Last week we presented our new tokenisation service, One Time Token. This service helps non-PCI-compliant merchants to collect card data on their own servers and to process payments securely. But what is a token and how does it work?
During the tokenisation process, the primary account number (PAN) and other sensitive card details are replaced by a non-sensitive equivalent that has no meaning or value, a token. There are two basic types of tokens: reversible and irreversible. You can probably guess where we are going with this, but just in case, allow us to explain. Reversible tokens provide entities using or producing tokens with the possibility to obtain the original data through a process called de-tokenisation. Irreversible tokens can never be converted back to the original data, by any party, under any circumstance. These two basic types of tokens can each be divided into two subcategories. Reversible tokens can either be cryptographic or non-cryptographic and irreversible tokens are authenticable or non-authenticable.
- Reversible cryptographic tokens – the tokens are created using strong cryptography. The PAN or other data is not stored; the encrypted data is only retrievable by using the cryptographic key.
- Reversible non-cryptographic tokens – a PAN is assigned to a token in a pre-generated table of random values. The token is then de-tokenised by looking it up in a card data vault.
- Irreversible authenticable tokens – tokens are mathematically created through a one-way system that can confirm if a certain PAN is used, but cannot be used to de-tokenise the token.
- Irreversible non-authenticable tokens – these types of tokens can never be linked to a specific PAN, but may be linked to a specific customer or merchant account.
When handling payments and sensitive data, security is paramount. Compared to older systems that stored sensitive information on databases and freely shared card numbers etc. over various networks, tokenisation makes it much harder for hackers and other fraudsters to gain access to the card and payment details. Because of the innovative properties and the relative ease with which to implement a tokenisation system or subscribe to a tokenisation service, we expect other industries that handle sensitive data, like medical or criminal records, to follow suit soon.