After the industry requested more time to comply with the latest data security rules, the Reserve Bank of India mandated the implementation of tokenization of card transactions, with a deadline of June 30, 2022, which is further extended to September 30, 2022.
So, what exactly is tokenization? And how would it aid in the security of online transactions?
Tokenization is a process of replacing sensitive information with non—sensitive information [token]either completely or partially, rendering the token useless for the unintended users.
Tokens are irreversible, original data cannot be derived back using a key, unlike the cryptographic process. It follows the principle of ‘pseudonymization’ [Pseudo Anonymization or simply put alias or surrogate] for sensitive data like Aadhar, SSN, Credit Card, Bank ac/c, phone, or DOB.
A tokenization system links the original data to a token but does not provide any way to decipher the token and reveal the original data.
For e.g. in the case of a card/PAN, Token PAN is generated using the Format Preserving Hash which is irreversible PAN, and Lunch’s check is passed on the same so all the card validations on the token are also successful and follow card network rules.
Original PAN: 7654 1111 1111 1111
Token PAN: 6667 2397 1422 2655 [Identical to PAN but of no value for a bad actor as it cannot be used without the valid Token Requestor and Merchant Id combination.]
Any token generated for a card will inherit the key attributes of the original card e.g. expiry date, product code, card art, etc.
Tokenization is a secure method of storing payment information. In essence, a token (an alias or a Pseudo number) is generated for the stored payment card. As a result, simply possessing the token does not grant you access to the card information without first passing through the tokenization system.
When we apply this to the real world, we can see the benefits. Consider a website that sells specific products but also offers recurring deliveries. When a client purchases from the website for the first time, they will enter their credit card information themselves; however, for recurring transactions (such as the delivery of specific cosmetics on the first day of each month, for example), the information must be stored by the website in order for a monthly payment to be made.
If card information is not stored securely, unauthorized personnel or even bad actors can gain access, causing a nuisance for the consumer and a serious problem for the merchant resulting in chargebacks. To solve this problem in the simplest way possible, we turn to tokenization.
When a client first enters his card details, the payment platform collects the information and sends it to the tokenization system, which returns the token to the website and processes the payment. The token will be stored on the website in conjunction with the information entered during the registration process.
For a Standing Instruction when the merchant website needs to charge the client on a recurring basis, it will simply send the amount and the token to the payment platform. The payments platform will then send the token to the tokenization system, which will map the card number against the token and complete the transaction on behalf of the customer.
The website does not need to store the actual card details to process recurring payments using this method, and the payment process is limited to the dialogue between the tokenization system and the payment platform, both of which have high levels of security.
Tokenization inherently uses a pseudonymization process to replace sensitive data with random data. Card tokens are intent-based which is unique per merchant. Card tokens generated at one merchant cannot be used at other merchants. In case of any data compromise
at a particular merchant/entity, it cannot be used for any other purpose. Even if the bad actor wants to use the stolen token at the same merchant, they will also need the cryptographic keys to initiate any transactions which are almost impossible to get access to organization cryptographic keys.
Hence tokenization makes the data storage, data transmission, and data usage very secure without worrying about misuse. In this case, the user would simply delete/cancel the token for a particular merchant only as opposed to canceling the card and managing storage at all other locations
Because online shopping is becoming more popular by the day, cybercrime has skyrocketed so as data proliferation, both businesses and their customers must now rely on secure online solutions for all types of transactions. This means that more credit card information is being stored and processed, providing more opportunities for cybercriminals.
Security solutions such as tokenization are arguably more important than ever before, as they can assure clients that their sensitive data is much more secure, thereby fostering trust and loyalty between businesses and consumers.
Benefits of tokenization on your cards :
· With rising subscriptions and recurring economy, intent-based unique tokens enable users to manage multiple subscriptions (COF or SI) very securely
· Can be used for an online card on file and device-based tap n pay contactless payment on mobile devices
· Greater protection against data theft due to higher storage security
· Higher customer control to view and manage tokens and set controls
· Bring standardization for card storage across the ecosystem rather than every entity implementing their own standards
The Wibmo Areion ‘Token Hub,’ built in accordance with EMVCo standards, is the only unified tokenization solution for merchants, acquirers, Issuers, and Fintechs. It ensures that you are in compliance with the latest RBI guidelines while also providing a frictionless payment experience.
To find out more, write to: sales@wibmo.com
Author:
Ravi Battula, Vice President, Merchant Acquiring Business
Wibmo A PayU/Naspers FinTech Company