What is Tokenisation?

• Tokenisation replaces sensitive data with tokens to ensure the original data remains secure.
• Tokenisation is widely used in fintech, e-commerce and mobile wallet technology to secure payment data.
• Tokenisation helps businesses comply with PCI DSS regulations by replacing credit card data with secure tokens.

Tokenisation works by substituting sensitive data with a unique token that acts as a placeholder. This token has no intrinsic value or meaning outside the system where it’s used.

For example, instead of storing a customer’s credit card number in its raw form, a system can tokenise it into a string like “8g57-dh39-qw28.” This token is used in transactions to ensure the actual credit card number remains protected.

Organisations and processes that tokenise sensitive credit card information include:

• Mobile wallets, such as Google Pay and Apple Pay
• Online retail platforms
• Businesses that store customers’ card details

Tokenisation involves three key steps:

1. Data Identification: Sensitive information, such as credit card numbers, is identified.
2. Token Generation: A secure algorithm generates a token to replace the sensitive data. This token has no value or meaning outside the system where it’s used.
3. Data Storage: Sensitive data is securely stored in a token vault (a highly protected database) while the token is used for operations.

Most systems that use tokenisation involve a token vault. However, some systems use algorithms to generate and manage tokens without storing the original data. This method is known as vaultless tokenisation.

Tokenisation can be categorised based on reversibility and format.

These tokens can be converted back to the original data either by using a cryptographic key or by referencing a database that links the token to the original data through a specific function.

These tokens cannot be converted back to the original data. Irreversible tokens are further divided into:

• Authenticatable Tokens: Created using one-way mathematical functions that allow verification without exposing the original data
• Non-Authenticatable Tokens: Do not allow verification or reconstruction of the original data.

These tokens retain the structure of the original data, such as a credit card number. For example:

• Original Card Number: 4111 8765 2345 1111
• Format-Preserving Token: 4111 1111 1111 1111

Format-preserving tokens are used in systems designed around the original data format. However, systems must distinguish between real data and tokens to avoid accidentally exposing sensitive information.

These tokens do not resemble the original data in appearance or structure. For example:

• Original Card Number: 4111 8765 2345 1111
• Non-Format-Preserving Token: 25c92e17–80f6–415f-9d65–7395a32u0223

The Payment Card Industry Data Security Standard (PCI DSS) prohibits retailers from storing customers’ credit card numbers on point-of-sale (POS) systems or in their databases after transactions.

To comply with PCI DSS, merchants have two options:

• Install costly end-to-end encryption systems.
• Outsource payment processing to a service provider that offers tokenisation.

When outsourcing, the service provider manages the generation of tokens and ensures the security of cardholder data. The provider supplies the merchant with a POS driver that converts credit card numbers into randomly generated tokens.

These tokens are not primary account numbers (PANs) and can only be used within the context of a specific transaction with a particular merchant. For example, a credit card token often includes the last four digits of the original card number, while the remaining characters are alphanumeric and represent transaction-specific details.

With over three million scams reported in the UK in 2022, payment card fraud remains a significant threat. According to the latest statistics, remote purchase fraud accounted for £395.7 million, while fraud on lost or stolen cards reached £100.2 million. These statistics highlight the urgent need for effective security measures to protect sensitive data.

Tokenisation provides a powerful solution by replacing sensitive information with meaningless tokens, drastically reducing the risk of data theft and fraud.

It also offers other advantages, including:

• Regulatory Compliance: Tokenisation helps organisations adhere to strict data protection laws and standards, such as PCI DSS.
• Data Minimisation: Since sensitive data is stored in a secure token vault, businesses minimise the amount of high-risk data they handle.
• Scalability: Tokenisation is highly scalable and can be implemented in various systems and processes without compromising performance.

While tokenisation and encryption are often mentioned together, they are distinct methods of data protection:

• Encryption involves transforming data into an unreadable format using an algorithm and a key. Encrypted data can be decrypted back into its original form with the right key.
• Tokenisation replaces data with a token and stores the original data in a secure location. Unlike encryption, tokens have no relationship to the original data, making them immune to certain attacks.

Both methods are complementary and often used together to enhance security.

PCI DSS training is essential to ensure compliance with data protection standards and safeguard sensitive payment data.

Our online PCI DSS Training course is designed for employees responsible for handling card payments. It equips them with the essential knowledge to ensure compliance with the Payment Card Industry Data Security Standard. The course teaches employees their responsibilities and provides strategies for securely handling sensitive cardholder data during both in-person and remote transactions.

After completing the course, employees will understand how to reduce the risk of data breaches and fraud, helping the organisation maintain strong security standards and comply with industry regulations.