June 24, 2015
By Katie Flood, CardNotPresent.com
For those in the CNP payment space, the words on everyone’s lips this year have been, “EMV is coming.” It’s not quite “Winter is coming,” but it does carry a certain portent of doom, a sense that our collective destiny is tied to the arrival of EMV. No doubt there is some truth to this: Once fraudsters can no longer use stolen cards in stores, it stands to reason they won’t simply throw in the towel. Rather, they will seek out easier targets for their criminal activity, with e-commerce being the most obvious.
The extent of this problem remains to be seen, but regardless of what happens in October and beyond, tokenization is expected to be a major security solution in CNP payments environments going forward. Tokenization is the process by which a piece of data with value (e.g., a credit card number), is fed through an algorithm to generate a piece of data which has no inherent value. The benefit to e-commerce merchants is reduced risk and PCI scope. [hide for=”!logged”]
‘Hurts the Criminal Element’
Tokenization is not new to the CNP payments space—many CNP merchants have been implementing it in some form since shortly after PCI standards were issued in 2004. But the present need for increased security has made tokenization more relevant than ever. According to David Lott, payments risk expert in the Retail Payments Risk Forum at the Federal Reserve Bank of Atlanta, “the overall goal is that once all transactions are tokenized, it really hurts the criminal element, and this could cause them to move their attacks away from the payment systems and into other areas, because the cost and effort required to defeat this will have gone up considerably.”
While the Fed has no legislative or executive power over the CNP payment space, its role has been to facilitate discussion among key players in the field on security and technology issues. Lott is co-author of the Fed’s recently released document, Is Tokenization Ready for Primetime? He explains the paper was drafted to “serve as a primer on what tokenization is, and what its use cases are. We thought it would be a big advantage for the industry to put together a landscape of where things are today, knowing it will likely change in the next couple of years.”
So what do merchants need to know about tokenization today? First of all, “tokenization offers the ability to not only answer the security, risk, and compliance questions that are out there, but it also is an enabler,” says Alex Pezold, CEO and co-founder of TokenEx, a token service provider (TSP) that offers a stand-alone data security solution.
“If you’re using a service provider that will work with you on how tokens are generated and what the format of those tokens look like, you can actually continue to use tokens for chargebacks, for remittance, for analytics, for order fulfillment, for any number of different tasks,” he says. “[Our technology is] just functioning in the background, not interrupting the merchant-customer interaction, not interrupting the business unit interaction internally. All we’re doing is accepting the risk of handling [our clients’] data.”
Moreover, Pezold says, tokenization is not just for payment data; it can be a security solution for any sensitive data a company handles. He highlights the value to merchants of being able to tokenize multiple data streams in a variety of ways. For example, an insurance company needs to accept payments and would want to tokenize payment card information, but they also can tokenize sensitive data such as social security numbers, healthcare information, and other personal data that could be used to steal a customer’s identity if it fell into the wrong hands. Each of those pieces of data can be tokenized into different formats, so that, for instance, a social security number token allows the company’s service representatives to see the last four digits of a customer’s social to confirm his identity over the phone. The customer’s payment card token can show the last four digits of the card number and card expiration date, so that the rep can credit a payment back onto his card without ever having access to the full card number.
Security Tokenization vs. Payment Tokenization
Merchants will also want to be aware that there are currently two different types of tokenization: security tokenization and payment tokenization. The Fed’s document outlines the differences between the two in detail, but in short: With security tokens, the token is generated after the customer submits his card number, whereas a payment token is generated before the transaction begins and is stored within the secure element of the customer’s phone. The payment token is then presented at the time of checkout, and the card number never enters the merchant’s system.
While there are a wide variety of TSPs offering security tokenization, the only TSPs for payment tokenization are the major card networks. The debit card networks and several major banks have expressed interest in becoming payment-token TSPs, but they will have to be certified and work within EMVCo’s forthcoming standards on payment tokenization, which are expected to be issued in late 2015 or early 2016.
Security tokens, on the other hand, are not standardized with respect to how the tokens are issued and formatted, though the TSPs obviously have to implement their method of tokenization in such a way that their clients will be in compliance with PCI standards. Pezold believes that keeping security tokenization unstandardized “is actually a huge industry risk reducer. If you’re following a standard for token generation, you’re going to create a cross-domain tokenization issue where [hackers] can use a token generator for one merchant with another. And all you’ve done is recreated credit cards at that point.” Though it is possible that standards for security tokens could emerge at some point down the road, for now, none are in the works.
Currently, security tokenization is what the majority of merchants are using across all channels of e-commerce, and payment tokenization is essentially limited to mobile payments. Some speculate that the friction of learning a new in-store payment process with EMV POS systems could drive mobile payment adoption. The EMV chip card requires that customers leave their cards in place during the transaction rather than swiping, thus increasing the potential for accidentally interrupting checkout or leaving a card at the store. The theory is that some customers may decide it’s easier simply to pay through an app than to use their card at checkout. For now, though, the theory remains just that, and mobile remains a very small piece of the e-commerce pie.
Whatever happens with EMV implementation in October, one thing is certain: Tokenization is not a mere flash in the pan. Says Pezold, “Tokenization isn’t going away and is a very sound technology … to reduce scope and risk.” Lott agrees: “The industry has been searching for a long time, trying to find a way to improve the security of the payment system, [and now] has widely and eagerly accepted tokenization. I think tokenization is here to stay.”
Read EMV Part 4: Take it From Me [/hide]