
Payment Tokenisation

Payment tokenisation is a security technique that replaces sensitive payment information, such as credit card numbers, with a unique, random set of characters called a "token". This process helps to keep payment data safe during transactions because the actual card information is not being used or stored. If someone were to access the token, they wouldn't be able to use it to make fraudulent purchases as it doesn't contain the real payment details. By using tokens instead of actual card information, businesses can provide a secure and seamless payment experience for their customers, while reducing the risk of data breaches and fraud.

How does tokenisation work?

Tokenisation transforms sensitive payment data into a non-sensitive equivalent, which can be stored and transmitted safely without exposing the original data to potential security threats. In the context of payment processing, tokenisation works as follows:

Data collection: When a customer initiates a transaction, they provide their payment information, such as their credit card details, to the business.

Tokenisation request: Depending on how the business's payment system is set up, they may send the sensitive data to a secure tokenisation service, typically provided by a payment processor or a third-party tokenisation vendor. If the business is using tokenisation-enabled payment hardware or software such as Wonder Terminal, tokenisation happens automatically as a basic part of payment processing.

Token generation: The tokenisation process uses a combination of algorithms, encryption methods and secure storage to generate a unique token that represents the original payment data. This token is typically a random string of characters or numbers that has no inherent value or meaning outside of the specific payment system.

Token storage: The token is stored in the business's system, replacing the sensitive payment data. The original payment data is stored securely in the tokenisation service's secure vault, which is designed to protect it against unauthorised access and data breaches.

Token usage: When the business needs to process the transaction, they can send the token to the payment processor or tokenisation service. The service then maps the token back to the original payment data securely, allowing the transaction to be completed without exposing the sensitive information to the business or other intermediaries.

Token reusability: For recurring transactions, such as subscriptions or stored customer profiles, the same token can be used multiple times without collecting sensitive payment data again. This simplifies the payment process while maintaining security.

Which types of businesses need to use tokenisation for payments?

Tokenisation offers significant advantages for various types of businesses that handle sensitive payment data. These include:

E-commerce retailers

Tokenisation helps to safeguard customer payment data and reduce the risk of breaches or fraud in online transactions.

Subscription-based services

Companies offering recurring billing can use tokenisation to handle customer payment data for ongoing transactions securely.

Brick-and-mortar retailers

Although more common in online transactions, tokenisation can also benefit physical shops using point-of-sale (POS) systems or mobile payment solutions by providing an extra layer of security.

Platforms and marketplaces

Payment tokenisation enhances security and streamlines the management of sensitive payment data when multiple parties are involved in complex transactions, fostering trust and scalability in the operations of platform businesses.

Flow

Credit Card

  1. Call Create Customer API and Create Customer Payment Token API to create a card token, but payment is not allowed yet because it has not been 3DS verified.
  2. Redirect the customer to the response.data.payment_token.verify_url to initiate the 3DS flow. Once the customer completes the 3DS webpage, they will be redirected to either the success_return_url or the fail_return_url.
  3. Once redirected to the response.data.payment_token.verify_url, you can start polling the Check Customer Payment Token State API.
  4. When the card is verified, call the Make a payment API to complete the payment.
Info: For security reasons, cards are required to complete 3DS before they can be used to make a payment.
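The vault-side token lifecycle from "How does tokenisation work?" and the 3DS-gated credit card flow above, as an added Python sketch that is not Wonder's code or API: the vault class, method and field names and the verify URL are hypothetical. The merchant side keeps only the token and the last four digits, and a charge is refused until the token has reached the verified state.

```python
import secrets
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional

class TokenState(Enum):
    PENDING_3DS = "pending_3ds"  # token exists, card not yet 3DS verified
    VERIFIED = "verified"        # 3DS completed, token may be charged
    FAILED = "failed"            # 3DS failed, token must never be charged

@dataclass
class VaultEntry:
    pan: str                                   # real card number; never leaves the vault
    state: TokenState = TokenState.PENDING_3DS

class TokenisationVault:
    """Hypothetical stand-in for the processor's tokenisation service (not Wonder's API)."""
    def __init__(self) -> None:
        self._entries: Dict[str, VaultEntry] = {}

    def create_payment_token(self, pan: str) -> dict:
        # The token is random, so it carries no information about the PAN.
        token = "tok_" + secrets.token_urlsafe(16)
        self._entries[token] = VaultEntry(pan=pan)
        # The merchant receives only the token plus non-sensitive display data.
        return {"token": token, "last4": pan[-4:],
                "verify_url": f"https://3ds.example.invalid/verify/{token}"}

    def complete_3ds(self, token: str, success: bool) -> None:
        self._entries[token].state = TokenState.VERIFIED if success else TokenState.FAILED

    def token_state(self, token: str) -> Optional[TokenState]:
        entry = self._entries.get(token)
        return entry.state if entry else None

    def charge(self, token: str, amount_cents: int) -> dict:
        entry = self._entries.get(token)
        if entry is None or entry.state is not TokenState.VERIFIED:
            return {"ok": False, "reason": "token not 3DS verified"}  # unknown, pending or failed
        # Only here, inside the vault, is the token mapped back to the card.
        return {"ok": True, "amount_cents": amount_cents, "card": "**** " + entry.pan[-4:]}

def run_card_flow(vault: TokenisationVault, pan: str, amount_cents: int,
                  customer_passes_3ds: bool) -> dict:
    # Merchant-side version of the four-step flow: create, verify, check state, pay.
    token = vault.create_payment_token(pan)["token"]         # step 1: token not chargeable yet
    vault.complete_3ds(token, customer_passes_3ds)           # step 2: customer completes 3DS page
    if vault.token_state(token) is not TokenState.VERIFIED:  # step 3: check token state
        return {"ok": False, "reason": "3DS not completed", "token": token}
    return {**vault.charge(token, amount_cents), "token": token}  # step 4: make payment
```

The same token is charged twice in the flow to show reuse for recurring billing without re-collecting card data.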