How Visa’s tokenisation works

It seems as if each time a new payment technology is introduced, consumer funds are laid open to greater risk of cyber theft.

Since the emergence of online shopping, payWave and other ways to make purchasing more convenient, many consumers have lost total control of their accounts, thanks to scammers and hackers.

Each year, the Reserve Bank of Australia sounds a warning that, at more than $400 million a year, the cost of online credit card fraud is too high.

Visa has recently heeded the call to beef up credit card security by devising ‘tokenisation’.

Formally known as the Visa Token Service (VTS), it enables payments to be processed without merchant systems having to access or store customers’ account numbers.

Essentially, VTS claims to add another layer of security to your transactions so hackers can’t easily pinch your banking details.

“The existing SWIFT infrastructure has been shown to have many risks, and a move towards tokenisation will reduce these risks, as there are enhanced security and auditing methods applied to each transaction,” Edinburgh Napier University computing professor Bill Buchanan told web security journal The Daily Swig.

With VTS, customer card details, such as account numbers and expiry dates, are replaced with tokens – unique digital identifiers that are not stored each time a consumer makes a purchase.

The payment system can be used to shop instore, online and from a mobile phone app.

American Express is also understood to be rolling the technology out soon, and Mastercard has announced it will set up a tokenisation program by the middle of next year, with the aim of enabling the technology on all cards by 2020.

This is how Visa tokens are created:

  • a consumer enrols their Visa account with a digital payment service (such as an online retailer or mobile wallet) by entering their primary account number (PAN), security code and other payment account information
  • the digital payment service provider requests a payment token from Visa for the enrolled account
  • Visa shares the token request with the account issuer (such as the consumer’s bank)
  • Visa shares the token with the token requestor for online and mobile (NFC) payment use
  • and, with the account issuer’s approval, Visa replaces the consumer’s PAN with a unique digital identifier – the token.

Once a customer initiates a payment online, instore or through the app, the digital payment service provider (e-wallet, eCommerce merchant or app) passes the token to the merchant.

The merchant sends the token to Visa’s network to begin processing the transaction. The token, along with the payment card details, is then sent to the card issuer for authorisation.

The issuer either accepts or declines the transaction and communicates this to Visa. If the token is accepted, the merchant’s bank receives the payment.

Payment tokens can be limited to a specific mobile device, eCommerce merchant or a limited number of purchases before expiring.
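The enrolment and payment steps above, together with these token restrictions, can be sketched as a simplified model. This is an example added here, not Visa's code or API: the `TokenVault` class, its method names, the merchant names and the sample account number are all assumptions made for illustration.

```python
import secrets
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass
class TokenRecord:
    pan: str                  # real account number, held only inside the vault
    merchant: Optional[str]   # None = usable at any merchant
    device: Optional[str]     # None = usable from any device
    uses_left: Optional[int]  # None = no purchase limit

class TokenVault:
    """Toy stand-in for the token service: the only place a token maps to a PAN."""
    def __init__(self, issuer_approves: Callable[[str], bool]):
        self._issuer_approves = issuer_approves  # callback playing the card issuer
        self._records = {}

    def provision(self, pan, merchant=None, device=None, max_uses=None):
        if not self._issuer_approves(pan):       # issuer must approve the request
            return None
        token = pan
        while token == pan or token in self._records:
            # Random digits: the token has no mathematical link to the PAN.
            token = "".join(secrets.choice("0123456789") for _ in range(len(pan)))
        self._records[token] = TokenRecord(pan, merchant, device, max_uses)
        return token

    def authorise(self, token, merchant, device=None):
        rec = self._records.get(token)
        if rec is None:
            return False, "unknown token"
        if rec.merchant is not None and rec.merchant != merchant:
            return False, "wrong merchant"
        if rec.device is not None and rec.device != device:
            return False, "wrong device"
        if rec.uses_left is not None:
            if rec.uses_left <= 0:
                return False, "purchase limit reached"
            rec.uses_left -= 1
        # Only here is the token swapped back for the PAN, for the issuer's decision.
        approved = self._issuer_approves(rec.pan)
        return approved, "approved" if approved else "declined by issuer"

if __name__ == "__main__":
    PAN = "4111111111111111"  # constructed sample number, not a real account
    vault = TokenVault(issuer_approves=lambda pan: pan == PAN)
    tok = vault.provision(PAN, merchant="shop-a", max_uses=1)
    for shop in ("shop-b", "shop-a", "shop-a"):
        print(shop, vault.authorise(tok, shop))
```

The merchant only ever handles `tok`, so a token copied from one merchant's systems is refused anywhere outside its restrictions.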

Do you have faith that this new payment system will keep your details more secure? Or do you think it will create more avenues for hackers? Have you ever been defrauded of funds from your credit card? If so, what happened?

Written by Olga Galacho

