Payment Token is simply using a surrogate of the primary account number (PAN) of a payment card to process a payment transaction instead of the actual card PAN. Token payment helps to secure the actual card details from the bad guys because the actual card data is never required to be entered again to make a payment. It helps merchants to reduce the scope of PCI DSS and enhances the convenience of both online and in-store transactions.
Payment Token Generation:
Payment Tokens are usually generated by the Token Service Provider (TSP) as defined by EMV.
The process is as follows:
- The merchant captures the cardholder’s PAN and other card details
- The details are passed to the TSP via a Token Requestor (Token Requestor can be the Merchant)
- The TSP contacts the card issuer for authorisation to issue a Token in place of the card PAN
- If the card issuer approves, the TSP generates a Token in lieu of the PAN using one of the following methods as defined by PCI:
- A mathematically reversible cryptographic function, based on a known strong cryptographic algorithm and strong cryptographic key (with a secure mode of operation and padding mechanism)
- A one-way non-reversible cryptographic function (e.g., a hash function with strong, secret salt)
- Assignment through an index function, sequence number or a randomly generated number (not mathematically derived from the PAN)
- The TSP sends the generated Token to the Token Requestor
- The Token Requestor makes the Token available to the Merchant
The Merchant can then use the Token for payment depending on the Token domain restrictions.
The Token domain restrictions are defined at the time of the payment token request. e.g the restriction could be that the Token is only permitted for e-commerce transactions, only be used via NFC or both. It also, specifies where the Token shall be stored such as on-file, shared storage, on phone etc. This specified location cannot be changed throughout the Token lifecycle.
The Token Requestor is responsible for managing and controlling how have access to the Payment Token.
The card issuer is responsible for validating how the cardholder was authenticated (usually referred as cardholder verification method) before authorising the TSP to generated a Token for the corresponding PAN.
A PAN (card) can have multiple Payment Tokens associated to it. This could be used for different purposes by different merchants.
Token Users (merchant) usually have a direct relationship with the Token Requestor especially where the Payment Token is used by multiple merchants – this is referred to as Shared Payment Token.
Token Payment:
To make a payment with Tokens, the merchant has to get the Token either from its storage or from the user device (like in Apple and Android Pay) and pass it on to the TSP as follows:
- Merchant gets Token from user device or storage
- Sends Token and related payment data to the Acquirer (the Merchants bank)
- The Acquirer sends Token and related payment data to TSP
- TSP validates the necessary Token domain restrictions
- TSP de-tokenizes the Token to the corresponding PAN
- Sends the PAN and Token to the card issuer to authorise the transaction
- Card issuer authorises or declines the transaction and sends the response of its decision to the TSP
- TSP forwards the card issuer’s authorisation decision to the Acquirer
- The Acquirer completes the transaction process and informs the merchant of the transaction status.
The only major difference here is that a Token is used in place of a PAN and the involvement of a TSP. All the other things are the same as using the card PAN to process a payment transaction.
Tokenization of sensitive authentication data (including magnetic stripe data or equivalent on a chip, CAV2 / CVC2 / CVV2 / CID data, and PINs/PIN blocks) is not permitted per PCI DSS Requirement 3.2.
Benefits of Token Payment:
Token Payment provides lots of benefits especially in helping the merchant to reduce the scope of PCI DSS . According to PCI:
- Any system component with access to PAN data, or that has the ability to retrieve a PAN in exchange for a token, must be located in a PCI DSS compliant environment.
- PCI DSS controls apply wherever PAN is processed, stored, or transmitted—such as at the point of capture—as well as at any de-tokenization points.
If a Token Payment is implemented properly, the merchant only needs to handle the PAN at the point of capture and afterwards, deals with only Tokens which cannot be reversed or at least is of lesser value to an attacker.
De-tokenization is usually handled by the TSP, so, doesn’t concern the merchant.
This goes along way in reducing liabilities on the merchant side and as well preventing the user payment card data from being harvested by attackers in case of a security breach.
Token Payment makes online payment more secure and convenient.