Security check

Digital payments ecosystem gets a security boost with introduction of tokenisation


THE JANUARY announcement allowing tokenisation of debit, credit and prepaid card transactions to enhance the safety of the digital payments ecosystem in the country is a welcome move. It will be highly beneficial to address the safety concerns of payment channels, especially when card information is stored and saved for future transactions. With strong industry backing, clear guidelines and well-devised reference implementations, tokenisation is a positive move.

India has been undergoing a number of changes and developments in the form of reforms in the last few years. The reforms have led to higher growth rates, stable economy and improvement in macroeconomic stability and global integration. Further, there is an improvement in the business environment with the implementation of stable governance standards. The financial landscape, both in India and globally, has changed significantly over the last decade. Key forces driving this change include increased customer expectations, emergence of new disruptive technologies, new-age technology competitors and evolving regulatory requirements.

All this is making us redesign our strategy and allocate investments around technology. The payment ecosystem in the country has witnessed a series of innovations that has helped the industry grow. This holds true for payment data security as well, wherein there have been significant initiatives over the last few years. Leading the charge is a technology that has become a game changer for the industry: tokenisation.

Kalpesh J. Mehta

Tokenisation is a highly secure method of protecting payment and customer identification credentials. It is the process in which sensitive information is replaced with a randomly generated unique token or symbol. These tokens would ensure that data is not transmitted or stored in an insecure format. However, for the use of tokenisation to be efficient in the payments industry, a universal standard must be created to ensure that merchants can support the technology across multiple providers, and without negatively impacting customer experience. Moreover, it protects the cardholder data at many points in the transaction lifecycle, especially during post-authorisation, and for recurring transactions once a card has been presented.

Essentially, tokenisation shields bank account numbers and credit card numbers in a secure, virtual vault that can be transmitted across wireless networks without adding unnecessary risk. To work, a payment gateway is needed to store sensitive data, which allows the random token to be generated. When customers swipe their credit or debit cards at the checkout counter, their personal account numbers (PANs) are not stored in the merchant's payment system. Instead, these 16-digit PANs get replaced with randomly generated token IDs.

Tokenisation offers a higher level of security as long as the system is logically isolated and segmented from data processing systems and applications that process or store the sensitive data replaced by tokens. Once the transaction goes through, the payment processor sends a confirmation back to the merchant with the randomly generated token ID which is stored in place of the PAN data in their system. At no point does the credit card data ever get stored within the retailer's environment. Furthermore, tokenisation can be the answer to securing not just payments, but other aspects of commerce as well, including the transmission and storage of electronic health records and age verification identity checks.
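
The flow described above, as an added example that is not code from this article or from any payment provider. The class names, the tok_ prefix and the in-memory vault are assumptions made for illustration.

```python
import secrets

class TokenVault:
    """Processor-side store; the only component that ever holds PANs."""
    def __init__(self):
        self._pan_by_token = {}
        self._token_by_pan = {}

    def tokenise(self, pan):
        if not (pan.isdigit() and len(pan) == 16):
            raise ValueError("expected a 16-digit PAN")
        if pan not in self._token_by_pan:
            # Random value, not derived from the PAN, so a stolen token
            # cannot be reversed without access to the vault itself.
            token = "tok_" + secrets.token_hex(16)
            self._token_by_pan[pan] = token
            self._pan_by_token[token] = pan
        return self._token_by_pan[pan]

    def detokenise(self, token):
        return self._pan_by_token.get(token)  # None for unknown tokens

class Processor:
    """Payment processor: owns the vault and hands back only tokens."""
    def __init__(self):
        self._vault = TokenVault()

    def authorise(self, pan, amount):
        # The approve/decline decision is out of scope here (assumption):
        # every well-formed card is approved.
        return {"approved": True, "amount": amount,
                "token": self._vault.tokenise(pan)}

    def charge_token(self, token, amount):
        pan = self._vault.detokenise(token)  # PAN resolved only inside the processor
        return {"approved": pan is not None, "amount": amount, "token": token}

class Merchant:
    """Merchant system: keeps the confirmation, never the PAN."""
    def __init__(self, processor):
        self.processor = processor
        self.records = []

    def checkout(self, pan, amount):
        confirmation = self.processor.authorise(pan, amount)
        self.records.append(confirmation)  # token stored in place of the PAN
        return confirmation["token"]

    def recurring_charge(self, token, amount):
        return self.processor.charge_token(token, amount)["approved"]
```

Because the merchant's records hold only the token, a copy of that data yields nothing usable without the processor's vault, which is why the vault has to stay isolated from the systems that store tokens.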

Over the course of time, it can be integrated with other technologies. However, to make the best of this technology, its elements cannot be adopted in a silo, and instead, they have to be deliberately ingrained into the core enterprise architectural fabric, which, in turn, must be driven by a lean, agile and dynamic operating model. In a majority of the cases, new-age channels and offerings have been layered onto an ageing core infrastructure, severely limiting their ability to integrate seamlessly and respond to the changing business demands.

For this, like in any payment initiative, the existing applications and infrastructure need to be updated and built to accommodate the change. Also, the interoperability aspect that makes digital wallets far more convenient needs to be applied to tokenisation as well. This will help the technology be accepted at all point-of-sale terminals.

Mehta is a partner, Deloitte India.