Introduced in mid-noughties to protect cardholders from the growing risk of public data breaches, tokenisation quickly became the industry standard for data security in payments. But unlike other standards, such as EMV, that demand significant investment, tokenisation can help retailers achieve cost savings by reducing PCI DSS scope and reconciling chargebacks and payments without handling payment data. And given that it is also compatible with the vast majority of current retail systems and merchant acquirers, tokenisation is ready to power the next generation of card based transactions.
Tokenisation is a security technology that involves the process of substituting a sensitive data element with a non-sensitive equivalent or ‘token’ that has no extrinsic or exploitable meaning or value. Only tokenisation systems can gather data to create tokens, or decrypt the sensitive data. Tokenisation overall significantly limits the ability of cyber criminals to reverse engineer information to reach sensitive and potentially lucrative personal and financial data.
Tokenisation currently underpins in-store card transactions, but has the potential to serve as the foundation for fast-growing transaction types, driven on by the growing popularity of mobile card based payment services including Android Pay, Apple Pay and Samsung Pay. These ‘Pay’ services improve the customer payment experience by reducing the number of clicks to complete transactions by as much as 75% while enabling more secure transactions.
The Pays are already available in many countries and improved customer experience suggests that mobile based e-commerce is set to proliferate. According to estimates, by 2019 mobile based e-commerce sales will reach over £38 billion and account for nearly 45% of all retail e-commerce sales.[i]
It seems likely that the Pay services and the benefits of tokenisation will extend beyond the mobile channel and will be deployed in the latest wearable devices (Apple Pay is already available on Apple’s smartwatch), a segment that could see strong growth in the future. Further developments will drive consumer device preferences and additional innovation. Expect a decline in card based transactions while tokenisation continues to provide the additional security benefits regardless of device or channel. Tokenisation will even serve a critical role in securing sensitive customer data, after the implementation of the Revised Payment Services Directive or PSD2 in 2018, since it isn’t tied to card data and therefore masks sensitive account and personal information.
With the implementation of PSD2, new payment service providers called Payment Initiation Service Providers (PISPs) will be enabled to make pull payments directly from customer accounts. PISPs will bypass traditional card networks and make payment transactions more cost effective for merchants. PISPs will use tokenised customer information and new fintechs have emerged, such as Token, that promise to deliver tokenised transactions for banks in a PSD2 compliant ecosystem. This industry shift to tokenisation means that any investment in capabilities today, will generate long-term value in return.
In the past few months, Apple Pay and Samsung Pay have announced further international expansion with the next market launches for Apple Pay set for Japan and New Zealand later in the year and expected launches in Canada, Malaysia, Turkey and the UK by year end for Samsung Pay. The result - tokenisation is fast becoming the gold standard in data security and banks risk being frozen out unless they respond to the growing popularity of the Pays among consumers. The longer banks resist investment in tokenisation or consider alternative white label or internal wallets, the higher the probability customers will leave for another bank offering one or more of the Pays.
The UK and European payments landscape is set for increased competition and disruption in the years ahead. Digital disruptors like the Pays as well as newly created PISPs are set to play a larger role in the customer payment experience. While the Pays are at the forefront of the tokenisation movement and are responsible in part for the bank push to offer this platform, PISPs should also consider their tokenisation strategy and how best to leverage this technology in their new operating models.
 PCI DSS is a worldwide standard that aims to reduce card fraud. The standard puts forward rules on storage, transmission and processing of cardholder data that businesses handle.
 Based on Capco research and bank issued mobile wallet transaction click comparison.
Tristan Hugo-Webb is a Consultant at Capco’s London office, with over four years of experience in global payments research and consulting. Tristan served as the International Payments Analyst at Mercator Advisory Group, where he produced research on a broad range of payment topics, including consumer payment preferences, emerging payment technologies and alternative payment service providers.
Jeff Tijssen is the EMEA Head of Fintech and Partnerships at Capco. He chairs the Fintech Working Group and the China Working Group at Tech London Advocates, and leads the International Workstream for the City of London Fintech Advisory Board. Jeff advises a number of technology start-ups, is a mentor at several accelerator programmes such as Virgin Startup and Startup Bootcamp, and an Advisory Board member of CodeFirst:Girls.
The content and opinions posted on this blog and any corresponding comments are the personal opinions of the original authors, not those of Capco or FIS.