Security Market Segment LS
Wednesday, 17 October 2018 11:33

Visa to use credential-on-file tokenisation to improve security

Visa to use credential-on-file tokenisation to improve security Pixabay

Digital payment company Visa has said it will introduce credential-on-file tokenisation following an agreement with payments providers, in order to improve ecommerce security.

In a statement, Visa said payments leaders CyberSource, Adyen, Rambus, G+D Mobile Security, SecureCo, Ezidebit, eWAY and Bambora had agreed to roll out the technology needed to use COF which makes storing card details, like account numbers and expiry dates, each time a purchase is made, unnecessary.

The statement said COF tokenisation would replace card details with unique digital identifiers ("tokens") that were used for payment without exposing a cardholder’s sensitive information.

Each token is merchant-specific and therefore can only be used with the merchant where it is stored.

For the technology to work, payments gateways and facilitators would need to connect to the Visa Token Service, enabling merchants to subsequently tokenise stored details.

“The collective commitment to drive tokenisation across the industry represents a win for Australian merchants, consumers, financial institutions and payments companies alike," said Matt Wood, Visa’s Head of Digital Product and Partnerships for Australia, New Zealand and South Pacific.

"This technology enhances the customer experience, enables greater conversion and loyalty for merchants, and protects against fraud.”

The Visa statement said COF tokenisation enabled vending outlets to update consumer payment details instantly when a card was lost, stolen or expired.

It cited a survey by YouGov that showed about a third (30%) of Australians took more than a fortnight to update their details when they lost a card or when it expired. Twelve percent took more than a month to do this.

Commenting on the Visa move, security firm Secureworks senior researcher Alex Tilley said the decision to limit the personal and card information that could be stored by companies was a welcome step.

"The drastic increase in fraudulent charges across Australia over the past two years indicate the current setup of PCI-DSS has potentially not been as successful as hoped in making sure companies were encrypting consumers' data while it was in transit and at rest," he said.

While there is no way to completely end credit card and identity theft - and hackers will no doubt search for new ways to get around these tokens - it’s a good sign of intent that Visa is serious about protecting users sensitive data.

“Online technology used for card not present transactions, coupled with the already successful emv (chip and pin) implementation for card-present transactions mean that credit card security is moving in the right direction.

"The concern is, if merchants or consumers do not use all security features available they can find themselves or their customers are still at risk of credit card fraud.”


Recently iTWire remodelled and relaunched how we approach "Sponsored Content" and this is now referred to as "Promotional News and Content”.

This repositioning of our promotional stories has come about due to customer focus groups and their feedback from PR firms, bloggers and advertising firms.

Your Promotional story will be prominently displayed on the Home Page.

We will also provide you with a second post that will be displayed on every page on the right hand side for at least 6 weeks and also it will appear for 4 weeks in the newsletter every day that goes to 75,000 readers twice daily.



Some of the most important records are paper-based documents that are slow to issue, easy to fake and expensive to verify.

Digital licenses and certificates, identity documents and private citizen immunity passports can help you deliver security and mobility for citizens’ information.

Join our webinar: Thursday 4th June 12 midday East Australian time


Sam Varghese

website statistics

Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.



Recent Comments