Is Tokenization the Future of Payment Security?

Tokenization – An Extra Layer of Security for Card Payments!

The PCI Council defines tokenization as “a process by which the primary account number (PAN) is replaced with a surrogate value called a token. De-tokenization is the reverse process of redeeming a token for its associated PAN value.”

Card numbers are replaced with unique, one-time-only codes known as tokens. Just as the EMV chip has brought security to the physical world, tokenization everywhere is critical to securing the digital world.

Tokens can generally be classified as either single-use or multi-use.

  • A single-use token typically represents a specific, single transaction.
  • A multi-use token represents a specific card number and may be used to track an individual PAN across multiple transactions. A multi-use token always maps a particular card number to the same token value within the tokenization system. Whether single-use or multi-use tokens, or a combination of both, are appropriate for a particular merchant environment will depend on the merchant’s specific business need for retaining tokens.

Tokenization vs Encryption:

The concept of tokenization is different from encryption. The purpose of encryption is to mask the original data while allowing it to be decrypted later. Encryption applies an algorithm to the credit card information that makes the data unreadable to anyone without the proper key. The original card data, however, stays intact and often resides on a company’s internal networks, which is what creates the vulnerability.

Tokenization completely removes card data from an institution’s internal networks and replaces it with a “token”. Merchants use only the token to retrieve, access, or maintain their customers’ credit card information, while the real card data is stored at a highly secure, offsite location.

How Does Tokenization Work?

When used in card transactions, tokens are created to replace your card number. The token in this case is a string of seemingly nonsensical letters and numbers that represents your 16-digit account number. The token, rather than your actual card number, is used to complete the purchase.

If a token – rather than your account number – is what passes through all the systems involved in authorizing your transaction, your payment information stays safe. The token can only be “unlocked” once it reaches the payment processor; until then, it is meaningless to anyone who might encounter it.

Below are the five steps that explain the authorization process with tokenization (the final step has two variants, depending on who operates the tokenization system):

  • A credit card is swiped in a POS machine or entered into an ecommerce site.
  • The POS machine (or ecommerce site) passes the PAN to the credit card tokenization system.
  • The tokenization system generates a string of 16 random characters to replace the card number, or retrieves the associated token if one has already been created, and records the correlation in the data vault.
  • The tokenization system returns the token to the POS terminal (or ecommerce site), where it is used to represent the customer’s card in the system.
  • If the business is using a payment processor’s tokenization solution, the token is sent to the payment processor, which, using the same tokenization technology, de-tokenizes it, recovers the original credit card number and processes the payment.
  • If the organization is using a third-party tokenization solution, the token is sent to the third party, which de-tokenizes it and forwards the card number to the payment processor for processing.
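The flow above, and the single-use versus multi-use distinction from the start of the article, as an added example that is not code from the article or from any real tokenization product: a small in-memory token vault (the class and function names are hypothetical, the card numbers are well-known test numbers) that issues 16-digit tokens, keeps multi-use tokens stable per card, consumes single-use tokens on first redemption, and scopes every token to the merchant it was issued for. Tokens are generated so that they fail the Luhn check that real PANs pass, so a token can never be mistaken for a card number.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


def luhn_valid(digits: str) -> bool:
    """Luhn check. Real PANs pass it; this vault only issues tokens that fail it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class TokenRecord:
    pan: str
    single_use: bool


@dataclass
class TokenVault:
    """Hypothetical data vault (constructed for this example).

    Records are keyed by (merchant, token), so a token issued for one
    merchant cannot be redeemed on behalf of another merchant.
    """
    _records: Dict[Tuple[str, str], TokenRecord] = field(default_factory=dict)
    # (merchant, PAN) -> token, so a multi-use token is stable per card
    _multi_use: Dict[Tuple[str, str], str] = field(default_factory=dict)

    def _new_token(self, merchant: str) -> str:
        # 16 random digits; reject Luhn-valid strings (they look like a PAN)
        # and the vanishingly rare collision with a token already issued.
        while True:
            token = "".join(str(secrets.randbelow(10)) for _ in range(16))
            if not luhn_valid(token) and (merchant, token) not in self._records:
                return token

    def tokenize(self, merchant: str, pan: str, single_use: bool = False) -> str:
        """Third step of the article: issue a token, or return the existing one."""
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("input is not a well-formed PAN")
        if not single_use:
            existing = self._multi_use.get((merchant, pan))
            if existing is not None:
                return existing
        token = self._new_token(merchant)
        self._records[(merchant, token)] = TokenRecord(pan, single_use)
        if not single_use:
            self._multi_use[(merchant, pan)] = token
        return token

    def detokenize(self, merchant: str, token: str) -> Optional[str]:
        """Final step: only the processor-side vault can redeem the token.
        A single-use token is removed on its first redemption."""
        record = self._records.get((merchant, token))
        if record is None:
            return None
        if record.single_use:
            del self._records[(merchant, token)]
        return record.pan


def authorize(vault: TokenVault, merchant: str, token: str) -> str:
    """Processor-side authorization on the de-tokenized PAN; the merchant
    only ever sees the token and a masked result."""
    pan = vault.detokenize(merchant, token)
    if pan is None:
        return "DECLINED: unknown or already used token"
    return f"APPROVED: card ending {pan[-4:]}"


if __name__ == "__main__":
    vault = TokenVault()
    test_pan = "4111111111111111"  # well-known test card number, not a real card
    tok = vault.tokenize("merchant-A", test_pan)
    print(tok, authorize(vault, "merchant-A", tok))
    print(authorize(vault, "merchant-B", tok))  # other merchant: declined
```

In a real deployment the vault would sit with the processor or tokenization provider, the PAN column would itself be encrypted at rest, and the merchant-side system would hold nothing but the token; the merchant scoping in the lookup key is what prevents the cross-domain "a token becomes a card" problem discussed later in the article.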

Benefits:

The main benefit for banks is a significant reduction in fraud losses related to PAN compromise. Reduced card and payments fraud also means fewer disputes.

In addition to protecting against card number compromise, rolling out a tokenization-based contactless mobile payment application provides other benefits for banks. As an example, a PAN-based payment application that only provides payment functionality for POS transactions can be upgraded into a smart token application that also provides payment functionality at online checkouts from mobile devices. Mobile payment applications based on smart tokens can also provide greater insight into customer payments, enabling banks to recommend and provide services and promotional offers during payments and at checkout.

Furthermore, banks can set accurate risk ratios and transaction limits and authorize high-value transactions for genuine customers. These benefits are more difficult to achieve with a PAN-based solution because of the security implications and its incompatibility with e-commerce checkouts.

Scheme Compliance Advantages:

In the payments industry, merchants handling customer payment card details are required to comply with industry standards such as the Payment Card Industry Data Security Standard (PCI-DSS). Compliance is costly and time-consuming, requiring stringent audits and the implementation of security controls.

For merchants, tokenized customer payment records are exempt from PCI-DSS compliance. This is not to say that merchants should not implement adequate security controls to safeguard data from compromise, but the risk of tokenized records being breached is minimal.

Risks of Tokenization:

Tokenization is not without risk. With cross-domain tokenization, businesses request the ability to tokenize data across all of their customers in a single data vault. This creates a situation where a token for one merchant can be used across all merchants in that vault, essentially making the token a card.

“Organizations that opt for a phased approach to tokenizing data can actually end up storing payment card data as well as tokens in their databases. This can create a challenge with some token schemes, as it makes it nearly impossible to determine what is a token and what is a payment card number.”
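One way to audit for the mixed-storage problem just described, added here as an example and not taken from the article or any real tool: a scan over a stored column of card references that separates values that pass the Luhn check (and so may be raw PANs left behind by a phased migration) from values that fail it. It assumes a token scheme that guarantees tokens never pass Luhn; the sample column, function names and opaque token format are constructed for the example.

```python
import re
from collections import Counter
from typing import Dict, List


def luhn_valid(digits: str) -> bool:
    """Luhn check that every real PAN passes."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify_value(value: str) -> str:
    """Classify one stored value as 'possible-pan' (card-length digit string
    that passes Luhn), 'token' (card-length digits that fail Luhn) or 'other'
    (anything that is not a card-length digit string, e.g. an opaque token)."""
    digits = re.sub(r"[ -]", "", value)  # normalize "4111 1111 ..." / "4111-1111-..."
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return "other"
    return "possible-pan" if luhn_valid(digits) else "token"


def scan_column(values: List[str]) -> Dict[str, int]:
    """Count how many stored values fall into each class."""
    return dict(Counter(classify_value(v) for v in values))


def flagged_rows(values: List[str]) -> List[int]:
    """Row indexes that should be investigated as possible raw PANs."""
    return [i for i, v in enumerate(values) if classify_value(v) == "possible-pan"]


# Constructed sample of a 'card_ref' column after a partial migration to tokens.
# The two Luhn-valid entries are well-known test card numbers, not real cards.
SAMPLE_COLUMN = [
    "4111 1111 1111 1111",   # raw PAN left behind (passes Luhn)
    "5500000000000004",      # raw PAN left behind (passes Luhn)
    "4111111111111112",      # 16-digit token (fails Luhn)
    "0000-0000-0000-0001",   # 16-digit token, stored with separators
    "1234567890123456",      # 16-digit token
    "tok_8f3a2c",            # opaque alphanumeric token
]


if __name__ == "__main__":
    print(scan_column(SAMPLE_COLUMN))
    print("rows to investigate:", flagged_rows(SAMPLE_COLUMN))
```

The check is only sound when the tokenization system deliberately issues tokens that fail Luhn: a uniformly random 16-digit token passes it about one time in ten, and a format-preserving token scheme that keeps Luhn validity would make the two indistinguishable by inspection, leaving a lookup against the vault as the only authoritative way to tell a token from a card number.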

Future of Tokenization with Payment Security:

Summary:

Tokenized payments add an extra layer of security to payment transactions and offer improved functionality and customer insights. Although used by contactless mobile payment applications such as Android Pay and Samsung Pay, token-based solutions’ market share remains small compared to that of the less secure PAN-based solutions.

Tokenized payment technology will likely gain more popularity in the coming years. This would translate into fewer financial losses from fraud and greater cost savings for financial institutions, which can be passed on to consumers as well as merchants.

Nitin Sharma

Nitin is a Senior Consultant @ Verinite. Passionate about learning the cards and payments domain. Loves to travel and explore nature.