
Preventing fraudulent payments with tokenisation


Data breaches and cybercrime seem to be in the news almost daily, and they are an issue the world is struggling to overcome. Research commissioned earlier this year by Adyen found that more than half of retailers (57 per cent) reported an increase in the level of fraudulent transactions compared to the same time last year.

In fact, in the first half of the year 140,344 fraud attacks were recorded by RSA’s Fraud and Risk Intelligence (FRI) team. That represents 32 attacks every hour and is an increase from 86,344 in the last six months of 2018. Despite this increase, fraud prevention is something that is recognised worldwide. International Fraud Awareness Week is an initiative rallying global leaders to minimise the impact of fraud by promoting anti-fraud awareness and education. 

It’s no surprise that fraudsters are targeting retailers when you consider the rise of e-commerce. In 2019, retail e-commerce sales worldwide amounted to 3.53 trillion US dollars – all these transactions create an attractive market for cybercriminals. Various technology advancements have been made in the fraud prevention space, but so too have the techniques fraudsters use to overcome security efforts.

Protecting payments data is a top priority for all parties either buying or selling online, so how can merchants reassure customers their checkout is as secure as possible? The answer may be tokenisation. As the name suggests, payment tokenisation replaces sensitive information from consumers’ credit cards during purchases with ‘tokens’ that are generated instantly and randomly.

How does it work?

Tokenisation is actually a very simple concept. In a nutshell, it is the process of replacing sensitive data with non-sensitive data. In the payments industry, it is used to safeguard a card’s primary account number (PAN) by replacing it with a worthless, unique string of numbers – a token. Payment tokens are generated from the PAN and automatically issued in real-time. They are generated per transaction, per merchant. This means that the customer’s sensitive PAN is substituted by a token and not transmitted during the transaction, making the payment more secure. Because the token is generated for each transaction, even if a fraudster were able to get hold of it, they would not be able to use it for other payments.

Taking this even further is the concept of ‘network tokenisation’. This is a special form of token created in conjunction with card networks, like Visa and Mastercard, to replace a primary account number (PAN) with a unique EMV payment token that is restricted in its usage. As an example, this token might be restricted to a specific device, merchant, transaction type or channel. The main benefit of network tokenisation is that it ensures card details are protected throughout the entire transaction lifecycle and as a result can have a really positive result on authorisation rates. Non-network tokens lack this type of end-to-end security.
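
As an added illustration of the two paragraphs above (not code from the article, Adyen or any card network), the following Python example models a token vault that issues a random token per transaction and per merchant, and refuses to honour it outside its merchant and channel or a second time. The names `TokenVault`, `tokenise`, `redeem` and `TokenError`, the merchant identifiers and the in-memory dictionary standing in for the payment partner's secure storage are all assumptions; the PAN is a constructed test number.

```python
import secrets


class TokenError(Exception):
    """Raised when a token is unknown, already used, or presented out of scope."""


class TokenVault:
    """Toy in-memory vault: maps random tokens to PANs plus usage restrictions."""

    def __init__(self):
        self._entries = {}  # token -> {"pan", "merchant", "channel", "used"}

    def tokenise(self, pan, merchant_id, channel):
        # The token is random, so it carries no information about the PAN;
        # the mapping exists only inside the vault.
        while True:
            token = "".join(secrets.choice("0123456789") for _ in range(16))
            if token not in self._entries and token != pan:
                break
        self._entries[token] = {"pan": pan, "merchant": merchant_id,
                                "channel": channel, "used": False}
        return token

    def redeem(self, token, merchant_id, channel):
        entry = self._entries.get(token)
        if entry is None:
            raise TokenError("unknown token")
        if (entry["merchant"], entry["channel"]) != (merchant_id, channel):
            raise TokenError("token presented outside its merchant/channel")
        if entry["used"]:
            raise TokenError("token already used")
        entry["used"] = True
        return entry["pan"]


def demo():
    vault = TokenVault()
    pan = "4111111111111111"  # constructed test PAN, not a real card
    token = vault.tokenise(pan, "merchant-A", "ecommerce")
    outcomes = []
    # Stolen token at another merchant, the legitimate payment, then a replay.
    for merchant in ("merchant-B", "merchant-A", "merchant-A"):
        try:
            outcomes.append(vault.redeem(token, merchant, "ecommerce") == pan)
        except TokenError as exc:
            outcomes.append(str(exc))
    return token, outcomes


if __name__ == "__main__":
    print(demo())
```

Only the vault can map the token back to the PAN, so a merchant that stores the token holds nothing a thief can spend elsewhere.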

Who can use tokens?

Although tokenisation can be used by most online merchants, it particularly benefits those with subscription-based business models or who generate significant business with repeat customers.

Tokenisation is particularly useful for businesses that aim to create a frictionless payments experience because tokens can be securely stored and used to enable “one-click” payments for future transactions. For example, industry leaders such as Netflix adopt this process to ensure the safest and smoothest payments experience for its customers. This enables them to collect monthly subscriptions without constantly having to ask their customers to go online and complete a new transaction every month.

Why network tokenisation is future-proofing payments

The cost of fraud is significant and growing. Ponemon Institute’s 2019 Cost of a Data Breach study revealed that average global loss amounted to $3.92 million, and it continues to grow.

The beauty of network tokenisation is that it helps protect businesses and customers from the financial hits of data theft. Even if hackers manage to steal tokenised data, they cannot use the stolen tokens to pay online since they are unable to link the token to payment information stored securely by the payment partner. So, although it can’t protect you from a breach, it can restrict what cybercriminals take from you. It also improves the experience for consumers, especially when their card details are updated, for example when a card expires and is replaced by a new card. Tokens are linked to the customer, not the card, so if their card expires and is replaced, the token automatically updates. This means they don’t have to update card information for subscriptions or direct debits.

Tokenisation also helps foster trust between issuers and merchants. Using tokenisation, issuers globally can send updates on lost or stolen data in real-time, for improved authorisation rates, so merchants can feel assured they will not lose business. This process in turn creates a frictionless payment experience and builds customer loyalty to brands through the convenience factor. Another benefit of tokenisation is that it enables merchants to offer shoppers the choice to save their payment details in a secure manner. This means that the next time they make a purchase they do not need to re-enter their payment data. One-click payments significantly increase conversion through streamlining the payment process for customers.

Final thoughts

In a world where convenience is in high demand from consumers, and fraudsters are continually looking to sabotage innovative technology, tokenisation could be a solution to reduce the risks of a compromise and also enable a more seamless payment experience.

Myles Dawson, Managing Director, Adyen UK