In light of recent security breaches, the question among many consumers is: “How can I protect myself and be more secure?” Security threats emerging from the Target Home Depot, and Kmart breaches are putting a fire under the payments industry to quickly find a solution to ensure that sensitive payment information can be kept safe. While many options are available to combat against data breaches, new technology is also emerging to help consumers pay in a more secure way.
More and more consumers are making purchases on their mobile devices. Retailers are noticing this trend and are helping to push consumers in this direction by adopting mobile payment technology. Consumers have the opportunity to make mobile transactions now with products like Apple Pay, Google Wallet and CurrentC mobile wallets. This also raises the concern about mobile device security. How can consumers make secure purchases for person present, card not present (CNP) transactions? This is where tokenization reigns supreme when it comes to better securing mobile transactions.
What is Tokenization and How Does it Work with EMV?
Tokenization technology replaces the 16 digit card number on the front of your debit cards with an encryption that is more secure called a token. There are two different forms of tokens: ones that are used as a mechanism for authenticating your purchase and another as an item that can be mapped to your card on file or your bank account. If you pay with your EMV™ chip card, NFC-enabled, or NFC token-enable phone at the POS, the device generates a unique authentication token, also commonly known as a “cryptogram”, which masks your information. Tokens can only be tied back to sensitive information kept on highly secure servers affectionately called the “vault.” Without access to the vault, these numbers are useless. So if in the event of a breach, the tokens are of no use and the payment data is kept secure from hackers. Tokens do not replace EMV, but rather complement for mobile payments.
Concerns with Tokenization
Convincing both retailers and consumers to adopt tokenization may be a bit tricky. Cryptograms, in many ways, offer secure payment solutions but they also have their own limitations. For instance, tokens do not get carried all the way through the transaction; rather they are passed in the clear after the token vault. There’s still a portion of the transaction where the card number or bank account number (PAN) is present. As a result, this limits the cryptogram’s security, leaving a loophole for data compromise. Because of this, many retailers such as Walmart and Best Buy, have opted out of tokenization and instead looked at other options to provide their customers with secure transactions. Furthermore, there are also challenges to implementing tokenization into the market. One limitation is the current technological infrastructure. These structures must be built to support tokenization so that tokens can be the market normality for transaction security. Aside from having common systems that accept cryptograms, the other barriers to adoption include initial cost of transition for merchants and the loss of the familiar for the consumer at the POS and not to mention, competitive solutions such as Google Wallet, SoftCard, etc.
These barriers to adoption could potentially be overcome in these ways:
- Offering incentives for consumers to enroll in tokenization, such as reducing the price of items at the POS.
- Card Issuers can lower interchange fees to merchants.
- Offering the convenience of new technology accepting tokenization such as Apple Pay and Wal-Mart’s CurrentC mobile wallet.
The benefits of tokenization far outweigh the barriers to adoption as exhibited by the monetary losses associated with security breaches at major retailers. While it’s a step in the right direction, is tokenization really going to be the universal standard going forward? Or is MCX going to drive QR codes to be the industry norm? Here at FIS, we strongly advocate for open and minimalist standards for tokens to allow for mass adoption and widespread use. As new payment technologies are emerging to protect your customer’s personal financial information, take advantage of the opportunities presented and find a way to make them work for you.