A new ally for e-commerce sites: Tokenisation

Tokenisation has been around for a while, although up to now its uses have been limited to applications such as anonymising databases. It is only now coming to the forefront on e-commerce sites as a way to optimise and add security to the purchasing process.

Tokenisation works by replacing sensitive data (account numbers, social security numbers and the like) with substitute values called tokens, which greatly reduces the risk of exposing that data. The original data is then stored in encrypted form in a dedicated, centralised electronic safe. With such a system the consequences of any security breach are limited, in part thanks to a helpful property of the tokens themselves: even if the system is attacked, the sensitive information is not revealed; only the value of the token can be read. This encryption method separates the input information from the codes that hide it. Safe, flexible and inexpensive, the system is winning over the world of e-commerce.
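The flow described above, as an added Python example (not code from any payment provider): a vault swaps a card number for a random token, and the merchant's order table holds only the token. The names `TokenVault`, `record_order` and `breach_view`, the `tok_` prefix and the sample card number are assumptions made for the illustration; the in-memory dictionaries stand in for the vault's encrypted storage.

```python
import hashlib
import hmac
import secrets


def luhn_ok(pan):
    """Luhn checksum carried by payment card numbers."""
    digits = [int(c) for c in reversed(pan)]
    total = sum(digits[0::2]) + sum(sum(divmod(2 * d, 10)) for d in digits[1::2])
    return total % 10 == 0


class TokenVault:
    """Stands in for the centralised safe: the only place card numbers exist."""

    def __init__(self):
        self._index_key = secrets.token_bytes(32)  # keys the lookup index below
        self._by_token = {}    # token -> PAN (assumption: encrypted at rest in a real vault)
        self._by_pan_mac = {}  # HMAC(PAN) -> token, so a repeat card reuses its token

    def tokenise(self, pan):
        if not (pan.isascii() and pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("not a valid card number")
        mac = hmac.new(self._index_key, pan.encode(), hashlib.sha256).digest()
        if mac in self._by_pan_mac:
            return self._by_pan_mac[mac]
        token = "tok_" + secrets.token_hex(16)  # random: not derived from the PAN
        while token in self._by_token:          # regenerate on the (unlikely) collision
            token = "tok_" + secrets.token_hex(16)
        self._by_token[token] = pan
        self._by_pan_mac[mac] = token
        return token

    def detokenise(self, token):
        """Vault-side lookup used when the payment is processed; raises KeyError if unknown."""
        return self._by_token[token]


def record_order(orders, customer, token):
    """Merchant side: the order table stores the token, never the card number."""
    orders.append({"customer": customer, "card": token})


def breach_view(orders):
    """Everything an attacker obtains by dumping the merchant's order table."""
    return repr(orders)
```

Because the token is drawn at random, a copy of the order table gives no way back to the card number without access to the vault itself.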

The aforementioned tokens are an integral part of Apple Pay, which was launched in September 2014. Visa and Mastercard were not to be left behind, and announced around the same time their acceptance of tokenisation as a means of ensuring secure transactions (in particular for transactions effected without the use of a card).

The e-seller has overall control over the act of payment 

With a tokenisation system the e-seller can do away with external payment pages. Payment functionality may then be integrated into the seller’s own website. The payment pages may be in the brand colours (as opposed to those of an external provider), as part of a one-page checkout including both the offer and the payment. One may imagine that mobile payments will also be smoother with tokenisation systems. Perhaps it will help to reduce the high drop-out rate currently recorded at the moment of payment for consumers using mobile platforms. The merchant will only see the token, and not his or her customer’s sensitive data. This kind of system will therefore be outside of the scope of PCI DSS, which is the payment card industry standard for data security. With fewer procedures and standards to be met, the merchant will have more time to focus on his or her trade.

Hackers have been seen to keep up with advances in technology. But the tokenisation system makes it very difficult to access sensitive customer data. Up until now at least, this system seems to be one of the most robust against attacks.