How Visa’s tokenisation works

It seems as if each time a new payment technology is introduced, consumer funds are laid open to greater risk of cyber theft.

Since the emergence of online shopping, payWave and other ways to make purchasing more convenient, many consumers have lost total control of their accounts, thanks to scammers and hackers.

Each year, the Reserve Bank of Australia sounds a warning that, at more than $400 million a year, the cost of online credit card fraud is too high.

Visa has recently heeded the call to beef up credit card security by devising ‘tokenisation’.

Formally known as the Visa Token Service (VTS), it enables payments to be processed without merchant systems having to access or store customers’ account numbers.

Essentially, VTS claims to add another layer of security to your transactions so hackers can’t easily pinch your banking details.

“The existing SWIFT infrastructure has been shown to have many risks, and a move towards tokenisation will reduce these risks, as there are enhanced security and auditing methods applied to each transaction,” Edinburgh Napier University computing professor Bill Buchanan told web security journal The Daily Swig.

With VTS, customer card details, such as account numbers and expiry dates, are replaced with tokens – unique digital identifiers that are not stored each time a consumer makes a purchase.

The payment system can be used to shop instore, online and from a mobile phone app.

American Express is also understood to be rolling the technology out soon, with Mastercard announcing it will also set up a tokenisation program by mid-next year, with the aim of enabling the technology on all cards by 2020.

This is how Visa tokens are created:

  • a consumer enrols their Visa account with a digital payment service (such as an online retailer or mobile wallet) by entering their primary account number (PAN), security code and other payment account information
  • the digital payment service provider requests a payment token from Visa for the enrolled account
  • Visa shares the token request with the account issuer (such as the consumer’s bank)
  • Visa shares the token with the token request for online and mobile (NFC) payment use
  • and, with the account issuer’s approval, Visa replaces the consumer’s PAN with a unique digital identifier – the token.


Once a customer initiates a payment online, instore or through the app, the digital payment service provider (e-wallet, eCommerce merchant or app) passes the token to the merchant.

The merchant sends the token to Visa’s network to begin processing the transaction. The token along with the payment card details are then sent to the card issuer for authorisation.

The issuer either accepts or declines the transaction and communicates this to Visa. If the token is accepted, the merchant’s bank receives the payment.

Payment tokens can be limited to a specific mobile device, eCommerce merchant or a limited number of purchases before expiring.

Do you have faith that this new payment system will keep your details more secure? Or do you think it will create more avenues for hackers? Have you ever been defrauded of funds from your credit card? If so, what happened?

Related articles:
Dodgy deals cost consumers
Top three online scams
Smartphone users scammed

YourLifeChoices Writers
YourLifeChoices Writers
YourLifeChoices' team of writers specialise in content that helps Australian over-50s make better decisions about wealth, health, travel and life. It's all in the name. For 22 years, we've been helping older Australians live their best lives.
- Our Partners -


- Advertisment -
- Advertisment -