By: Andy Brown
April 19, 2016 09:00 AM
Tokenization promises to be a defining trend in payments as the industry seeks to boost security across the ecosystem, and momentum behind the approach is steadily gathering pace.
Interac, the Canadian debit network, has just announced it will make digital payments more secure with the launch of a tokenization service. The Interac Token Service Provider (TSP) means financial information is substituted with a secure token consisting of a unique, randomly generated sequence of numbers only for use on the user’s mobile. It’s said to be “device agnostic,” meaning that banks, payment service providers and merchants can build it into their payment products.
"The Interac TSP is core to our digital strategy and solidifies our position as a driver of innovation and champion of secure debit payments," said Mark O'Connell, president and chief executive officer of Interac Association and Acxsys Corporation. "It offers the security and customization that our consumers and clients demand with the capability for tokenized digital debit transactions on any device or mobile wallet that supports it."
This comes shortly after Nets Group and Carta Worldwide announced they had agreed a partnership deal to offer tokenization to over 200 banks across Northern Europe.
Meanwhile, Visa has also just announced it is expanding its tokenization service.
What is tokenization?
Tokenization involves replacing sensitive card data with 'tokens' that are completely useless to a fraudster. Usually this means replacing the payment card's primary account number (PAN) with a random code or token.
“Tokenization is one approach that can be used to safeguard payment credentials from being stolen and used for fraudulent transactions,” explains the Smart Card Alliance in a recent study.
Visa notes that security experts agree that payment tokenization is “the best currently available solution to significantly increase the security around payment card data without having to change anything on the cardholder end”.
Tokens can be single use or multi-use; and they can be stored and managed in the cloud, in a token vault, or at a merchant location.
More than a token gesture
One of the key reasons to embrace tokenization is the threat of cyber attacks and data breaches. Several high-profile cases in the US seem to have acted as a catalyst for change, and the use of tokens is now accepted as an essential part of making payments more secure.
“Replacing PANs with tokens can reduce the financial impact resulting from data compromise, theft or unintended disclosure during disposal,” noted the Federal Reserve Bank of Boston in a discussion paper on the use of tokens in payments. “While data breach prevention is the key to reducing the risk of compromise, tokenization has the benefit of making the compromised data less valuable.”
Tokens also help give us more control, as Visa notes: “Because multiple tokens can be created for a single card, tokenization also makes it possible for financial institutions to flexibly control and manage the environments where a particular token can be used, helping them offer cardholders new ways to pay with their favorite card. For example, a token set up only for a particular mobile/in-app payment service cannot be captured and used elsewhere to make an online purchase.”
But there are new challenges
However, many organisations have relied on using the PAN to link together customer data for analysis. This might mean looking at patterns of usage in order to identify which transactions are fraudulent, or a merchant identifying which customers should receive a special offer. Tokenization of the PAN removes the ability to link customer activity in this way, because each way the customer makes payments will have a different token assigned.
Hence the announcement from EMVCo that it has extended the tokenization specification to allow the inclusion of a Payment Account Reference is good news. This reference will be unique to an account but cannot be used by a fraudster to make a payment, as there is no link to the underlying account data. Now the issuers need to take advantage of this extension to the specification.
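The linkage problem and the Payment Account Reference described above can be seen in a simplified model. This is an added illustration, not code from Interac, Visa or EMVCo; the class and function names, the `PAR-` prefix and the sample transactions are assumptions made for the example.

```python
import secrets
from collections import defaultdict

class ToyTokenService:
    """Simplified token service: one PAN, many domain-bound tokens, one PAR."""

    def __init__(self):
        self._tokens = {}  # token -> (PAN, domain the token is bound to)
        self._pars = {}    # PAN -> Payment Account Reference (hypothetical format)

    def issue(self, pan, domain):
        # Tokens and the PAR are random, so neither reveals the PAN.
        token = "".join(secrets.choice("0123456789") for _ in range(16))
        par = self._pars.setdefault(pan, "PAR-" + secrets.token_hex(12))
        self._tokens[token] = (pan, domain)
        return token, par

    def detokenize(self, value, domain):
        # Only a known token presented in its own domain maps back to a PAN.
        pan, bound_domain = self._tokens.get(value, (None, None))
        if pan is None or bound_domain != domain:
            raise PermissionError("not usable for payment in this domain")
        return pan

def group_spend(transactions, key):
    """Total transaction amounts per value of `key` ('token' or 'par')."""
    totals = defaultdict(int)
    for txn in transactions:
        totals[txn[key]] += txn["amount_cents"]
    return dict(totals)

def demo():
    tsp = ToyTokenService()
    pan = "4111111111111111"  # constructed test number, not a real card
    wallet_token, par = tsp.issue(pan, "mobile-wallet")
    inapp_token, par2 = tsp.issue(pan, "in-app")
    txns = [  # constructed sample transactions
        {"token": wallet_token, "par": par, "amount_cents": 1250},
        {"token": inapp_token, "par": par2, "amount_cents": 4000},
        {"token": wallet_token, "par": par, "amount_cents": 300},
    ]
    return tsp, wallet_token, par, group_spend(txns, "token"), group_spend(txns, "par")

if __name__ == "__main__":
    _, _, _, by_token, by_par = demo()
    print(len(by_token), "groups by token;", len(by_par), "group by PAR")
```

Grouping by token splits one customer's spend across two unrelated identifiers, while grouping by the reference restores a single view of the account without exposing anything that can be presented for payment.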
Tokenization doesn’t solve every security problem, but it’s now seen as an essential weapon in the arsenal to defeat fraudsters, and with the Payment Account Reference a major shortcoming is addressed.