Digital tokenization is a security technique that replaces confidential user data, such as a payment card number (PAN), with a surrogate value called a token before the data leaves the system that holds it. A token is a randomly generated string of digits or alphanumeric characters that carries no information about the value it stands for. The real value is kept in a token vault operated by the token service provider (in card payments, usually the card network or the issuing bank, never the merchant), and the original data is recovered from a token only by a lookup in that vault. This reverse step is called de-tokenization and takes place inside the provider's secured environment. Tokenization protects online transactions because the user's device, the merchant and the network path handle only the token; if any of them is compromised, the attacker obtains a surrogate that cannot be turned back into the card number without access to the vault, so the financial and reputational loss that a stolen card number would cause is avoided. Like encryption, tokenization hides confidential data from outsiders, but the two differ fundamentally. Encryption transforms the data with a mathematical algorithm under a secret key (or a public/private key pair); the ciphertext is usually of a different length and type from the plaintext (unless format-preserving encryption is used), and anyone who obtains the key can decrypt every ciphertext wherever it is stored. Tokenization does not transform the data at all: it substitutes a surrogate chosen independently of the data, so there is no key to steal and no mathematical relation to attack, and de-tokenization is a lookup in the vault rather than a computation. Handling a token therefore needs no cryptographic computation or special hardware on the device or at the merchant, which suits low-power, low-memory mobile devices (wallets do pair the token with a small per-transaction cryptogram, but that is well within mobile hardware). The cost is concentrated in the vault, which becomes the system's high-value target and must itself be strongly protected. For these reasons tokenization is the standard mechanism for securing credit/debit card based mobile wallet payments such as Google Pay and Apple Pay.
Mobile wallets (or digital wallets) hold the user's card details, chiefly the PAN (Primary Account Number, the usually 16 digit number printed on the front of the card) and the expiry date; the CVV is entered when a card is enrolled and is not meant to be retained, since the PCI DSS forbids storing it after authorization. A single wallet often holds several cards. In a contactless NFC (Near Field Communication) payment the wallet transmits a card credential over a short-range radio link to the merchant's card reader. To secure this, the wallet does not transmit the original card details at all. When a card is enrolled, a token service provider (usually the card network, acting on behalf of the issuing bank, such as Citibank or Axis Bank) issues a payment token, a surrogate card number with its own expiry date, and provisions it to that specific device. At each tap the wallet sends this token together with a one-time cryptogram computed on the device for that transaction; the CVV is never sent, and what protects the tap is not secrecy of the token, which is scoped to that device, but the cryptogram, which cannot be reused. The merchant reader forwards the token and cryptogram through the acquirer to the payment network, where the token service looks the token up in its vault, checks the cryptogram, and replaces the token with the real PAN before the authorization request reaches the issuing bank, which approves or declines the payment. The merchant therefore never sees or stores the real card number.
Beyond payments, tokens are used to protect many other kinds of confidential records exchanged online, such as patient medical records, driving licences, loan applications, academic documents, stock trading documents or voter registration documents. By usage, tokens fall into three types:
1.Asset Tokens: Also known as security tokens or blockchain tokens, these represent financial instruments such as securities, bonds or equity certificates and are recorded and transferred on a blockchain. The underlying document is digitized and represented by a token, and it is the token, not the document, that moves on the ledger. This is a different mechanism from the vault tokenization described above: a blockchain token is a transferable record of ownership rather than a surrogate mapped back to a secret. A public ledger makes the transaction history tamper-evident and auditable, which is why it is favoured for high-value financial instruments, but it does not by itself protect the private keys that control the tokens, and loss or theft of those keys is where most losses in this area occur.
2.Utility Tokens: In the usage described here, these stand in for private documents such as driving licences, medical records, academic documents, loan applications or stock trading certificates. The token rather than the document travels over the internet, and the receiving party, before acting on it, recovers the original document from the token by de-tokenization at the vault that issued it.
3.Payment Tokens: These are used for payment transactions. Private financial data such as a card PAN, its expiry date or a bank account number is replaced by a token issued by the bank or its token service provider, and only the token is sent over the internet. A card PIN is not tokenized; it is encrypted in a PIN block under keys held in hardware security modules, and the CVV is neither tokenized nor stored.
Tokens are also classified as high-value or low-value. A low-value token is a placeholder only: it cannot complete a transaction on its own, and the original data must first be recovered from the vault. A high-value token can itself be used to complete a transaction, as a payment token presented in place of a PAN is; such tokens are therefore worth stealing and are the ones that must be scoped to a device or merchant. A separate, independent distinction is vault-based versus vault-less tokenization. Vault-less tokenization generates the token with an algorithm (typically format-preserving encryption or a keyed lookup table) instead of storing a random mapping, so there is no database of token-to-PAN pairs to replicate and protect. It still requires a de-tokenization step, performed by the provider that holds the algorithm's secret key or tables; the secret moves from the vault to the key, it does not disappear. A high-value token may be issued from a vault, and a vault-less scheme can produce low-value tokens.
Tokens are usually scoped to a domain: a particular device (an Apple iPhone or Samsung Galaxy handset, say), a particular wallet app (Google Pay, Apple Pay or Samsung Pay) or a particular e-commerce merchant (Amazon.com or Walmart.com), and the token service rejects a token presented outside that domain. They may also be limited in time or in number of uses: a single-use token expires after one transaction, and a multi-use token after a set count or date. Together these controls mean that a token captured at one merchant cannot be replayed elsewhere.
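As an added worked example (not code from the original article or from any real token service provider), the following Python sketch implements the vault-based scheme described in the opening paragraph and the domain and usage limits discussed just above: a token is a random, format-preserving surrogate that is Luhn-valid like a PAN but shares only its last four digits with it, the vault is the only way back from token to PAN, and de-tokenization refuses a token presented from the wrong domain or beyond its permitted uses. All names (TokenVault, TokenRecord, demo) and the domain strings are constructed for illustration; the PAN 4111111111111111 is a standard Luhn-valid test number, not a real account.

```python
import hmac
import secrets
from dataclasses import dataclass


def luhn_check_digit(digits: str) -> str:
    """Luhn check digit for `digits`, the account number without its final digit."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 0:            # double every second digit, starting beside the check digit
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def is_valid_pan(pan: str) -> bool:
    """Format check a merchant or gateway would apply to a card number."""
    return pan.isdigit() and 13 <= len(pan) <= 19 and luhn_check_digit(pan[:-1]) == pan[-1]


@dataclass
class TokenRecord:
    pan: str
    domain: str            # who may present this token, e.g. "device:phone-7|merchant:shop.example"
    remaining_uses: int


class TokenVault:
    """Toy vault-based token service (hypothetical; not a real provider's API).

    The token is drawn at random, so the only route from token to PAN is the
    mapping kept here; nothing about the PAN can be computed from the token.
    """

    def __init__(self) -> None:
        self._records = {}     # token -> TokenRecord; this dict is the "vault"

    def tokenize(self, pan: str, domain: str, max_uses: int = 1) -> str:
        if not is_valid_pan(pan):
            raise ValueError("not a valid PAN")
        while True:
            # Same length and same last four digits as the PAN (so receipts can
            # show "**** 1111"); everything else random.  Retry until the Luhn
            # check digit works out, so the token passes the same format checks
            # as a real card number and can flow through legacy systems.
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if token != pan and token not in self._records and is_valid_pan(token):
                break
        self._records[token] = TokenRecord(pan, domain, max_uses)
        return token

    def detokenize(self, token: str, domain: str) -> str:
        rec = self._records.get(token)
        if rec is None:
            # Unlike a ciphertext, an unknown token cannot be "decrypted" anywhere.
            raise KeyError("unknown token")
        if not hmac.compare_digest(rec.domain, domain):
            raise PermissionError("token presented outside the domain it was issued for")
        if rec.remaining_uses <= 0:
            raise PermissionError("token exhausted")
        rec.remaining_uses -= 1
        return rec.pan


def demo() -> dict:
    """Issue a two-use token to one device/merchant pair, then exercise the checks."""
    vault = TokenVault()
    pan = "4111111111111111"    # constructed Luhn-valid test number, not a real account
    domain = "device:phone-7|merchant:shop.example"
    token = vault.tokenize(pan, domain, max_uses=2)

    first = vault.detokenize(token, domain)            # normal payment: vault maps token -> PAN
    try:                                               # stolen token replayed at another merchant
        vault.detokenize(token, "device:phone-7|merchant:other.example")
        replay = "allowed"
    except PermissionError:
        replay = "rejected"
    second = vault.detokenize(token, domain)           # second permitted use
    try:                                               # third use exceeds the limit
        vault.detokenize(token, domain)
        third = "allowed"
    except PermissionError:
        third = "rejected"
    return {"token": token, "first": first, "second": second,
            "replay": replay, "third": third}


if __name__ == "__main__":
    print(demo())
```

demo() walks the flow end to end: the merchant only ever holds the token, a replay from a different merchant domain is rejected without consuming a use, and the token is refused once its two permitted uses are spent. A vault-less scheme would replace the random draw and the dictionary with a format-preserving cipher under a key held by the provider; the domain and usage enforcement in detokenize would be unchanged.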
During the pandemic induced lockdown, people were forced to embrace digital technology for day-to-day activities such as online education, payments, shopping, banking, entertainment and news. In the post-Covid era this trend will continue, since people find it more convenient as well as time and cost friendly, and cyber security will become correspondingly more prominent: as more people transact online, cyber-criminals become more active and the security of private financial data is threatened. Staying safe requires stringent security practices so that private and confidential data does not fall into the hands of hackers or other fraudsters, and digital tokenization plays a major part in this. Its contribution is specific rather than total: by removing real card numbers and documents from devices, merchants and network paths, it ensures that what an attacker can capture there is a scoped, short-lived surrogate rather than reusable data. It does not by itself prevent account takeover, fraud carried out through a legitimately enrolled wallet, or a breach of the token vault, which must be protected as the system's high-value target with strict access control, encryption of the stored mappings and audit logging. Because presenting a token requires no heavy computation on the user's device, tokenized transactions are fast and efficient even on low-power mobile hardware. For these reasons mobile wallet payments, mobile QR code payments, mobile banking, stock trading applications and various government and non-government registration processes have come to rely on digital tokenization, and its use will keep growing in the coming years.
Written by: Prof. Karabi Bandyopadhyay Faculty, IT & Systems, ISB&M, Kolkata