
We talk a lot about how digitalisation is simplifying everything, yet it feels like the opposite is happening. Yes, I no longer need to go to a bank branch to deposit a cheque – does anyone remember those days? – but I do have to go through an awful lot of clicks and checks before I can move money or do anything online. It seems to me that the more we digitalise, the more complex we are making the access and system processes.
By way of example, I am refuelling my children’s lunch wallet. Every day, they get fed by an external provider who emails me regularly when funds are low. I log on to their website, click on their account, request to add funds, agree the account to add funds from, at which point the website then asks me to go to my bank account.
I open the app, enter the login code, see the request for funds and – after FaceID and swiping left – the transaction is confirmed. Returning to the lunch account, I now see the purchase is confirmed and it eventually returns me to the home screen to move on with life.
The thing is that that whole transaction took almost ten clicks and swipes … why so complicated? Well, a lot of it is to do with the archaic security structures we’ve built.
Over the past quarter century, we moved from basic security – username and password – to secure keys to multilayered access to accounts to something that is no longer a great user experience or customer journey.
What’s the problem?
The problem is all about proving who I am and who you are.
Now, most of us have no problem with this. I want to know that I am making a payment to someone I trust; equally, the bank wants to ensure that their customers are making a payment to a trusted company. That’s a good start. Unfortunately, the ending is convoluted processes of proof and authentication that are just frustrating and awful.
What we should be doing in all financial security is exchanging identity tokens. Tokens that immediately authenticate and provide trust. We shouldn’t have usernames, passwords, keys, OTPs, text messages and more. We should just have one simple sign-on where my token is automatically recognised by your token and automatically authenticated by the bank’s token. One simple transaction system where I do nothing. No clicking or swiping or opening apps or logging in. It just happens.
We seem so far away from this that it is just imaginary but just imagine if we can get to a world where authentication, verification, identification and all the security that goes around that could be managed by tokens in the cloud.
There is work taking place on this – just look at the discussions with Visa and MasterCard around tokenisation – but it is still a long way off. Bring it on.
Postscript: so what are Visa and MasterCard doing around tokenisation? Here’s a quick summary:
Visa
What Visa is doing
- Visa’s offering called the Visa Token Service (VTS) replaces actual card numbers (PANs) with a token — a unique substitute identifier — when cards are used in digital wallets, online, in-app or via contactless.
- Via this tokenisation service Visa enables banks, merchants and wallets to enable secure digital payments, reducing fraud risk and improving approval/transfer rates.
- Visa states that using tokenised transactions gives better authorisation rates (fewer declines) and lowers fraud. For example: “When Visa card holders use a tokenised transaction, there is about a five-percentage-point increase in the likelihood the card payment will be completed … and about 40% lower fraud rate.”
- Visa has provided a token management platform that works across devices, payment methods and is network-agnostic (for simplified merchant integration).
Key goals / strategic thrusts
- One major goal is to embed tokenisation broadly into card-on-file, digital wallets, mobile contactless, online checkout etc. For example, the VTS “is the foundational platform for global tokenization” says Visa.
- They emphasise that tokenisation not only helps security but also supports new business models and improved consumer experience (for example fewer interruptions at checkout).
Some metrics / results
- Visa said it issued its 10 billionth payment token globally — and claimed significant fraud savings (about US$650 million in one year) and incremental eCommerce revenue (> US$40 billion) tied to tokenised payments.
- Visa operates tokens in 198 countries and across thousands of issuers and merchants.
Mastercard
What Mastercard is doing
- Mastercard offers tokenisation via its Mastercard Digital Enablement Service (MDES) and other tokenisation services, turning the card number into a token, and works with issuers/merchants to use this for online, mobile, wallet and card-on-file payments.
- Mastercard is pushing “network tokenization” (i.e., tokenisation at the card network level) so that tokens can span merchants, wallets, devices, and maintain dynamic updating of credentials.
- Mastercard has publicly set a goal: 100% tokenisation of online (eCommerce) transactions by 2030 (i.e., eliminate manual card-entry for online payments, shift toward one-click, tokenised checkout).
Key goals / strategic thrusts
- Seamless checkout: Mastercard wants online payments to be as frictionless as in-store tap payments — thus moving away from manual card entry, static passwords/OTPs, etc.
- Security + business benefits: reducing fraud, increasing authorisation rates, simplifying compliance & card-on-file storage burden for merchants.
- Driving adoption across geographies: For example, in Europe Mastercard noted tokenised transactions have grown rapidly and they’re expanding their ambition globally.
Some metrics / results
- Mastercard says more than 30% of its global transactions are tokenised.
- In Europe, tokenised online transactions are now nearly 50% (or close) according to recent reporting.
Key similarities & differences
- Similarities: Both Visa and Mastercard view tokenisation as a foundational security/enabling technology for digital payments (mobile, online, wallets, card-on-file). Both emphasize fraud reduction, improved checkout convenience, and broad ecosystem adoption (issuers, merchants, wallets).
- Differences / nuances:
  - Mastercard has set an explicit target (2030) for full tokenisation of online transactions and is pushing toward “one-click” checkout.
  - Visa emphasises the service platform (VTS) and global scale; the business messaging focuses somewhat more on enabling innovation and merchant benefits from tokenisation (e.g., better visibility, working capital).
  - The way tokenisation is branded/packaged is slightly different (network tokens, token management service, etc).
  - Mastercard gives more emphasis (in their public communications) on phasing out card numbers and static credentials for digital channels.
Why this matters
- Security: Replacing a card’s PAN (Primary Account Number) or stored card credential with a token means if the merchant or wallet is breached, the attacker gets a token which is much less useful (often constrained to that merchant/device/context). This lowers fraud risk.
- Better authorisation/acceptance: Both companies indicate that tokenised transactions get higher authorisation rates (fewer declines) because tokens are better managed (wallet/device/merchant context, up-to-date credentials).
- Operational & compliance benefits: For merchants & issuers, storing less sensitive card data reduces compliance burden (PCI-DSS scope), and using network tokens means fewer card-on-file management issues (credential updates, expired cards etc).
- Checkout/consumer experience: By using tokens, processes like “Click to Pay”, in-app wallets, mobile and contactless payments become easier and more seamless, thereby potentially increasing conversions and reducing friction.
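The breach-containment and credential-update points above, as a simplified model added here for illustration: a stolen token is useless outside its merchant context, and a reissued card does not change what the merchant stores. This is not Visa's or Mastercard's code or API; the TokenVault class, merchant names and card numbers are constructed assumptions.

```python
import secrets


class TokenVault:
    """Toy stand-in for a network token vault (hypothetical, not a real API)."""

    def __init__(self):
        self._records = {}  # token -> {"pan": str, "merchant": str}

    def tokenise(self, pan, merchant_id):
        # Random surrogate with no mathematical link to the PAN.
        token = pan
        while token == pan or token in self._records:
            token = "".join(secrets.choice("0123456789") for _ in range(16))
        self._records[token] = {"pan": pan, "merchant": merchant_id}
        return token

    def resolve(self, token, merchant_id):
        # Only the vault can map a token back, and only in its bound context.
        rec = self._records.get(token)
        if rec is None or rec["merchant"] != merchant_id:
            return None
        return rec["pan"]

    def reissue(self, old_pan, new_pan):
        # Card replaced: tokens held by merchants stay valid and unchanged.
        for rec in self._records.values():
            if rec["pan"] == old_pan:
                rec["pan"] = new_pan


def demo():
    vault = TokenVault()
    pan, new_pan = "4111111111111111", "4111111111111129"  # constructed test values
    token = vault.tokenise(pan, "lunch-provider")
    merchant_db = {"parent-42": token}   # all the merchant ever stores
    stolen = merchant_db["parent-42"]    # what a breach of that merchant exposes
    out = {
        "stolen_is_pan": stolen == pan,
        "replay_at_other_merchant": vault.resolve(stolen, "other-shop"),
        "legitimate_use": vault.resolve(token, "lunch-provider"),
    }
    vault.reissue(pan, new_pan)
    out["after_reissue"] = vault.resolve(token, "lunch-provider")
    return out


if __name__ == "__main__":
    print(demo())
```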
What to watch / key questions
- Adoption pace: While both networks have made strong progress, full ecosystem adoption (issuers, merchants, wallets) takes time. The 2030 target of Mastercard is ambitious.
- Merchant integration / support: For merchants (especially smaller ones) the technical/integration cost of tokenisation, updating systems, supporting network tokens can be non-trivial.
- Interoperability and standards: Tokenisation only makes sense if tokens work across devices/merchants/wallets/issuers, and are updated when cards expire/are replaced. Networks are pushing “network tokens” to solve this.
- User experience vs security trade-offs: While tokenisation enhances security, there may be user friction if wallets/devices don’t support tokens, or if merchants don’t support the token flows. Also the shift to “one-click” must ensure authentication remains robust.
- Regulatory / competitive implications: As tokenisation becomes more important, the role of networks (Visa/Mastercard) in managing tokens becomes strategic — this might attract regulatory attention (though I didn’t deep-dive into that for this summary).
- New uses/customers: Tokenisation isn’t only about card numbers in wallets—it’s expanding into “account-based tokens”, direct debits, account-to-account payments.
Chris M Skinner
Chris Skinner is best known as an independent commentator on the financial markets through his blog, TheFinanser.com, as author of the bestselling book Digital Bank, and Chair of the European networking forum the Financial Services Club. He has been voted one of the most influential people in banking by The Financial Brand (as well as one of the best blogs), a FinTech Titan (Next Bank), one of the Fintech Leaders you need to follow (City AM, Deluxe and Jax Finance), as well as one of the Top 40 most influential people in financial technology by the Wall Street Journal's Financial News.

