What is tokenisation and how does it work?

3-minute read

Wed July 4 2018

Tokenisation is a security method used to protect a customer’s credit or debit card information while a payment is being processed.

It works by masking a customer’s card details at the checkout by replacing them with an algorithmically generated number, also referred to as a ‘token’.

Simple, right?

But why do payment gateways use tokenisation and what are the benefits to the merchant and the customer? Allow us to explain…

What are the benefits of tokenisation?

1. Improves security online

One of the main benefits of tokenisation is that it reduces the risk of card details being compromised or stolen during the payment authorisation process. 

The process of tokenisation means that merchants never see any card details, and can only store the randomised numbers that represent the card. All card details are securely stored by the payment gateway.

Consequently, if a retailer gets hacked and suffers a data breach, then the hackers won’t gain access to any card details. Furthermore, each merchant generates their own unique tokens, so even if a shopper uses the same credit or debit card to buy from three different retailers, there would be no way of matching the card across the three separate purchases just by using the tokens.

An IBM study found that data breaches cost UK businesses an average of £2.48 million, however the cost was actually lower for businesses that were using extensive data encryption.

2. Reduces PCI DSS burden

From the merchant’s perspective, tokenisation removes some of the burden of PCI DSS compliance. This is because all aspects of tokenisation are handled by the payment gateway, so the merchant doesn’t store any card details.

According to the PCI Security Standards Council’s own guidelines:

‘Tokenisation solutions do not eliminate the need to maintain and validate PCI DSS compliance, but they may simplify a merchant’s validation efforts by reducing the number of system components for which PCI DSS requirements apply.’

3. Improve customer experience & frictionless checkout

When people shop with a particular retailer, they expect to be able to interact seamlessly across different offline and digital channels without feeling as if the experience is disjointed or inconsistent.

Tokenisation can help create a joined up customer experience by enabling a retailer’s back end systems to securely store order information and then track that order across different touchpoints or channels.

What does this mean in practice? Well, that click and collect service that your customers love so much would be far less seamless if your payment gateway didn’t use tokenisation. The same goes for any shopping journey that uses more than one channel, such as returning an online order in-store.

This is important for retailers looking to grow their business, as a consumer study conducted by Harvard Business Review found that 73% of people prefer to use multiple channels when shopping, and that these multichannel shoppers proved to be bigger spenders.

4. Enables repeat purchases

Tokens can be used to securely store a shopper’s card details, so that repeat purchases or regular payments (i.e. subscriptions) can be made without the need to fill in the payment form every time a customer makes a purchase. People who shop frequently online will be familiar with one-click checkouts – this functionality is enabled thanks to tokenisation.

Long checkout processes and security concerns are two commons causes of checkout abandonment, so merchants can reduce the likelihood of lost purchases by using tokenisation to enable customers to checkout quickly and securely.

How does tokenisation work?

Tokenisation is a security measure carried out by the payment gateway at the very beginning of the payment process.

When someone makes a payment at a checkout, the payment gateway swaps the credit or debit card details for a unique, randomised number known as a ‘token’. The customer’s card details are securely stored by the payment gateway on the merchant’s behalf, meaning the merchant never sees any sensitive information.

The token is then passed via the internet to each different party involved in authorising the transaction (e.g. the acquirer and the customer’s bank). As a token is used in place of the card details, it means there is less danger of the card details being hacked or exposed to fraudsters while the payment is being authorised (or declined).

The potential cost of tokenisation

As you can see, tokenisation is a very important part of the online payment process and has many added benefits. By improving security, enabling omnichannel commerce, and reducing friction at the checkout, tokenisation helps to improve the customer experience and could potentially drive business growth.

However, it’s important to be aware of the potential costs attached to tokenisation. Most payment gateway providers charge a fee for each token stored on behalf of a merchant or charge additional fees if a merchant exceeds a certain number of tokens each month. And the level of these charges can vary greatly from one provider to another one.

This is obviously something that you need to review if your business is going through a period of growth, as your payment gateway costs will increase as you attract more customers.

Find out more about Barclaycard’s payment gateway.