We recently talked about how PCI (with the help and influence from different monetary authorities) govern the security standards related to the processing, transmission, and/or storage of credit card data. Next, we want to dive a bit further on the security implications of tokenization for online payments specifically.
As you can imagine, the process of transmitting payments data in a completely digital environment without physical interaction presents both opportunities and challenges when it comes to privacy and security. We’ll try to provide some high-level context on a few trendy, buzz-wordy topics below. We’ll most likely do a deep dive on specific topics in the future so if there are any specific areas you’d like to learn more about, please email us any time!
We, and most other ecommerce stores, use a process called tokenization to capture your credit card information and ensure it is processed in a secure and compliant manner. Tokenization adds an extra level of security and ensures that no sensitive credit card details ever touch our servers. On our side, your card details are never fully revealed and we only see basic information like the last 4 digits of your credit card, expiration date and card brand. Your primary account number (PAN) is automatically replaced with a series of randomly-generated numbers called the token. These random tokens (unique to each card) are used for processing the actual payment as the actual card number is held safely in a secure token vault.
With tokenization, your credit card information is safe even in the presence of a security breach (knock on wood!). If you are shopping on HKTV Mall or Lazada, your personal credit card information is safe even if their internal system is hacked. As with Reap, the retailer may never actually see or store the entire raw credit credit card number so if the system is attacked by a hacker, (which may happen even for larger companies like in the Home Depot breach, for example), all the culprit would see are randomly-generated tokens. In case you were wondering, tokens are also unique on a merchant by merchant perspective -- this means that even if one merchant has a security, you would need to disable your card on Reap as you’ll have a different token in all of the different places you’ve made a payment to.
If you’re a subscriber to common consumer apps like Netflix or Spotify, you should be familiar with subscription payments. Similar to one-off purchases, online platforms can also reference the same token for future recurring transactions as well. One a customer’s card details are tokenized, they’ll be referenced and the card would be charged automatically in the next billing cycle.
To reduce the risk of your credit card details being compromised during the transmission process, Reap’s payment pages are secured using Transport Layer Security (TLS). Next time when you log into your favourite website, check the website URL for “HTTPS” instead of just “HTTP”. This is how you know that the website is securely transmitting data from the app/browser to their server.
Tokenization is typically used for online ecommerce transactions (including those on Reap!) and replaces sensitive credit card details with a randomly generated token. Encryption is applicable for in-person physical retail (ie. coffee shop, Apple store) transactions and as the name suggests encrypts credit card details when it is swiped through the POS terminal.
Both methods are typically used by merchants to reduce the scope of PCI compliance.
Tokenization can be a pretty complicated topic, but given the widespread adoption of this security measure in the payment industry, it raises the baseline security measurements related to the processing of payments.
有了支付憑證代碼後，即使出現保安漏洞（上天保佑！），你的信用卡資料亦絕對是安全的。如果你在HKTV Mall或Lazada購物，即使它們的內部系統遭黑客入侵，你的信用卡資料也是安全的。與Reap一樣，零售商永遠不會看到或儲存到你信用卡的完整卡號，因此如果系統受到黑客的攻擊（即使大公司如Home Depot亦會有機會遇到這種情況），黑客亦只會看到隨機產生的代碼。如果你仍心存疑問，我們可以告訴你即使使用同一張信用卡，每個商戶亦會收到獨一無二的代碼 - 這意味著即使某一個商戶有保安漏洞，你也無需要在Reap上取消你的信用卡資料，因為你在不同地方付款，不同的商店都會收到不一樣的代碼，以策安全。