8 November 2017
Chances are, if you’ve heard of Apple Pay, then you’ve heard of tokenisation.
While mobile payments have cast tokenisation into the limelight recently, the concept isn’t new. In fact, tokenisation has been in use since 1976 (the same year as David Bowie’s Station to Station tour, not that the two are connected) for a variety of uses in data processing.
Mobile apps like Apple Pay and Android Pay have certainly breathed new life into tokenisation and made it a buzzy payments topic of conversation, but there’s a lot of confusion surrounding the functionality: what it is, the difference between tokenisation and encryption, the benefits of using tokens, business considerations and how it impacts your security.
Here’s a simple guide to everything you need to know.
When you ‘tokenise’ an item, it means you’ve turned it into a completely different object. But the new object, while it looks different, represents the original item.
A common analogy to use is a game of poker, or any other game that uses chips as a replacement for money. The chips you play with, although they look nothing like money, represent it. It’s a lot safer to use chips instead of wads of money that might get stolen or lost, too. While the chips hold immense value during the game, once you leave the arcade or the casino, they mean nothing.
The same goes for card data.
Tokenisation removes sensitive card data, like primary account numbers (PANs), from your environment and replaces each number with a ‘token’.
The token is a long, unique string of characters that represents the original piece of data but has no actual meaning or value.
This is partly what makes tokenisation so valuable for businesses: if online fraudsters manage to steal your tokenised data, all they have is a list of numbers that mean nothing. It doesn’t matter how hard they wish those numbers to turn into consumer card data, they never, ever will.
Typically, consumer credit and debit cards have 16-digit primary account numbers (PANs), an expiration date and a security code that’s found on the back of the card. Any of these pieces of information can be tokenised but let’s use the PAN as a simple example.
Importantly, the token can only ever be unlocked once it reaches its final destination: the payments processor. But it was the token, not the credit card details, that was used throughout the transaction.
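To make the flow above concrete, here is a small added example (written for this page, not Bambora’s or any gateway’s code) of a token vault: the PAN is swapped for a random token that has no mathematical relationship to the card number, the same card on file gets the same token back, and only a caller in the assumed “processor” role can turn a token back into a PAN. The PANs, the `tok_` prefix and the role names are constructed for illustration.

```python
import secrets

# Constructed sample PANs: well-known sandbox/test numbers, not real cards.
SAMPLE_PANS = ["4111111111111111", "5555555555554444"]


def luhn_valid(pan: str) -> bool:
    """Luhn check used to reject obviously malformed PANs before tokenising."""
    checksum = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        checksum += d
    return checksum % 10 == 0


class TokenVault:
    """The only component that ever holds the PAN.

    Tokens are random (secrets.token_hex), so nothing about the card can be
    derived from a token without access to this mapping.
    """

    def __init__(self) -> None:
        self._token_to_pan: dict[str, str] = {}
        self._pan_to_token: dict[str, str] = {}

    def tokenise(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a plausible PAN")
        # Card on file: the same card always maps to the same token so the
        # merchant can bill it again without ever seeing the PAN.
        if pan in self._pan_to_token:
            return self._pan_to_token[pan]
        while True:
            token = "tok_" + secrets.token_hex(16)   # 128 random bits
            if token not in self._token_to_pan:
                break
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenise(self, token: str, caller_role: str) -> str:
        """Only the payments processor (assumed role name) may unlock a token."""
        if caller_role != "processor":
            raise PermissionError(f"role {caller_role!r} may not de-tokenise")
        return self._token_to_pan[token]


def token_shares_no_digits(token: str, pan: str) -> bool:
    """True if no 4-digit run of the PAN appears in the token (sanity check
    that the token is not a disguised copy of the card number)."""
    runs = {pan[i:i + 4] for i in range(len(pan) - 3)}
    return not any(run in token for run in runs)


def demo() -> dict:
    """Merchant tokenises once, charges twice, processor de-tokenises."""
    vault = TokenVault()
    token = vault.tokenise(SAMPLE_PANS[0])
    merchant_record = {"customer": "c-1", "card_token": token}   # no PAN stored
    charges = [merchant_record["card_token"] for _ in range(2)]  # reuse token
    pan_at_processor = vault.detokenise(charges[-1], "processor")
    return {"token": token, "pan_at_processor": pan_at_processor}


if __name__ == "__main__":
    print(demo())
```

The merchant-side record keeps only the token, which is the property that shrinks the cardholder-data footprint; the lookup table in the vault, and anything allowed to call `detokenise`, is exactly what still has to be protected.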
Both can be used to protect and transmit card data. So, here’s where it gets a little technical.
Encryption and tokenisation are often mentioned together as means to secure sensitive information that’s being transmitted through the internet.
Nowadays tokenisation is recognised as the more secure and cost-effective approach to handling sensitive card data. While there are similarities, like they’re both a form of cryptography, encryption is different from tokenisation because:
The bit that often trips people up is:
It’s not necessarily preferred, but tokenisation is recognised as being the more secure process to protect cardholder data. Encryption is still incredibly valuable. It can be used to store structured (like card field data) and unstructured (like long documents) data as well as biometric data. It can also play an important part in validating cardholder identity online, so depending on the type and size of a business, there’s a good chance that you’ll leverage both.
In the payments industry, there are three main types of tokenisation.
Card on file (enables subscription billing and recurring payments)
Single-click eCommerce functionality (pioneered by Amazon)
NFC digital wallets, like Apple Pay
So far, we’ve looked at tokenisation from a pure security standpoint. But single-click checkout and NFC technology opens up an entire world of opportunity for businesses - and consumers.
How many consumers know that when they choose to store their card details, or when they use a digital wallet to pay, that this is a more secure way of paying – and why? It’s the convenience that tokenisation offers that’s driving the uptake of the functionality.
From the standpoint of businesses and merchants:
It is a common misconception that if you’re accepting payments through a payment gateway, then your business is automatically PCI compliant.
This is not the case. PCI applies to all businesses who store, process or transmit cardholder information. How you manage your payment process will define the level of PCI that you must adhere to.
Tokenisation reduces PCI scope for merchants because you’re not storing, processing or transmitting cardholder data. However, the tokens and the system (the vault) in which they reside will need protection and will therefore be in scope for PCI compliance to keep the data safe. Also, any systems connected to the secure vault will be in scope for PCI. To be considered completely out of PCI scope, both the token and the systems they’re on would need to have zero value to fraudsters who are attempting to retrieve PANs.
While tokenisation reduces your PCI scope, the roles and responsibilities that apply to the tokenisation solution as a whole should be distributed between the various stakeholders. The two main stakeholders are usually the merchant and the tokenisation provider (which might also be your payment gateway). The level of PCI compliance you’ll need will be evaluated for every tokenisation implementation a business might do. For example, the location and flow of cardholder data, controls around de-tokenisation and mapping processes should be reviewed and verified every time to ensure proper scoping and appropriate application of PCI requirements.
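The scoping rules in the two paragraphs above (anything that stores, processes or transmits PANs; the vault itself; anything connected to the vault; anything that can de-tokenise) can be applied mechanically to a system inventory. The following is an added example, not a Bambora tool or a PCI DSS assessment procedure; the inventory is constructed, the attribute names are assumptions, and “connected to” is taken to mean a direct network connection to the vault in either direction.

```python
from collections import defaultdict

# Constructed inventory for a merchant that tokenises through a gateway.
# Each entry records what the system does with card data and what it talks to.
INVENTORY = {
    "token-vault":         {"is_vault": True, "handles_pan": True,
                            "can_detokenise": True, "connects_to": ["processor-link"]},
    "processor-link":      {"handles_pan": True, "connects_to": []},
    "gateway-api":         {"handles_pan": True, "connects_to": ["token-vault"]},
    "vault-admin-console": {"can_detokenise": True, "connects_to": ["token-vault"]},
    "merchant-website":    {"connects_to": ["gateway-api"]},     # holds tokens only
    "billing-scheduler":   {"connects_to": ["gateway-api"]},     # recurring charges by token
    "reporting-db":        {"connects_to": []},                  # tokens and amounts only
}


def pci_scope(inventory: dict) -> dict:
    """Return {system: [reasons]} for every system that falls into PCI scope.

    A system with no reasons is left out of the result (out of scope under
    these rules), which is the desired effect of tokenising.
    """
    neighbours = defaultdict(set)
    for name, attrs in inventory.items():
        for peer in attrs.get("connects_to", []):
            neighbours[name].add(peer)
            neighbours[peer].add(name)      # connectivity counts both ways

    vaults = {n for n, a in inventory.items() if a.get("is_vault")}
    in_scope = {}
    for name, attrs in inventory.items():
        reasons = []
        if attrs.get("handles_pan"):
            reasons.append("stores, processes or transmits PAN")
        if attrs.get("is_vault"):
            reasons.append("is the token vault")
        if attrs.get("can_detokenise"):
            reasons.append("can de-tokenise")
        if name not in vaults and neighbours[name] & vaults:
            reasons.append("connected to the vault")
        if reasons:
            in_scope[name] = reasons
    return in_scope


def out_of_scope(inventory: dict) -> set:
    """Systems that only ever see tokens and never touch the vault."""
    return set(inventory) - set(pci_scope(inventory))


if __name__ == "__main__":
    for system, why in sorted(pci_scope(INVENTORY).items()):
        print(f"{system:22s} IN SCOPE: {', '.join(why)}")
    print("out of scope:", sorted(out_of_scope(INVENTORY)))
```

Re-running this against the inventory every time the payment flow changes is the practical form of the “review and verify every time” advice: adding a single connection from a token-only system to the vault pulls it straight back into scope.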
If you choose to tokenise your payments through Bambora, you can be completely covered through our Level 1 PCI compliance solutions.
From small businesses to large enterprise businesses, tokenisation can present huge benefits. It is suited to any businesses with subscription-based business models or merchants that generate significant business with repeat customers.
Sound like you?
If you’re interested in finding out more about tokenisation and what it could mean for your business, including PCI scope and requirements, feel free to get in touch with one of the Bambora team.
Victoria Galloway is Bambora APAC's Technical Copywriter, and has been writing and producing in the payments and eCommerce space for a number of years, both in the UK and Australia.