July 26, 2015

The payments landscape has developed and evolved considerably over the last few years. Consumer behaviour and technological advances continue to bring exciting innovations. In May 2015, the Payments Council reported that cashless payments overtook the use of notes and coins for the first time last year.

Paying via mobile devices is another evolutionary step towards a ‘cash-less’ society. According to recent research from Visa Europe, consumer adoption of mobile payments will grow faster than ever in the next five years, with 60% of Britons expecting to use their mobile devices for payments at least once a week by 2020.

As payment technology has evolved, so too has digital security. With millions using digital methods to pay for goods and services, protecting transaction data becomes ever more critical.

This article looks at tokenisation and its application in the payments sphere in order to make the transaction journey more secure.

The Payment Ecosystem

A payment ecosystem traditionally has three or four participants that allow cardholders to pay merchants for goods. The Visa payment system is based on a four-party model as follows:

·       Cardholder – the person who would like to buy goods or services

·       Issuer – the bank that issues the cardholder with a credit or debit card

·       Merchant – the entity that sells goods or services

·       Acquirer – the financial organisation that processes the payment on behalf of the merchant.

In this system, the Issuer provides a card to the Cardholder. The Cardholder uses the card at a Merchant to pay for good or services. The Merchant’s Acquirer requests approval for the payment from the Issuer. The Issuer checks the Cardholder’s account and approves or declines the transaction. This all happens through the Visa network.  There are many more nuances to the system but this is the basic premise.

What’s Special about Tokenisation?

To realise the potential of innovative new payment methods such as card-on-file payments and mobile payments on smartphones and wearable devices, an enhanced security infrastructure was required. Out of this need, tokenisation has been born. It is a distinct product that can be applied to a payment ecosystem to make the transactions more secure, particularly with these exciting new ways to pay.

Payment tokenisation is a mechanism whereby the payment card’s PAN (Primary Account Number) – the long number on the front of the card – is replaced with a surrogate non-sensitive value. The PAN cannot be derived from this non-sensitive value, known as a token. Further, the PAN is held securely and only accessed by the appropriate entities when required. The token is typically a 13-19 digit numeric which has no meaning to the ordinary person.

Tokenisation is not a new concept. What is new, however, is the development of an open, interoperable framework of payment tokens which works within the existing payments standards and infrastructure. This was published in March 2014 by EMVCo, which  is collectively owned by Europay, MasterCard and Visa and other payment organisations and which manages, maintains and enhances specifications for payment systems worldwide.

The beauty of tokenisation is that it slots into a payment ecosystem. It does this by introducing two new players:

·       Token Service Provider –ultimately the entity that provides the service. The Token Service Provider links the PAN to the payment token, provides payment tokens and maintains the mapping mechanism. Other responsibilities include applying security controls, due diligence of processes and policies to do with the Token Requestor.

·       Token Requestor –the entity that engages with the Token Service Provider to request payment tokens. The Token Requestor obtains payment card details from its customer which are then sent to the Token Service Provider in exchange for a token. Examples of Token Requestors include digital wallet providers and card-on-file merchants.

The diagram below identifies the new roles and how the payment system works.














Below is a summary of the main steps when requesting a payment token:


 The cardholder registers his or her chosen payment card with the Token Requestor’s service or product.

·       The Token Requestor communicates with the Token Service Provider and asks for a token in relation to its customer’s registered payment card.

·       The request is checked by the Token Service Provider as well as conducting other due diligence such as customer identification and verification with the Issuer.

·       Assuming the checks are successful, a payment token is generated. This and the payment card details are securely stored with the Token Service Provider.

·       The token is delivered to the Token Requestor.

·       The token is delivered by the Token Requestor to the mobile or online environment of the cardholder that is associated with payment.

As there are two new players in the payment ecosystem, there needs to be a legal relationship between them and the original participants in the payment model which determines the obligations that those parties owe to each other.  

The diagram below explains what happens when payment is made with a token:










·       The cardholder (1) wishes to pay using his or her chosen card for which there is an associated token.


  • The cardholder initiates payment with the Merchant’s (2) payment terminal.
  • The Merchant’s system communicates with the cardholder’s method of paying, such as a mobile device.
  • ·After authentication checks are completed, the Merchant receives the cardholder’s payment token.
  • The Merchant submits the token and other transaction information to the Acquirer (3).
  • The Acquirer sends the token to Processor (4) which is then sent to the Token Service Provider.
  • The Token Service Provider performs its initial checks before accessing the Token Vault in order to de-tokenise the token.
  • The PAN and token data are returned to Processor. These pieces of data are sent to the Issuer (5) for approval.
  • After the decision is made by the Issuer and returned to Processor, the PAN is re-tokenised and the response is sent to the Acquirer.
  • The Acquirer relays the payment authorisation response to the Merchant without the PAN data.

Benefits of Tokenisation

There are two key benefits of tokenisation: (i) enhanced security; and (ii) innovation support.

Tokenisation provides enhanced security as a payment transaction is made with a token and not a PAN and these tokens commonly contain what is known as domain controls. This means that the token will contain restrictions such that it can only be used on a particular device or with a particular Merchant. If a token is stolen, it cannot be used freely to pay for goods or services in different domains unlike the PAN and so the utility of a token to a criminal is severely limited.

In addition, the token cannot be de-tokenised so as to reveal the PAN. Only the Token Service Provider will have the means to do this.

A Merchant is likely to benefit through a reduction in security attacks or hacking attempts from the fact that tokens are less valuable to criminals. This in turn could lead to a reduced risk of a security breach and better protection of the Merchant’s brand.

In the event a token is lost or stolen, it is only payments in respect of the domain where the token was being used that are affected (such as on a particular device or in respect of a particular Merchant). If the PAN was lost or stolen, payment in all environments would be affected and the Cardholder would not be able to use his or her card until a new one had been issued. If a token is lost, the associated payment card does not have to be cancelled; a new token is simply created by the Token Service Provider and associated with the PAN.

Innovation is fostered as the increased security provided to the pan by the use of tokens and domain controls  encourages the introduction of new payment types or form factors which would not have been secure enough where the PAN was used.


The Payment Card Industry Data Security Standard (PCI DSS) was established as an industry-wide set of requirements and processes to help ensure that cardholders can make purchases confident in the knowledge that the information on their card will be protected from fraudsters. It also helps businesses securely process card payments and reduce fraud. There are requirements which cover the storage, transmission and processing of cardholder data that businesses handle. PCI DSS compliance is required of all entities that store, process or transmit cardholder data, including financial institutions, merchants and service providers. PCI DSS applies to all payment channels, including retail (brick-and-mortar), e-commerce and mail or telephone order.

Payment tokens can move around the payment ecosystem between applications safely as the encrypted data it represents is securely stored by the Token Service Provider. A Merchant, therefore, may have reduced PCI DSS compliance requirements if its systems no longer store or process sensitive data such as cardholder data but this depends on how its business operates.

Tokenisation will also help entities with their data protection obligations. One of the key principles of data protection is having appropriate technical and security measures to protect against unauthorised processing or loss of personal data and tokenisation provides enhanced security against the loss of personal data.

This is especially relevant given that the data protection landscape is rapidly changing in the EU in the form of the General Data Protection Regulation (GDPR) which provides for significantly more severe penalties. The GDPR is proposed to apply to all businesses (including those outside the EU) that process personal data collected through offering services or goods to citizens in the EU. Therefore, it is entirely possible that a business in the US that, through its website, collects personal data on its EU customers will be caught by GDPR. The fines for non-compliance are currently proposed to be the higher of EUR 100 million or 5% of annual worldwide turnover, whichever is greater.


If a payment token is lost or stolen, it is not immediately critical in the same way as if a cardholder’s payment card details inadvertently became lost or stolen. Companies may see tokenisation as enabling them to better manage their exposure from required compliance. According to the research referred to above, the UK mobile payments boom will see an upsurge in the weekly value spend using mobile devices, with the market growing to an estimated £1.2 billion per week by 2020. To meet this demand, key stakeholders require solutions to assist its customers – something that is secure, convenient and robust so that the customer’s mind is focused on the goods/services as opposed to any concerns about paying. Tokenisation is such a solution.

Amandeep Singh is a Senior Commercial Lawyer, Milan Joshi is a Commercial Lawyer, and Steve Clough is a Senior Manager – Tokenisation at Visa Europe.