Hacker News new | ask | show | jobs
by AmericanChopper 1648 days ago
To use card tokens for any kind of payment, you need to integrate with some kind of card data vault, which this rule seems to also prohibit. It seems to be instructing the card brands to issue unique tokens for ever cardholder + merchant pair. No idea how that would work…
1 comments
Dylan16807 1648 days ago
> To use card tokens for any kind of payment, you need to integrate with some kind of card data vault, which this rule seems to also prohibit.

Why would you need that?

The rule says nobody can store "actual card data".

If you're using the token for a new payment, you don't retrieve the card number, you use the token directly.

> It seems to be instructing the card brands to issue unique tokens for ever cardholder + merchant pair. No idea how that would work…

Pick a random number and store it in a database with those two other fields...?

link
AmericanChopper 1648 days ago
That number needs to be mapped to the PAN, and somebody has to have stored that PAN somewhere in order for it to be used to process payment. This rule says nobody other than the issuer and the card brands are allowed to store the PAN.
link
Dylan16807 1648 days ago
Sure, that's why you get the token from the issuer or card brand. That way there's only one entity that stores the PAN, and no third parties are storing it.

To quote the article linked above, "The central bank said the facility of tokenisation shall be offered by TSPs only for the cards issued by/affiliated to them."

link