
We recently talked about how PCI (with the help and influence of different monetary authorities) governs the security standards related to the processing, transmission, and/or storage of credit card data. Next, we want to dive a bit further into the security implications of tokenization for online payments specifically.

Payments security 101: Explaining payment tokenization

As you can imagine, the process of transmitting payments data in a completely digital environment without physical interaction presents both opportunities and challenges when it comes to privacy and security. We’ll try to provide some high-level context on a few trendy, buzz-wordy topics below. We’ll most likely do a deep dive on specific topics in the future so if there are any specific areas you’d like to learn more about, please email us any time!

What is credit card tokenization?

We, and most other ecommerce stores, use a process called tokenization to capture your credit card information and ensure it is processed in a secure and compliant manner. Tokenization adds an extra level of security and ensures that no sensitive credit card details ever touch our servers. On our side, your card details are never fully revealed and we only see basic information like the last 4 digits of your credit card, expiration date and card brand. Your primary account number (PAN) is automatically replaced with a series of randomly-generated numbers called the token. These random tokens (unique to each card) are used for processing the actual payment as the actual card number is held safely in a secure token vault.

With tokenization, your credit card information is safe even in the presence of a security breach (knock on wood!). If you are shopping on HKTV Mall or Lazada, your personal credit card information is safe even if their internal system is hacked. As with Reap, the retailer may never actually see or store the entire raw credit card number, so if the system is attacked by a hacker (which may happen even to larger companies, as in the Home Depot breach, for example), all the culprit would see are randomly-generated tokens. In case you were wondering, tokens are also unique on a merchant-by-merchant basis -- this means that even if one merchant has a security breach, you would not need to disable your card on Reap, as you’ll have a different token in each of the different places you’ve made a payment to.

A few commonly asked questions around tokenization

How does it work for recurring payments?

If you’re a subscriber to common consumer apps like Netflix or Spotify, you should be familiar with subscription payments. As with one-off purchases, online platforms can reference the same token for future recurring transactions. Once a customer’s card details are tokenized, the token is referenced and the card is charged automatically in the next billing cycle.
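The vault behaviour described above (a random token per card and merchant, the merchant holding only the last 4 digits, expiry and brand, and the same token reused for a recurring charge), as an added example that is not Reap's or any payment provider's code. The `TokenVault` class, the merchant ids and the rule that a token only works for the merchant it was issued to are assumptions made for illustration.

```python
import secrets


class TokenVault:
    """Toy in-memory vault (hypothetical; a real vault is a hardened, PCI-scoped service)."""

    def __init__(self):
        self._by_token = {}  # token -> (merchant_id, pan)
        self._by_card = {}   # (merchant_id, pan) -> token

    def tokenize(self, merchant_id, pan, expiry, brand):
        """Return the only record the merchant stores: token plus display data."""
        key = (merchant_id, pan)
        token = self._by_card.get(key)
        if token is None:
            # Random value: nothing about the PAN can be derived from the token.
            token = "tok_" + secrets.token_hex(16)
            self._by_card[key] = token
            self._by_token[token] = key
        return {"token": token, "last4": pan[-4:], "expiry": expiry, "brand": brand}

    def charge(self, merchant_id, token, amount_cents):
        """Resolve the token inside the vault; the PAN is never handed back."""
        entry = self._by_token.get(token)
        if entry is None or entry[0] != merchant_id:
            return {"ok": False, "reason": "unknown token for this merchant"}
        _pan = entry[1]  # the processor would submit this to the card network
        return {"ok": True, "amount_cents": amount_cents}


def demo():
    vault = TokenVault()
    pan = "4111111111111111"  # constructed test number, not a real card
    shop_a = vault.tokenize("merchant_a", pan, "12/30", "visa")
    shop_b = vault.tokenize("merchant_b", pan, "12/30", "visa")
    first = vault.charge("merchant_a", shop_a["token"], 9900)
    renewal = vault.charge("merchant_a", shop_a["token"], 9900)  # next billing cycle
    # A token copied out of merchant_a's database is useless at merchant_b.
    replayed = vault.charge("merchant_b", shop_a["token"], 9900)
    return shop_a, shop_b, first, renewal, replayed


if __name__ == "__main__":
    for result in demo():
        print(result)
```
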

How do you ensure that data is passed securely?

To reduce the risk of your credit card details being compromised during transmission, Reap’s payment pages are secured using Transport Layer Security (TLS). Next time you log into your favourite website, check the website URL for “HTTPS” instead of just “HTTP”. This is how you know that the website is securely transmitting data from the app/browser to their server.

What’s the difference between tokenization and encryption?

Tokenization is typically used for online ecommerce transactions (including those on Reap!) and replaces sensitive credit card details with a randomly generated token. Encryption is applicable for in-person physical retail (i.e. coffee shop, Apple store) transactions and, as the name suggests, encrypts credit card details when the card is swiped through the POS terminal.

Both methods are typically used by merchants to reduce the scope of PCI compliance.
Tokenization can be a pretty complicated topic, but given the widespread adoption of this security measure in the payment industry, it raises the baseline security measures related to the processing of payments.

