infoTECH Feature

October 13, 2014

Will Tokenization Transform Payment Security?

Apple recently launched its Apple Pay mobile wallet offering, and tucked away inside it is a security feature widely regarded as one of the most fraud-resistant payment mechanisms available: tokenization. Consumers need to feel a strong sense of trust these days, in the wake of nonstop data breaches that have exposed millions of sensitive records. Apple’s use of tokenization positions the company as a trustworthy provider of mobile payment services.

In our world of “as-a-Service” delivery, the payments security industry has launched various “tokenization-as-a-service” offerings. If they prove successful, the implications for retailers are significant, including greater security, reduced compliance burden and reduced risk. But first, how does tokenization work for payment security? It replaces the Primary Account Number (the PAN) with a non-sensitive substitute of the same size and format, typically known as a token or alternative PAN. Depending on the use case, the merchant either requests a token for the PAN from a tokenization provider (who may be a card issuer, bank acquirer or another trusted third party) or receives a token rather than a PAN in the original payment transaction. The mapping from token back to PAN is held only by the token provider. The consequence is that the merchant never has to store real PAN data and, importantly, does not need to change the way payments are accepted or authorized, because the token fits the same fields and passes the same checks as a PAN.
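To make the token request and lookup concrete, the following Python is an added example written for this page; it is not Apple's, EMVCo's or any vendor's implementation. It assumes a hypothetical BIN range, 990000, reserved for tokens so that a token can never collide with a real PAN; it keeps the PAN's length and last four digits so receipts and existing validation keep working; and it binds each token to the requester and channel that asked for it, which anticipates the channel isolation described later for HCE wallets. The PAN 4111111111111111 used in the demo is a well-known constructed test number, not a real account.

```python
"""Minimal format-preserving token vault (added illustration, not a vendor implementation)."""
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Assumption: the token provider owns a BIN range reserved for tokens, so a token
# can never be confused with, or collide with, a real issuer's PAN. 990000 is hypothetical.
TOKEN_BIN = "990000"


def luhn_valid(number: str) -> bool:
    """Standard Luhn check, used both to validate incoming PANs and to make tokens
    pass the same sanity check that POS and e-commerce systems already apply."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def make_token(pan: str) -> str:
    """Build a token of the same length as the PAN, keeping the last four digits
    (so receipts and customer service still work) and passing Luhn."""
    middle_len = len(pan) - len(TOKEN_BIN) - 4
    while True:  # roughly one random candidate in ten passes Luhn
        middle = "".join(str(secrets.randbelow(10)) for _ in range(middle_len))
        candidate = TOKEN_BIN + middle + pan[-4:]
        if luhn_valid(candidate):
            return candidate


class TokenVault:
    """Token provider side. The token-to-PAN mapping lives only here; the merchant never sees it."""

    def __init__(self) -> None:
        self._by_token: Dict[str, Tuple[str, str, str]] = {}
        self._by_request: Dict[Tuple[str, str, str], str] = {}

    def tokenize(self, pan: str, requester_id: str, channel: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a well-formed PAN")
        if pan.startswith(TOKEN_BIN):
            raise ValueError("refusing to tokenize a value from the token BIN range")
        request = (pan, requester_id, channel)
        if request in self._by_request:  # stable token for card-on-file reuse
            return self._by_request[request]
        token = make_token(pan)
        while token in self._by_token:  # collision guard
            token = make_token(pan)
        self._by_token[token] = request
        self._by_request[request] = token
        return token

    def detokenize(self, token: str, requester_id: str, channel: str) -> Optional[str]:
        """Return the PAN only to the requester and channel the token was issued for."""
        record = self._by_token.get(token)
        if record is None or record[1] != requester_id or record[2] != channel:
            return None
        return record[0]


@dataclass(frozen=True)
class CardOnFile:
    """What the merchant stores: a token and the last four digits, never the PAN."""
    customer_id: str
    token: str
    last4: str


def save_card_on_file(vault: TokenVault, merchant_id: str, customer_id: str, pan: str) -> CardOnFile:
    """Merchant-side helper (hypothetical): ask the provider for a token and keep only that."""
    token = vault.tokenize(pan, merchant_id, "card_on_file")
    return CardOnFile(customer_id, token, pan[-4:])


if __name__ == "__main__":
    vault = TokenVault()
    record = save_card_on_file(vault, "merchant-42", "cust-7", "4111111111111111")  # constructed test PAN
    print(record)
    print(vault.detokenize(record.token, "merchant-42", "card_on_file"))  # the PAN, on the merchant's own path
    print(vault.detokenize(record.token, "merchant-42", "mobile_hce"))    # None: wrong channel
```

The `CardOnFile` record is the whole of what a breached merchant database would yield: a token that only the provider can map back, and that the provider will map back only for the requester and channel it was issued to.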

A stolen token is useless on its own: it carries no cardholder data, and recovering the PAN requires access to the token provider’s vault and the keys that protect it, a single tightly controlled system rather than every merchant database that holds a card on file. This is a significant benefit for retailers, for whom PCI DSS compliance is a major headache; tokenization helps to shrink their compliance scope (systems that hold only tokens no longer handle cardholder data) and greatly reduces their security burden. Significant industry standards bodies including the PCI Security Standards Council and EMVCo are developing guidelines and security frameworks covering multiple use cases for tokenization, which should prove a significant benefit to merchants in the long term.

Defeating Three Types of Fraud

There are three main areas of fraud vulnerability: card present, card not present (CNP) and mobile channels. Tokenization technology can protect merchants in all three areas. First, tokenization is able to protect card present transactions, where a user pays for an item or service with a card at a merchant’s physical point-of-sale (POS) terminal. In this scenario, the focus is to ensure that the PAN stored by the merchant (primarily to handle chargebacks) is tokenized. In most cases the tokenization process will be carried out on behalf of the merchant by their processor or acquirer. Massive data breaches of the type we have seen recently at major merchants would no longer yield data useful to attackers: the stolen tokens could not be used to create counterfeit cards or to conduct online payment transactions, because each of those requires the real PAN, not its tokenized value.

If the real PANs are stored as part of the customer records, even if encrypted, there is still a vulnerability in the case of theft, especially where insider fraud is involved, since an insider may have access to the decryption keys as well as the data. Therefore, the second area where tokenization can assist merchants is when accepting card not present (CNP) transactions, mainly where they deploy “card on file” solutions. Replacing PANs with tokens automatically reduces the scope of PCI DSS compliance for the merchant. This type of solution is likely to become commonplace in the future when the final EMVCo specifications are available and a formal certification process for tokenization is established. It works using a concept of token providers (typically the acquirer, processor or card issuer) and token requesters (the merchant). The new standard will allow for interoperability in authenticating payment tokens from different vendors, card issuers and payment processors, and create a standardized and secure environment across all payment channels including CNP solutions, mobile wallet solutions, HCE solutions, card on file merchants and general physical card transactions.

Tokenization also protects mobile contactless payments that use host card emulation (HCE) at the physical POS. With HCE solutions, the mobile phone stores and uses a tokenized PAN rather than the real PAN, which stays in the issuer’s cloud or data center. In conjunction with limited-use or single-use keys stored inside the phone, this isolates the mobile channel from the other payment channels: data stolen from the phone cannot be used to perform fraudulent transactions at POS or in e-commerce, because the token is bound to the mobile channel and each key is good for only a bounded number of transactions.
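The limited-use key mechanism can be shown end to end. The following Python is an added example written for this page; it is not Apple's, EMVCo's or any issuer's protocol, and it uses an HMAC over the transaction data as a stand-in for the EMV cryptogram a real scheme computes. The wallet holds a token (a constructed value) and a key the issuer has provisioned with a usage limit; each tap increments a transaction counter and signs the counter and amount. The issuer approves only if the cryptogram verifies, the counter has not been seen before, and the key still has uses left, so a captured tap cannot be replayed, a stolen token without the key cannot be used at all, and a stolen key yields at most its remaining uses.

```python
"""Limited-use keys for an HCE wallet (added illustration; the cryptogram is an
HMAC stand-in, not the EMV cryptogram an actual payment scheme computes)."""
import hashlib
import hmac
import secrets
from typing import Dict, List, Tuple

# A wallet "tap" message: (token, key_id, atc, amount_in_cents, cryptogram)
TapMessage = Tuple[str, str, int, int, bytes]


def make_cryptogram(key: bytes, token: str, atc: int, amount: int) -> bytes:
    """Bind the transaction counter (atc) and amount to the key so a captured
    message can be neither replayed nor altered."""
    return hmac.new(key, f"{token}|{atc}|{amount}".encode(), hashlib.sha256).digest()


class IssuerTokenService:
    """Issuer side: provisions limited-use keys and decides each authorization."""

    def __init__(self) -> None:
        self._keys: Dict[Tuple[str, str], dict] = {}

    def provision_luk(self, token: str, max_uses: int) -> Tuple[str, bytes]:
        """Issue a fresh limited-use key for a token; the wallet fetches a new one when it runs out."""
        key_id, key = secrets.token_hex(4), secrets.token_bytes(16)
        self._keys[(token, key_id)] = {"key": key, "uses_left": max_uses, "seen_atc": set()}
        return key_id, key

    def authorize(self, token: str, key_id: str, atc: int, amount: int, cryptogram: bytes) -> str:
        rec = self._keys.get((token, key_id))
        if rec is None:
            return "declined: unknown key"
        if rec["uses_left"] <= 0:
            return "declined: key exhausted"
        if atc in rec["seen_atc"]:
            return "declined: replay"
        expected = make_cryptogram(rec["key"], token, atc, amount)
        if not hmac.compare_digest(expected, cryptogram):
            return "declined: bad cryptogram"
        rec["seen_atc"].add(atc)
        rec["uses_left"] -= 1
        return "approved"


class HceWallet:
    """Phone side: holds only the token and the current limited-use key, never the PAN."""

    def __init__(self, token: str, key_id: str, key: bytes) -> None:
        self.token, self.key_id, self.key, self.atc = token, key_id, key, 0

    def tap(self, amount: int) -> TapMessage:
        self.atc += 1
        return (self.token, self.key_id, self.atc, amount,
                make_cryptogram(self.key, self.token, self.atc, amount))


def run_scenario(max_uses: int = 2) -> List[str]:
    """Walk through the issuer's checks; returns the decision for each attempt in order."""
    issuer = IssuerTokenService()
    token = "9900001234567890"  # constructed token value, not a real PAN
    key_id, key = issuer.provision_luk(token, max_uses)
    wallet = HceWallet(token, key_id, key)
    decisions: List[str] = []

    first = wallet.tap(1999)
    decisions.append(issuer.authorize(*first))            # genuine tap
    decisions.append(issuer.authorize(*first))            # captured message replayed
    forged = (token, key_id, 99, 1999, make_cryptogram(b"\x00" * 16, token, 99, 1999))
    decisions.append(issuer.authorize(*forged))           # token stolen, key not known
    decisions.append(issuer.authorize(*wallet.tap(500)))  # second genuine tap
    decisions.append(issuer.authorize(*wallet.tap(500)))  # limit reached; wallet must fetch a new key
    return decisions


if __name__ == "__main__":
    for decision in run_scenario():
        print(decision)
```

The replay check keys on the counter rather than on the whole message, so an attacker who captures a tap and changes only the amount is caught by the cryptogram check, while one who resends it unchanged is caught by the counter.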

Hidden From Harm

Tokenization protects merchants, card issuers and regulators from three key areas of vulnerability: card present, card not present (CNP) and mobile channels. By replacing a PAN with a token, this process hides sensitive data from harm. This not only protects user data but also reduces compliance burden. Card issuers are beginning to offer tokenization-as-a-service as they realize the revenue opportunities inherent in this security approach. Consequently, smaller retailers stand to enjoy a reduced security risk as sensitive data remains under the protection of much larger players.

Edited by Stefania Viscusi