Tokenisation – Behind the Scenes

If you read our previous post on tokenisation you will already have an overview of what the term means, the benefits to ecommerce businesses, and a basic idea of the process. In this post we explore how tokenisation works in more detail.

How Does Tokenisation Work?

To recap, tokenisation is a method of processing transactions that ensures:
• Payment card details are kept secure,
• Merchants do not have to store customers’ card data,
• The information retained by the merchant (the token) has no value to anyone outside the gateway that issued it.

The key advantage of this is that businesses can reduce their PCI compliance burden, and offer customers a secure and user-friendly shopping experience. This is especially valuable to those retailers with repeat customers who would like to offer quick checkout services like ‘one-click’.

So, when a new customer is ready to checkout their basket, what steps take place before you receive their payment and can dispatch their goods?

Diagram of the tokenisation process

Step 1: Typically, when a customer clicks “checkout” or “continue securely”, they are either asked to create an account, offered the option to continue as a ‘guest’, or sent straight to your payment profile form. At this point the new customer enters their contact details and payment card information.

Step 2: The customer’s data is then sent over an encrypted connection (the post says SSL, Secure Sockets Layer; in practice this means TLS, since SSL itself is deprecated and payment gateways no longer accept it) to your Payment Gateway, such as Secure Trading, with a request to create a new profile and issue a token. The customer’s payment card data and personal details are stored securely on the payment gateway provider’s PCI DSS compliant servers* (the data vault), reducing your business’s PCI DSS liability. One caveat a practitioner should check: the reduction in scope only holds if the card data travels directly from the customer’s browser to the gateway (a hosted payment page or gateway-hosted form fields). If the card details are posted to your own web server first and forwarded from there, that server still handles cardholder data and remains fully in scope.

Step 3: Your payment gateway provider generates a unique token (customer code) that is valid only between you, the merchant, and your chosen payment gateway provider. It is tied to the customer’s card and to the channel used to make the purchase: for example, a token generated when a customer pays in-store cannot be used when they buy online, and vice versa. A token should be unpredictable and not derived from the card number, so that someone who obtains it learns nothing about the card and cannot use it with any other gateway. The token is sent to a callback URL specified by the merchant.

Step 4: To collect the payment, your payment gateway provider requests authorisation from the customer’s bank, again over an encrypted (TLS) connection that protects the cardholder’s data in transit.

Step 5: Once your payment system receives confirmation of the new token you can process the customer’s transaction. The merchant then stores the token, together with non-sensitive display data such as the last four digits and expiry date, so that when the customer returns they do not need to enter their full card details again.

Step 6: Having successfully processed the new customer’s transaction, the token can be used again for future purchases for as long as the associated payment card remains valid. However, the customer will need an account for this to work. Therefore, if an account was not created before their payment was processed, the last step of the transaction should offer the option of setting up an account.

Step 7: If the customer returns to make further purchases they only need to enter their login details, which let your payment system look up the stored token. If necessary, any refunds can also be processed against the token, making the process quicker and easier for both the customer and the merchant.
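As an added worked example (not code from the original post, nor Secure Trading’s own API), here is the whole of Steps 1 to 7 modelled in Python: a hypothetical in-memory gateway vault that issues random tokens bound to one merchant and one channel, and a merchant that stores only the token and the last four digits. The names TokenVault, Merchant and the channel labels "ecom" and "pos" are assumptions for illustration, as is the constructed test card number. The demo also shows what happens when a token leaks from the merchant’s database and is tried against another merchant or channel.

```python
import secrets

# Constructed model of the tokenisation flow in Steps 1-7; TokenVault, Merchant
# and the channel labels "ecom"/"pos" are hypothetical names, not a real gateway API.


def luhn_valid(pan):
    """Luhn mod-10 sanity check on a card number before it is vaulted."""
    if not pan.isdigit() or len(pan) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch) * 2 if i % 2 else int(ch)  # double every second digit from the right
        total += d - 9 if d > 9 else d
    return total % 10 == 0


class TokenVault:
    """Gateway side (Steps 2-4): the only component that ever holds the full PAN."""

    def __init__(self):
        self._records = {}  # token -> {"pan", "expiry", "merchant", "channel"}

    def tokenise(self, merchant_id, channel, pan, expiry):
        if not luhn_valid(pan):
            raise ValueError("card number failed Luhn check")
        # A random token is not derived from the PAN, so it reveals nothing about
        # the card and cannot be reversed anywhere outside this vault.
        token = secrets.token_urlsafe(24)
        self._records[token] = {"pan": pan, "expiry": expiry,
                                "merchant": merchant_id, "channel": channel}
        return token

    def _lookup(self, merchant_id, channel, token):
        rec = self._records.get(token)
        # A token issued to one merchant and channel is useless for any other.
        if rec is None or rec["merchant"] != merchant_id or rec["channel"] != channel:
            return None
        return rec

    def charge(self, merchant_id, channel, token, amount_pence):
        rec = self._lookup(merchant_id, channel, token)
        if rec is None:
            return {"ok": False, "reason": "token not valid for this merchant/channel"}
        # A real gateway would forward rec["pan"] to the acquirer here (Step 4).
        return {"ok": True, "amount_pence": amount_pence, "last4": rec["pan"][-4:]}

    def refund(self, merchant_id, channel, token, amount_pence):
        # Refunds (Step 7) also run on the token; the merchant never needs the PAN.
        return self.charge(merchant_id, channel, token, -amount_pence)


class Merchant:
    """Merchant side (Steps 1, 5-7): stores the token plus display data, never the PAN."""

    def __init__(self, merchant_id, gateway, channel="ecom"):
        self.id, self.gateway, self.channel = merchant_id, gateway, channel
        self.profiles = {}  # customer -> {"token", "last4", "expiry"}

    def checkout_new_customer(self, customer, pan, expiry, amount_pence):
        token = self.gateway.tokenise(self.id, self.channel, pan, expiry)
        # Keep only what is needed to show "card ending 1111" at the next checkout.
        self.profiles[customer] = {"token": token, "last4": pan[-4:], "expiry": expiry}
        return self.gateway.charge(self.id, self.channel, token, amount_pence)

    def checkout_returning(self, customer, amount_pence):
        token = self.profiles[customer]["token"]
        return self.gateway.charge(self.id, self.channel, token, amount_pence)

    def refund(self, customer, amount_pence):
        token = self.profiles[customer]["token"]
        return self.gateway.refund(self.id, self.channel, token, amount_pence)


def demo():
    """First purchase, repeat purchase, refund, then misuse of a leaked token."""
    vault = TokenVault()
    shop_a = Merchant("shop-a", vault)
    test_pan = "4111111111111111"  # constructed Luhn-valid test number
    first = shop_a.checkout_new_customer("alice", test_pan, "12/29", 1999)
    repeat = shop_a.checkout_returning("alice", 500)
    refund = shop_a.refund("alice", 500)
    leaked = shop_a.profiles["alice"]["token"]  # suppose the merchant DB is dumped
    other_merchant = vault.charge("shop-b", "ecom", leaked, 100)
    other_channel = vault.charge("shop-a", "pos", leaked, 100)
    return {"first": first, "repeat": repeat, "refund": refund,
            "other_merchant": other_merchant, "other_channel": other_channel,
            "pan_in_merchant_db": test_pan in repr(shop_a.profiles)}
```

Running demo() shows the three legitimate operations succeed on the token alone, the two misuse attempts are rejected because the token is bound to "shop-a" on the "ecom" channel, and the full card number never appears in the merchant’s stored profiles. The point of generating the token with secrets.token_urlsafe rather than hashing or encrypting the PAN is that a breach of the merchant’s database yields nothing that can be turned back into a card number.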

Clearly, there are real benefits for all parties concerned in using tokenisation. Although it has yet to become a standard method of payment processing and data security, many of the large payment organisations and payment card companies are working towards it. Of course there are costs associated with setting up this system. However, these may be offset by the reduction in PCI compliance costs and by the value it adds to the user experience for your customers.

As any online retailer knows, simplifying the checkout process is a sure-fire way to prevent abandoned shopping baskets, and encourage loyalty and repeat customers.

Related Posts: What Is Tokenisation?

* Secure Trading are Level 1 PCI compliant.