Context

As per RBI guidelines, with effect from 1st July 2022, neither businesses nor payment aggregators can save customer card details on their platforms.

About

Tokenisation:

• Tokenisation refers to the process of exchanging sensitive consumer data in the form of non-sensitive tokens.
• In other words, tokens are a unique set of characters related to digital payments that retain the essential information without compromising the security of underlying sensitive data.
• In technical terms, tokenisation also refers to the process of replacing the 16-digit card account number with a unique identifier, known as a token.
  • This tokenized data is irreversible and undecipherable as there is no mathematical relationship between the randomly assigned token and the original number it replaces.
  • It also allows secure payment processing without exposing sensitive data that could result in a security breach.

Purpose of Tokenisation

• The primary purpose of tokenisation is the protection of sensitive payment-related information to preserve its utility.
• Using this process, organizations can continue to use the tokenized data for business purposes without worrying about the compliance issues related to storing sensitive data internally.

Benefits of tokenization

The main benefits of tokenization include the following:

• It is more compatible with legacy systems than encryption.
• It is a less resource-intensive process than encryption.
• The risk of the fallout in a data breach is reduced.
• It makes the payment industry more convenient by propelling new technologies like mobile wallets, one-click payment and cryptocurrency. This, in-turn, enhances customer trust because it improves both the security and convenience of a merchant's service.
• It reduces the steps involved in complying with PCI DSS regulations for merchants.

Types of tokens

There are numerous ways tokens can be classified.However, three main types of tokens as defined by the Securities and Exchange Commission (SEC) and the Swiss Financial Market Supervisory Authority (FINMA). These are:

• Asset/Security token: These are tokens that promise a positive return on an investment. These are analogous to bonds and equities, economically.
• Utility token:These are created to act as something other than a means of payment. For example, a utility token may give direct access to a product or platform, or as a discount on future goods and services offered by the platform. It adds value to the functioning of a product.
• Currency/Payment token:These are created solely as a means of payment for goods and services external to the platform they exist on.

Difference between tokenisation and encryption:

• Many individuals consider tokenisation as a synonym for data encryption, which is not true.
• Although both the processes may seem to work on ensuring data security, there are finer differences between the two.

width="100%">

Encryption	Tokenisation
Used to transform plain text into cipher text mathematically using an encryption algorithm	Used to generate a random token value for plain text and then stores the mapping in a database
Used for structured and unstructured data fields	Used for structured data fields, like card details
Easy to scale to large data volumes using a small encryption key	Difficulty may arise to scale securely as database size increases
Comes with a trade-off of lower strength with the format-preserving encryption schemes	Easy to maintain format without losing strength of data security
Make the original data leaves the organization but in encrypted format	Does not require the original data to leave the organization, which satisfies various compliance requirements