
How tokenisation transformed digital wallets, e-commerce and banking

Tokenisation of digital payments
image credit: Sutthiphong Chandaeng/Shutterstock

The origins of tokenisation can be traced back to the 1970s, but modern innovations in digital payments mean the technology can provide an invisible layer of card and banking data

Tokenisation is the process of replacing sensitive data with non-sensitive substitutes, known as tokens.

Within the payments industry, tokenisation has been a widely used practice, primarily to protect sensitive data with one-time token substitutes that mitigate the exposure of a customer’s personal information.

This can be seen on modern credit and debit cards. When a customer enters their details online, Visa and Mastercard deploy tokenisation to substitute the 16-digit primary account number, hiding it from hackers attempting to intercept the data. Mastercard has championed the technology since 2014 and expects all e-commerce to be tokenised by 2030.

The card network generates unique replacement tokens, which are stored in a digital vault. The token then passes through the merchant and payment processor to finalise the settlement.

This is standard practice for card networks and payment processors. However, since the arrival of decentralised finance on blockchain networks, tokenisation has introduced new payment capabilities and methods.

Tokenisation of digital wallets 

Digital wallets such as Apple Pay, Google Pay and Samsung Pay have adopted Device Tokenisation.

This sees the technology deployed when a consumer loads their credit or debit card into a digital wallet on their mobile device. The wallet provider requests a token from the card network, which is then applied to the device hardware that houses the wallet.

For payments using digital wallets, tokenisation also occurs at the checkout. When using Near-Field Communication (NFC) technology to perform a contactless payment, the mobile device uses a Device Primary Account Number.

This number then connects to the device’s cryptographic key, and the payment will only settle once a biometric identifier, such as a fingerprint or face, has authenticated it. Mastercard intends to make manual card entry and one-time passwords obsolete by 2030 by pairing biometric authentication with tokenisation.

E-Commerce and merchants

As e-commerce has risen to become one of the world’s most common channels for retail payments, businesses have integrated tokenisation for card-on-file.

The card-on-file process involves merchants storing a consumer’s digital payment information for future transactions.

With tokenisation, card-on-file storage uses merchant tokens for greater protection of card data. Merchant tokens are generated by either a payment gateway provider or a card network. Ecommpay, for example, leverages network tokens for higher approval rates on online and in-app payments.

Tokenisation explainer – Mastercard. Image credit: Mastercard

Merchant tokens are typically used for subscription payments for services such as Netflix and Spotify, which use Network Tokenisation. This automatically updates the card tokens linked to a consumer’s subscription account, enabling recurring payments without manual work from either the business or the consumer.
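The vault and merchant-token behaviour described above can be modelled in a few lines. This is an added example, not code from any card network or from the article: `TokenVault`, its method names and the merchant IDs are hypothetical, the card numbers are constructed test values, and it assumes the merchant's token stays fixed while the vault re-points it at a reissued card.

```python
import secrets


class TokenVault:
    """Toy in-memory vault (hypothetical; a real vault is a hardened network service)."""

    def __init__(self):
        self._by_token = {}  # token -> {"pan": ..., "merchant": ...}

    def tokenise(self, pan: str, merchant_id: str) -> str:
        """Issue a random, merchant-bound token with no mathematical link to the PAN."""
        while True:
            token = "".join(secrets.choice("0123456789") for _ in range(len(pan)))
            if token != pan and token not in self._by_token:
                break
        self._by_token[token] = {"pan": pan, "merchant": merchant_id}
        return token

    def detokenise(self, token: str, merchant_id: str) -> str:
        """Resolve a token to its PAN, only for the merchant it was issued to."""
        entry = self._by_token.get(token)
        if entry is None or entry["merchant"] != merchant_id:
            raise PermissionError("token unknown or not valid for this merchant")
        return entry["pan"]

    def reissue_card(self, old_pan: str, new_pan: str) -> int:
        """Re-point every token for old_pan at new_pan; merchants keep their tokens."""
        updated = 0
        for entry in self._by_token.values():
            if entry["pan"] == old_pan:
                entry["pan"] = new_pan
                updated += 1
        return updated


def demo():
    vault = TokenVault()
    old_pan, new_pan = "4111111111111111", "4111111111112222"  # constructed test numbers
    streaming = vault.tokenise(old_pan, "merchant-streaming")
    shop = vault.tokenise(old_pan, "merchant-shop")
    try:  # a token copied from one merchant's database must not work at another
        vault.detokenise(streaming, "merchant-shop")
        blocked = False
    except PermissionError:
        blocked = True
    vault.reissue_card(old_pan, new_pan)  # the subscription keeps billing on the same token
    return streaming, shop, blocked, vault.detokenise(streaming, "merchant-streaming")
```

The merchant databases in this model hold only the token values, so a breach there exposes nothing that can be used outside the issuing merchant's domain.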

The technology has also helped popularise Click to Pay. This payment method recognises the device being used for the transaction during the onboarding process. 

Click to Pay tokenisation sees a token generated by a card network for a merchant without the merchant interacting with the card data, allowing the customer to complete the transaction in one click.  

Open Banking and VRPs 

Tokenisation has also been deployed across bank accounts and systems with the assistance of open banking APIs.

A bank account user’s details can be tokenised to enable account-to-account bank transfers without manually entering credentials or sharing routing and account numbers.

Variable Recurring Payments (VRPs) utilise both open banking and tokenisation through the use of Access Tokens. These replace traditional 16-digit card numbers and are processed on account-to-account (A2A) payment rails. The UK Payments Initiative has launched a scheme to turn open banking from one-off into recurring payments at scale.

The Access Tokens are generated by a third-party open banking provider once a merchant initiates the payment from the customer’s bank.

The bank then issues a Consent Token to the third-party open banking provider, authorising it to request the payment directly from the customer’s account. This process also removes the need to manually store sensitive bank information.
