Explained: How Visa’s tokenisation works

Credit cards are about to become more resistant to fraudsters.

Explained: How Visa’s tokenisation works

It seems as if each time a new payment technology is introduced, consumer funds are laid open to greater risk of cyber theft.

Since the emergence of online shopping, payWave and other ways to make purchasing more convenient, many consumers have lost total control of their accounts, thanks to scammers and hackers.

Each year, the Reserve Bank of Australia sounds a warning that, at more than $400 million a year, the cost of online credit card fraud is too high.

Visa has recently heeded the call to beef up credit card security by devising ‘tokenisation’.

Formally known as the Visa Token Service (VTS), it enables payments to be processed without merchant systems having to access or store customers’ account numbers.

Essentially, VTS claims to add another layer of security to your transactions so hackers can’t easily pinch your banking details.

“The existing SWIFT infrastructure has been shown to have many risks, and a move towards tokenisation will reduce these risks, as there are enhanced security and auditing methods applied to each transaction,” Edinburgh Napier University computing professor Bill Buchanan told web security journal The Daily Swig.

With VTS, customer card details, such as account numbers and expiry dates, are replaced with tokens – unique digital identifiers that are not stored each time a consumer makes a purchase.

The payment system can be used to shop instore, online and from a mobile phone app.

American Express is also understood to be rolling the technology out soon, with Mastercard announcing it will also set up a tokenisation program by mid-next year, with the aim of enabling the technology on all cards by 2020.

This is how Visa tokens are created:

  • a consumer enrols their Visa account with a digital payment service (such as an online retailer or mobile wallet) by entering their primary account number (PAN), security code and other payment account information
  • the digital payment service provider requests a payment token from Visa for the enrolled account
  • Visa shares the token request with the account issuer (such as the consumer’s bank)
  • Visa shares the token with the token request for online and mobile (NFC) payment use
  • and, with the account issuer’s approval, Visa replaces the consumer’s PAN with a unique digital identifier – the token.

Once a customer initiates a payment online, instore or through the app, the digital payment service provider (e-wallet, eCommerce merchant or app) passes the token to the merchant.

The merchant sends the token to Visa’s network to begin processing the transaction. The token along with the payment card details are then sent to the card issuer for authorisation.

The issuer either accepts or declines the transaction and communicates this to Visa. If the token is accepted, the merchant’s bank receives the payment.

Payment tokens can be limited to a specific mobile device, eCommerce merchant or a limited number of purchases before expiring.

Do you have faith that this new payment system will keep your details more secure? Or do you think it will create more avenues for hackers? Have you ever been defrauded of funds from your credit card? If so, what happened?



    To make a comment, please register or login
    28th Nov 2018
    Yes, my credit card was used without it ever leaving my purse. Somehow they got the number and made a purchase overseas. The bank alerted me and issued me with a new card and refund. I always use PayPal for internet purchases, so have no need for this technology esp. as I don’t fully understand it.
    28th Nov 2018
    Similar story, obtained number somehow, bought items online but bank called me before I knew (within an hour) - refund made three days later and new card in my hand on the fourth day. Great service and I still use my credit card everyday knowing that the bank will back me 100%.

    The banks are keen for us to use these cards so make sure that when something does go wrong they fix it fast.

    In dollar value frauds on credit cards for 2017 were 0.074%, an extremely small percentage. In terms of transaction numbers 0.037% were frauds, again an extremely small number.
    28th Nov 2018
    Same here, my credit card was hacked, my bank rang me up, cancelled my card and issued me with a new one. I also got the purchases made refunded - thank goodness. I always use Paypal online, but this time I made a donation to Greenpeace of $20 and bingo. I hardly use the damn thing and only have it for emergencies. The above sounds too complicated for me, I will stick with Paypal and no Credit card on the internet.
    28th Nov 2018
    I have one special card with only a little money in for on line purchases
    28th Nov 2018
    Sounds more like a "big brother" idea than a "security" idea to me. Yes I have had details of my credit card fall in to the wrong hands - decades ago. Funds returned by provider but did take a few months at that time. Have used Paypal ever since and see nothing wrong with this solution.

    You May Like