
By David Froud, Head of Global Compliance & Risk at myPINpad


During the first three quarters of 2014, global payments and transaction companies raised a combined $1.18 billion through 75 funding deals[1]. More and more banks have launched plans to build mobile payments directly into their mobile banking apps. And a broad range of payment options and channels – from Apple Pay to Google Wallet, from Samsung Pay to Visa Checkout – have entered the market and are all vying for majority adoption.

But with the increasing amount of technology developed to create a fast and convenient payment experience, and the rising number of high-profile data breaches within the last year, merchants, issuers, schemes and consumers are prioritising payments and data security more than ever.

In the ever active scramble to find new ways of protecting personal details and avoiding embarrassing data breaches, tokenization is being promoted as the defence against mobile payment fraud.

Of course, the use of tokens – the process of substituting a sensitive data element with a non-sensitive equivalent – is well respected in payments and financial services. Applied to the payments card industry, tokenization has been used as an encryption method for cardholder information post-authorization for many years.

In their most basic form, payment tokens are surrogate values that replace the Primary Account Number (PAN) and can be used for mobile point-of-sale transactions, in-app purchases, or online purchases in order to limit the impact of a data breach or sporadic card theft.

The Payment Security Taskforce[2] defines three different types of payment token:

  1. EMV (EMVCo) Tokens: Tokens compliant with the EMV Payment Tokenization Specification, developed as a multi-scheme initiative by Visa, MasterCard and American Express.
  2. Acquiring Tokens: A token created by the acquirer, merchant or a Payment Service Provider (PSP) which is created after the cardholder presents their payment credentials.
  3. Issuer Tokens: Also known as virtual card numbers or alternate PANs, which are created by issuers to reduce risk in specific use cases.

Token credentials are limited to use on a specific device, at a specific merchant or for specific types of goods and services. Tokens on the acquiring side don’t have anything to do with tokens on the payments and issuing side. Thus the uses, advantages and disadvantages of each one of them are diverse.

Yet for all the promise of tokenization, it is not without significant criticism.

The first concern is the extent to which tokenization meets PCI DSS security standards. In its most recent guide to the use of tokens in payment security, the PCI discusses the role of tokenization in “reducing the risk of unauthorized disclosure of a PAN”[3].

The use of the word “reducing” is critical here. Because this is what tokenization does. It reduces risk, it doesn’t eliminate it entirely.

Of course, the nature of risk is such that it is never entirely eliminated and it would be unfair to expect otherwise.

Yet it is a stark warning that tokenization is not elemental, nor should it be treated as beyond improvement.

Cybercriminals are improving their methods daily, proving that what used to be safe methods are now easily breached. In the coming years the proliferation of devices will continue to grow and will expand beyond smartphones and into wearables, the Internet of Things, and even more surprising devices.

Tokenization has a critical role to play in this, but only as part of a multi-layered security solution that also incorporates other protective methods such as end-to-end encryption, biometrics and other user authentication; the latter of which can be implemented as a ‘step-up’ security method by a merchant, under predefined circumstances, to maintain a good customer experience.

We may hear that security, although essential, slows down the innovation process. Innovation cannot be stopped by security, but security itself needs to innovate and find new and multi-layered ways to help the payments ecosystem with compliance, risk and fraud reduction.

The payments industry needs further education around tokenization and an understanding that, although popular now, tokenization cannot be the only protection it has to ensure that sensitive data sets, like payment card data, personally identifiable data, or financial account data, remain safe.
