Recent Breaches Show the Need for Tokenization

Payments Leader

Posted on March 20, 2014

Major card security breaches, like the one that occurred at Target in late 2013, have exposed vulnerabilities that retailers continue to grapple with. They’ve also increased the momentum behind EMV smart card migration efforts.

EMV, which allows payment cards to be digitally signed, makes cloning of cards more difficult and will be a positive step. However, EMV will take years to fully implement, and while it improves card-present security, it has no impact on card-not-present transactions, such as online ecommerce.

To truly make a difference, tokenization must become the card security standard.

How tokenization works

At its most basic level, tokenization is the creation of a secure link between an actual payment card account and a unique identifier. That identifier can be a “pseudonumber” – a number formatted to look like an actual card number – for compatibility with existing point-of-sale and processing systems, thus transmitting proxy information rather than real card information. However, that doesn’t have to be the case.

Most mobile wallets, such as Paydient (foundation of FIS Mobile Wallet), LevelUp and others, use two-dimensional barcodes (also known as QR codes) as tokens that can be read using a smartphone camera, facilitating mobile-only transactions. Other payment schemes, such as PayPal, use an e-mail address or mobile phone number as a token. The value is two-fold: first, it creates a layer of protection between a source of funds and an attacker, and, second, it allows existing payment methods to function in different contexts.

Benefits of tokenization

Added security is a great benefit, but FIS believes tokenization presents an even greater value proposition to financial institutions: the opportunity to add more value to customers.

Consider that a token does not have to be linked to a single account; instead, it can be linked to several sources of funding, with the user specifying rules for how those sources are to be tapped. For example, a coupon could be tokenized together with a payment card, so that when the token is presented, part of the payment comes from a gift card account and part comes from a deposit or credit account. Business logic also could be incorporated in a tokenization server, allowing for greater control over payments.

In the world of corporate cards, it is already common practice to use “ghost cards,” which are pseudonumbers that are activated for a specific period of time, have a specific spending limit and can even be restricted to use by a single merchant. This allows corporate cards to emulate purchase orders and invoices without the actual exchange of paper. Meanwhile, student cards – prepaid cards linked to a checking account – allow parents to provide their children with payment cards while maintaining control over how those cards are used.
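The pseudonumber described under "How tokenization works" and the ghost-card restrictions above can be sketched together as a small token vault. This is an added example, not FIS code or any card network's scheme; the names TokenVault, Rule and PREFIX and the "999999" token range are assumptions made for illustration.

```python
import secrets
from dataclasses import dataclass
from datetime import date

def luhn_check_digit(body: str) -> str:
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch) * (2 if i % 2 == 0 else 1)  # double every second digit
        total += d - 9 if d > 9 else d
    return str((10 - total % 10) % 10)

@dataclass
class Rule:  # vault-side record: real card plus ghost-card style limits
    pan: str
    merchant: str
    limit_cents: int
    valid_until: date
    spent_cents: int = 0

class TokenVault:
    PREFIX = "999999"  # constructed prefix marking example tokens (assumption)

    def __init__(self):
        self._rules = {}  # token -> Rule; the only place the real PAN is kept

    def issue(self, pan, merchant, limit_cents, valid_until):
        if luhn_check_digit(pan[:-1]) != pan[-1]:
            raise ValueError("not a valid card number")
        n = len(pan) - len(self.PREFIX) - 1  # random digits needed
        while True:  # retry on the rare collision with an existing token
            body = self.PREFIX + f"{secrets.randbelow(10 ** n):0{n}d}"
            token = body + luhn_check_digit(body)  # same length, passes Luhn
            if token not in self._rules:
                break
        self._rules[token] = Rule(pan, merchant, limit_cents, valid_until)
        return token

    def authorize(self, token, merchant, amount_cents, today):  # -> (ok, reason)
        rule = self._rules.get(token)
        if rule is None:
            return False, "unknown token"
        if merchant != rule.merchant:
            return False, "wrong merchant"
        if today > rule.valid_until:
            return False, "expired"
        if amount_cents <= 0 or rule.spent_cents + amount_cents > rule.limit_cents:
            return False, "limit exceeded"
        rule.spent_cents += amount_cents
        return True, "approved"
```

Because the token digits are drawn at random rather than derived from the card number, a merchant database holding only tokens gives an attacker nothing to reverse, and a stolen token is useless outside its merchant, time window and spending limit.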

Tokenization in digital wallets

Currently, card networks have proposed that digital wallets – which can serve as containers, storing multiple tokens in one easily accessible location – must request tokens from card issuers every time a consumer makes a transaction. This prevents the wallet from aggregating transactions in order to save on interchange fees or from diverting transactions made from one network’s cards to another network.

While that may appear to be an effort by card networks to protect their position at the center of commerce, at FIS – network operators ourselves – we also understand the importance of knowing how your network is being used (or abused). Any attempt by a network to use tokens to drive out competitors would fail because consumers and merchants would simply revert to existing standards as their simplest way of doing business. For that reason, it makes sense for the entire industry to work together in good faith.

Limits to tokenization

One thing to keep in mind is that there’s no way to use tokens to exert control over commerce. If consumers or merchants feel that tokenization schemes are too restrictive, they can always fall back on the original card number in order to work around or ignore the token. For this reason, FIS is strongly advocating open and minimalist standards for tokens. In order to succeed, tokens have to be flexible and easily exchanged; anything that makes token exchange more difficult simply slows down adoption.

In fact, tokens can easily disrupt the power of intermediaries. Card issuers can partner with merchants to link rewards and offers to specific combinations of product and payment card, thereby preventing digital wallet platforms from capturing all the revenue associated with those offers. By linking acceptance of tokens to lower interchange fees, issuers can incent merchants and wallets to accept their tokens, offsetting the loss of fee revenue with commissions for influencing the way consumers and businesses spend.

At FIS, we believe that the true power of tokenization has only begun to be revealed, and look forward to exploiting this technology in partnership with others as new applications continue to be found.

In fact, we’re prepared to support card issuers that want to issue tokens under the scheme currently proposed by card networks and will work with all participants to ensure that tokens are quickly and securely generated. Meanwhile, we also continue to build token awareness in our card processing and loyalty systems so they can function seamlessly in a tokenized world.


Payments Leader from FIS provides insights on credit, loyalty, fraud and emerging payments strategies through blog posts from our industry experienced authors.