Industry Insight: Tokenisation

Industry Insight UK

Tokenisation: What is it? Do I need it?

As the dust settles on another Money20/20 in Las Vegas, we at JetPay Solutions want to take a deep dive into one of the hottest topics from the show floor – Tokenisation. Behind that simple expression lies a wide range of innovative technologies, which we're going to look at in depth, analyse and explain, along with how we at JetPay (one of the earliest pioneers of tokenisation) provide this service to our customers around the globe. So let's start at the beginning…

Tokenisation – what is it?
According to Wikipedia, tokenisation was first applied to card data by Shift4 Corp. in 2005. Tokenisation is a process whereby a credit or debit card's PAN – the Primary Account Number (that's the 16 digits embossed on a bank or credit card, also encoded in the card's magnetic stripe, which identifies the issuer of the card and the account, and includes a check digit as an authentication device) – is substituted with a randomly generated but entirely unique sequence of numbers. This random token sequence is the same length and format as the original PAN, but it acts as a substitute for the PAN while the data is at rest inside a processor's or merchant's systems.

What that means in reality is that the merchant does not have to store sensitive card data on their networks, which reduces their exposure to the sometimes overbearing, complex and 'expensive to implement' PCI DSS standards. We'll discuss those at length in a later newsletter.

Tokenization, when applied to data security, is the process of substituting a sensitive data element with a non-sensitive equivalent, referred to as a token, that has no extrinsic or exploitable meaning or value. The token is a reference (i.e. identifier) that maps back to the sensitive data through a tokenization system.
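To make the definition above concrete, here is a small illustrative token vault in Python. It is an added example, not JetPay's code or any real processor's implementation: it validates the PAN's Luhn check digit (the "check digit" the text mentions), replaces the PAN with a random same-length digit string drawn from a cryptographic random source, and keeps the token-to-PAN mapping only inside the vault so that the token carries no exploitable meaning on its own. The PAN used is a constructed test number, and the vault returns the same token for a repeat registration of the same PAN to model a multi-use (recurring) token.

```python
import secrets
import string


def luhn_valid(pan: str) -> bool:
    """Return True if the PAN's last digit is a correct Luhn check digit."""
    if not pan.isdigit():
        return False
    total = 0
    # Walk the digits from the right; double every second one.
    for position, ch in enumerate(reversed(pan)):
        digit = int(ch)
        if position % 2 == 1:
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return total % 10 == 0


class TokenVault:
    """Illustrative vault (assumption, not a real product).

    The vault is the only component that can map a token back to a PAN.
    Merchant systems only ever see and store the token.
    """

    def __init__(self) -> None:
        self._token_to_pan: dict[str, str] = {}
        self._pan_to_token: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        """Replace a PAN with a random token of the same length and format."""
        if not luhn_valid(pan):
            raise ValueError("not a valid PAN (Luhn check failed)")
        # Multi-use token: the same card always maps to the same token.
        if pan in self._pan_to_token:
            return self._pan_to_token[pan]
        while True:
            # Random digits from a CSPRNG; nothing is derived from the PAN.
            token = "".join(secrets.choice(string.digits) for _ in range(len(pan)))
            # Reject collisions with stored tokens and the trivial token == PAN case.
            if token not in self._token_to_pan and token != pan:
                break
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Recover the PAN; only the vault (processor) can do this."""
        return self._token_to_pan[token]


if __name__ == "__main__":
    # Constructed test PAN (a standard Luhn-valid test number, not a real card).
    vault = TokenVault()
    token = vault.tokenize("4111111111111111")
    print("merchant stores:", token)
    print("vault resolves :", vault.detokenize(token))
```

Note that the merchant's copy of the mapping simply does not exist: a breach of the merchant's database yields only tokens, which are useless without access to the vault.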

Isn't that like Encryption?
For now, think in terms of Tokenisation protecting resting data – data sitting on a secure back-end server – while Encryption protects moving data. However, the lines between these two mechanisms of protection are getting closer and closer.

Back to Tokenisation
The token is designed to be reversed by the Processor AND ONLY the processor who created the token. To a hacker or a fraudster, it's a meaningless set of numbers. These tokens can be for one-off use or multi-use in a recurring transaction environment, e.g. sports club monthly memberships or renewable subscriptions. The key thing to remember is that Tokenisation eliminates the need for eCommerce merchants to store sensitive card payment data on their networks. And that IS a big deal.

There are, in fact, two different types of tokens. One type is used as a method of authenticating the customer's purchase, and another type is mapped to the customer's card, held on file in the highly secure stronghold of the processor or the customer's bank account. The two tokens are never stored together, further reiterating that in isolation either is a meaningless piece of data outside of bona fide usage.

So your customer can register a payment card with you through your online store and tokenisation technology takes care of replacing the actual card number with a surrogate token number used only for that merchant or wallet provider.

So who really benefits from Tokenisation?

Well, in eCommerce and Card-Not-Present transactions the cardholder does for sure. So does the merchant. And the Card Issuer, in fact. Here's a quick breakdown of the benefits:

For the Cardholder, your customer

• peace of mind from greater security overall
• simplified purchasing experience – significantly reduces cart abandonment
• much safer processing of their key financial data to conclude the purchase

For you, the Merchant

• all you have to store is the token, not the PAN
• you can safely process follow-up transactions efficiently
• the tokens are meaningless to anyone but you
• a token can be used freely in your own environment and requires less stringent PCI standards
• tokens make recurring transactions, subscriptions and on-demand usage simpler and faster
• tokens greatly help decrease PCI costs and compliance

For the Card Issuers

• take comfort from the application of applied global standards
• reduced risk of ensuing fraud if there is a data breach
• greater data security

So, who’s actually calling the shots and asserting industry standards?

In March 2014 EMVCo – a business overseen by Visa, MasterCard and AmEx amongst others – finally published the EMV Payment Tokenisation Specification Technical Framework version 1.0. You can download it here. In this document you'll find ISO specifications dictating standards, validation rules and other key technical aspects of tokenisation usage and adoption within the current global payments ecosystem.

So let's now look at how JetPay have addressed tokenisation and taken it to the next level.

JetPay’s Secure Tokenisation Program (inc. JetDirect)

JetPay’s Payment Tokenisation Path

The JetDirect solution uses a blind system of redirects that outsources the collection and transmission of the cardholder data to the client/customer computer and, from there, directly to JetPay's front end authorisation platform without the need for any 3rd party entity.

This robust solution has a number of key benefits: (1) it eliminates an additional layer of 3rd party costs, (2) it eliminates another point of potential failure and (3) it opens up a vast range of feature sets available directly from JetPay's superior front end authorisation platform within a flexible but very secure XML framework and architecture.

From a user's point of view, a customer will not be aware at all that the cardholder data is being redirected to JetPay, because the process works seamlessly.

JetDirect uses W3C standard HTML form elements with specific element names that are mapped to key variables within native processing scripts. These are only ever used on the JetPay servers.

The form elements also include what are known as hidden form fields, which provide additional information about the transaction to JetPay. When the customer clicks a Submit button, the form information is traditionally gathered and sent back through the merchant's network. With the JetDirect blind redirect, the cardholder information in the form is sent as an HTTPS POST directly to a specified web address at JetPay, bypassing the merchant's network.

As a form of validation and to prevent fraudulent transactions by hackers, the JetPay JetDirect product uses a Security Token in conjunction with a Key set that is uniquely generated for each merchant. This Security Token & Key set is used both to validate the merchant against a top level merchant database and in the creation of a secure SHA512* one-way hash. More about SHA512 here.
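The security point in the two paragraphs above is that, because the form is posted from the customer's browser rather than from the merchant's server, the processor needs a way to confirm that the hidden fields (merchant id, amount, currency, order reference) are the ones the merchant rendered and were not altered in transit or by a tampered client. The following Python is an added example, not JetDirect's actual scheme, which the page does not detail: it assumes a keyed SHA-512 hash (HMAC) computed by the merchant over the hidden fields and a per-merchant Security Token, and shows the processor-side check with constant-time comparison. All merchant identifiers, tokens and keys are constructed placeholders. The card number itself is deliberately outside the hash, since the merchant never has it.

```python
import hashlib
import hmac

# Constructed placeholder credentials (assumptions, not real JetPay values).
MERCHANT_ID = "EXAMPLE-MERCHANT-001"
SECURITY_TOKEN = "example-security-token"
KEY = b"example-merchant-key-not-a-real-secret"

# Processor-side "top level merchant database": merchant id -> (key, security token).
MERCHANT_DB = {MERCHANT_ID: (KEY, SECURITY_TOKEN)}

# Hidden fields fixed by the merchant before the browser posts the form.
SIGNED_FIELDS = ("merchant_id", "order_id", "amount", "currency", "security_token")


def canonical(fields: dict) -> bytes:
    """Serialise the signed fields in a fixed order so both sides hash the same bytes."""
    return "|".join(f"{k}={fields.get(k, '')}" for k in SIGNED_FIELDS).encode("utf-8")


def sign_form(fields: dict, key: bytes) -> str:
    """Merchant side: keyed SHA-512 over the hidden fields (assumed construction)."""
    return hmac.new(key, canonical(fields), hashlib.sha512).hexdigest()


def make_hidden_fields(order_id: str, amount: str, currency: str) -> dict:
    """Merchant side: build the hidden fields, including the hash, for the HTML form."""
    fields = {
        "merchant_id": MERCHANT_ID,
        "order_id": order_id,
        "amount": amount,
        "currency": currency,
        "security_token": SECURITY_TOKEN,
    }
    fields["hash"] = sign_form(fields, KEY)
    return fields


def lookup_merchant(merchant_id: str):
    """Processor side: fetch the merchant's key set, or None if unknown."""
    return MERCHANT_DB.get(merchant_id)


def verify_submission(posted: dict, key_lookup=lookup_merchant) -> bool:
    """Processor side: validate the merchant and detect tampering with hidden fields."""
    record = key_lookup(posted.get("merchant_id", ""))
    if record is None:
        return False
    key, expected_token = record
    # Constant-time comparisons avoid leaking how many characters matched.
    if not hmac.compare_digest(posted.get("security_token", ""), expected_token):
        return False
    expected_hash = sign_form(posted, key)
    return hmac.compare_digest(posted.get("hash", ""), expected_hash)


if __name__ == "__main__":
    # What the browser would POST: hidden fields plus the cardholder's own entries.
    form = make_hidden_fields("ORD-1001", "49.99", "GBP")
    posted = dict(form, card_number="4111111111111111")  # constructed test number
    print("genuine submission accepted:", verify_submission(posted))
    tampered = dict(posted, amount="0.01")  # client altered the hidden amount
    print("tampered submission accepted:", verify_submission(tampered))
```

The usual pitfalls are the ones this sketch avoids: hashing fields in an unspecified order (so merchant and processor disagree), leaving the amount or currency out of the signed set, and comparing digests with `==` rather than a constant-time comparison.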

Every transaction through the JetPay Secure Tokenisation Program is handled with the tokenisation process.

You can download the full white paper on the JetDirect Processing Method here.

If you'd like to know more about JetPay Solutions' JetDirect product, or any other product or service from our extensive range, please email us or call us on +44 (0) 1932 883 147.

November 5th, 2015 (last modified 2017-01-25) | Industry Insights