By David Froud, Head of Global Compliance & Risk at myPINpad
During the first three quarters of 2014, global payments and transaction companies raised a combined $1.18 billion through 75 funding deals. More and more banks have launched plans to build mobile payments directly into their mobile banking apps. And a broad range of payment options and channels – from Apple Pay to Google Wallet, from Samsung Pay to Visa Checkout – have entered the market and are all vying for majority adoption.
But with the increasing amount of technology developed to create a fast and convenient payment experience and the rising number of high profile data breaches that have sprung within the last year, merchants, issuers, schemes and consumers are more than ever prioritising payments and data security.
In the ever active scramble to find new ways of protecting personal details and avoiding embarrassing data breaches, tokenization is being promoted as the defence against mobile payment fraud.
Of course, the use of tokens – the process of substituting a sensitive data element with a non-sensitive equivalent – is well respected in payments and financial services. Applied to the payments card industry, tokenization has been used as an encryption method for cardholder information post-authorization for many years.
In its most basic form, payment tokens are surrogate values that replace the Primary Account Number (PAN) and can be used for mobile point-of-sale transactions, in-app purchases, or online purchases in order to limit the impact of a data breach or sporadic card theft.
Payment Security Taskforce defines three different types of payment token:
- EMV (EMVco) Tokens: Tokens compliant with the EMV Payment Tokenization Specification, developed as a multi-scheme initiative by Visa, MasterCard and American Express.
- Acquiring Tokens: A token created by the acquirer, merchant or a Payment Service Provider (PSP) which is created after the cardholder presents their payment credentials.
- Issuer Tokens: Also known as virtual card numbers or alternate PANs, which are created by issuers to reduce risk in specific use cases.
Token credentials are limited to use on a specific device, at a specific merchant or for specific types of goods and services. Tokens on the acquiring side that don’t have anything to do with tokens on the payments and issuing side. Thus uses, advantages and disadvantage for each one of them are diverse.
Yet for all the promise of tokenization, it is not without significant criticism.
The first concern is the extent to which tokenization meets with PCI DSS security standards. In its most recent guide to the use of tokens in payment security, the PCI discusses the role of tokenization in “reducing the risk of unauthorized disclosure of a PAN”.
The use of the word “reducing” is critical here. Because this is what tokenization does. It reduces risk, it doesn’t eliminate it entirely.
Of course, the nature of risk is such that it is never entirely eliminated and it would be unfair to expect otherwise.
Yet it is a stark warning that tokenization is not elemental, nor should it be treated as beyond improvement.
Cybercriminals are improving their methods daily, proving that what used to be safe methods are now easily breached. In the coming years the proliferation of devices will continue to grow and will expand beyond smartphones and into wearables, Internet of things, and even more surprising devices.
Tokenization has a critical role to play in this, but only as part of a part of a multi-layered security solution that also incorporates other protective methods such as end-to-end encryption, biometrics and other user authentication; the latter of which can be implemented as a ‘step-up’ security method by a merchant, under predefined circumstance to maintain good customer experience.
We may hear that security, although essential, slows down the innovation process. Innovation cannot be stopped by security, but security itself needs to innovate and find new and multi-layered ways to help the payments ecosystem with compliance, risk and fraud reduction.
The payments industry needs further education around tokenization and understanding that although popular now, tokenization cannot be the only protection they have to ensure that sensitive data set, like payment card data, personally identifiable data, or financial account data, remains safe.