What is this Card Tokenisation?

You will have come across the term ‘tokenisation’ on most e-commerce checkout pages. In case you, like me, need some visual anchors to develop an understanding and still don’t know what card tokenisation is, this might help.

In its bid to improve the security of card transactions, RBI issued its tokenisation norms on 8 January 2019 (Ref: RBI/2018-19/103 DPSS.CO.PD No.1463/02.14.003/2018-19). After a series of deadline extensions, the card-on-file tokenisation mandate finally came into effect on 1 October 2022.

So let’s first understand what tokenisation is. In the simplest words, it means replacing your card details with an alternate code, the token, so that the token rather than your card number is what travels from the merchant through the payment gateway to the card network. The point is to stop your actual card details from being stored at the merchant and from travelling over the network between the various entities (merchant, payment gateway, banks, card network) every time you make a payment.

Now, with the basics out of the way, let’s try to understand how tokenisation happens.

The information a merchant transmits through the payment gateway includes the following identifiers: the cardholder’s name, the 16-digit card number (the PAN), the expiry date, the CVV and the merchant/platform. With tokenisation the card number is replaced by a token: a separate, card-number-like value that the card network (acting as the token service provider) generates at random, binds to the merchant that requested it, and maps to your real card in its secure token vault. The token is not derived from the card details by any formula; it is a reference that means nothing outside that vault. It is easy to confuse this with hashing, the one-way process familiar from the world of blockchains and Bitcoin (more on that in later posts), and the two are worth comparing, but they are not the same thing.

As simple as this!

One such hashing algorithm is SHA-256; land on https://emn178.github.io/online-tools/sha256.html and have fun with it. If you spend some time playing around you will notice some of the most important facets of hashing and why the world is so enamoured of it. We will come back to that later in the post; for now, back to tokenisation. Let’s assume you agree to tokenise a Visa card with Amazon.in. Amazon (the token requestor) sends the card details you entered to Visa (the token service provider), which, once your bank has authenticated you, returns a token tied to your card and to Amazon. From then on Amazon stores only the token and the last four digits of the card, the latter so that you can tell your cards apart if you have saved more than one. In short, the merchant no longer holds your card number; the mapping between token and card sits only in the network’s token vault. When you pay, Amazon sends the token, the network looks it up, swaps in the real card number and forwards the transaction to the issuing bank, which approves or declines it as usual. If the same token is presented by some other merchant, the lookup fails and the transaction is rejected. Simple!
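To make the merchant / token service provider / issuing bank division concrete, here is a toy model of the flow just described, written in Python. It is an added example, not code from the original post, and not how Visa or any real token vault is implemented: the token range 490000, the merchant IDs and the 4111111111111111 card number are assumptions for illustration (4111 1111 1111 1111 is a well-known test number, not a real card). The merchant ends up holding only a token and the last four digits, the vault holds the link to the real card, and a token lifted from one merchant is refused when another merchant presents it.

```python
import hmac
import secrets


def luhn_checksum(digits: str) -> int:
    """Luhn mod-10 checksum of a digit string; 0 means self-consistent."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10


def luhn_valid(pan: str) -> bool:
    return pan.isdigit() and len(pan) == 16 and luhn_checksum(pan) == 0


def luhn_check_digit(partial: str) -> str:
    """Digit that makes partial + digit pass the Luhn check."""
    return str((10 - luhn_checksum(partial + "0")) % 10)


class TokenServiceProvider:
    """Toy token vault: the role the card network plays (assumption: simplified)."""

    TOKEN_BIN = "490000"  # assumed token range, kept apart from real card BINs

    def __init__(self) -> None:
        self._vault: dict[str, dict[str, str]] = {}

    def tokenise(self, pan: str, expiry: str, cvv: str, merchant_id: str) -> tuple[str, str]:
        if not luhn_valid(pan) or not (cvv.isdigit() and len(cvv) in (3, 4)):
            raise ValueError("card details rejected")
        # In the real flow the issuer authenticates the cardholder here; the CVV
        # is used for that check only and is never stored anywhere.
        while True:
            body = self.TOKEN_BIN + "".join(str(secrets.randbelow(10)) for _ in range(9))
            token = body + luhn_check_digit(body)   # random, not derived from the PAN
            if token not in self._vault and token != pan:
                break
        self._vault[token] = {"pan": pan, "expiry": expiry, "merchant": merchant_id}
        return token, pan[-4:]

    def detokenise(self, token: str, merchant_id: str) -> tuple[str, str]:
        rec = self._vault.get(token)
        if rec is None:
            raise LookupError("unknown token")
        # Domain restriction: a token only works for the merchant it was issued to.
        if not hmac.compare_digest(rec["merchant"], merchant_id):
            raise PermissionError("token is bound to a different merchant")
        return rec["pan"], rec["expiry"]


class Merchant:
    """Token requestor: after tokenising it keeps the token and last four digits only."""

    def __init__(self, merchant_id: str, tsp: TokenServiceProvider) -> None:
        self.merchant_id = merchant_id
        self.tsp = tsp
        self.cards_on_file: list[dict[str, str]] = []

    def save_card(self, pan: str, expiry: str, cvv: str) -> dict[str, str]:
        token, last4 = self.tsp.tokenise(pan, expiry, cvv, self.merchant_id)
        record = {"token": token, "last4": last4}   # no PAN, no expiry, no CVV
        self.cards_on_file.append(record)
        return record

    def charge(self, card_index: int) -> tuple[str, str]:
        """Send the token to the network; the network swaps in the real PAN for the issuer."""
        token = self.cards_on_file[card_index]["token"]
        return self.tsp.detokenise(token, self.merchant_id)


def demo() -> dict:
    """Tokenise the test card at one merchant and show a leaked token is useless elsewhere."""
    visa = TokenServiceProvider()
    amazon = Merchant("amazon.in", visa)
    other = Merchant("other-shop.example", visa)      # assumed second merchant
    record = amazon.save_card("4111111111111111", "12/27", "123")
    pan_seen_by_issuer, _ = amazon.charge(0)
    try:
        visa.detokenise(record["token"], other.merchant_id)   # token stolen from Amazon
        replay_blocked = False
    except PermissionError:
        replay_blocked = True
    return {"record": record, "pan_seen_by_issuer": pan_seen_by_issuer, "replay_blocked": replay_blocked}


if __name__ == "__main__":
    print(demo())
```

Two design points carry over to the real thing: the token is drawn from a reserved range and passes the Luhn check so that it can travel through systems built for card numbers, and the vault, not the merchant, is the only place where token and card number sit side by side.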

Now coming back to hashing, the features that make a hash so useful, and how a token differs on each:

  • You can generate the hash from the card details but you can’t get the card details back from the hash; isn’t that fantastic!! A token goes one step further: it is not computed from the card details at all, so there is nothing to reverse.
  • A very small change in the input makes a large, unpredictable change in the hash, which makes it very easy to detect tampering during transmission.
  • Irrespective of the input, a SHA-256 output is always 256 bits long, equivalent to 32 bytes, or 64 characters when written as a hexadecimal string. A token, by contrast, keeps the format of a card number so that existing payment systems can carry it unchanged.

On the first feature, you might ask: well, what if someone cracks it? Hashing is not encryption, so there is no key and nothing to decrypt; it is a one-way process (a cryptographic hash is ‘preimage resistant’, if you want to get technical; it is also not injective, so several inputs could in principle share a hash, but finding even one of them is the hard part). Still, let’s say you love probability so much that you need a number. The honest way to count is over what an attacker has to guess. Guessing blindly across the whole SHA-256 output space, which is 64 hexadecimal characters, at a million tries every second, would take:

16 characters in the set (hexadecimal digits)
64 characters of output
1,000,000 attempts/second
31,536,000 seconds/year

((16^64)/1,000,000)/31,536,000 = 2^256/31,536,000,000,000 ≈ 3.7 × 10^63 years.

That is the number people quote, and it is why the world is so enamoured of hashing. It is also the wrong number for a card. A card number is not a random 256-bit value: it has 16 digits, the first six (the BIN) identify the bank and are public, and the last digit is a Luhn check digit fixed by the others, so there are only about 10^9 candidates. At the same million tries per second that is about 17 minutes, and if the ‘last four digits’ shown to you on the checkout page are stored next to the hash, it drops to 10^5 guesses, well under a second. This is exactly why tokenisation does not simply hash your card number: the token is generated at random by the token service provider and the link back to your card exists only in its vault, so there is nothing to compute and nothing to brute-force.
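To put numbers to both sides of this, here is an added Python example (not code from the original post). It shows the three hashing properties listed above on SHA-256, recomputes the brute-force estimate for the full 256-bit output space, and then shows the catch for card numbers: if a merchant stored SHA-256(card number) next to the last four digits, the card number can be recovered by trying the middle digits. The 4111111111111111 test number and the assumed known BIN 411111 are illustration only; the attack loop is deliberately naive and does not even use the Luhn shortcut.

```python
import hashlib
from typing import Optional

SECONDS_PER_YEAR = 31_536_000


def sha256_hex(data: str) -> str:
    return hashlib.sha256(data.encode("utf-8")).hexdigest()


def hamming_bits(hex_a: str, hex_b: str) -> int:
    """Number of differing bits between two hex-encoded digests (avalanche effect)."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def brute_force_seconds(candidates: int, attempts_per_second: int) -> float:
    """Worst-case time to try every candidate at a fixed guessing rate."""
    return candidates / attempts_per_second


def crack_hashed_pan(target_hash: str, known_bin: str, known_last4: str) -> Optional[str]:
    """Recover a 16-digit PAN from SHA-256(PAN) when the BIN and last four digits are known.

    Only the middle digits are unknown (six here), so at most 10**6 hashes are needed.
    A real attacker would also skip candidates that fail the Luhn check.
    """
    unknown = 16 - len(known_bin) - len(known_last4)
    for n in range(10 ** unknown):
        candidate = f"{known_bin}{n:0{unknown}d}{known_last4}"
        if sha256_hex(candidate) == target_hash:
            return candidate
    return None


def demo() -> dict:
    pan = "4111111111111111"                       # constructed: test number, not a real card
    digest = sha256_hex(pan)
    neighbour = sha256_hex("4111111111111112")     # one digit changed
    return {
        "digest_length_hex": len(digest),                                    # 64 hex chars = 32 bytes
        "bits_changed_by_one_digit": hamming_bits(digest, neighbour),        # about 128 of 256
        "years_for_full_output_space": brute_force_seconds(2 ** 256, 10 ** 6) / SECONDS_PER_YEAR,
        "seconds_for_pan_with_known_bin": brute_force_seconds(10 ** 9, 10 ** 6),  # 9 free digits
        "cracked": crack_hashed_pan(digest, "411111", "1111"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two brute-force figures differ by about sixty orders of magnitude, and the difference comes entirely from the size of the input space, not from any weakness in SHA-256. That is the point of the post’s closing section: a hash of a low-entropy value is only as hard to reverse as the value is to guess, whereas a random token has no input to guess.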

So let’s just agree that a properly designed token, one that is random rather than derived from your card number, is pretty secure. Hope this answers some of your questions; feel free to ask if you have more and we will try to find the answers together.
