Part 1 of a 3-Part Series
Many credit unions have asked us which is better, tokenization or encryption, or which is more secure, EMV or NFC? Focusing on these questions might not be the best approach. All of these technologies are different pieces of the puzzle intended to help fight fraud. Chip cards, tokenized mobile payments and fingerprint scans all play important roles in making data breaches less valuable to fraudsters, thereby reducing issuers’ costs when breaches occur. Since there is much ground to cover on this topic, we decided to divide the content into three parts. First up, Tokenization.
Tokenization’s Background and Role
Tokenization has become more mainstream thanks to Apple Pay, and subsequently Android and Samsung Pay (a.k.a. the Mobile Pay wallets). There is a general understanding that tokenization, at least in the FinTech space, means replacing the credit or debit card number (the Primary Account Number or “PAN”), with a number that looks like a different PAN, but is useless outside of that one particular mobile device.
Tokenization is not a new technology and it has been in use since the early days of computers. It is broadly defined as the process of protecting sensitive data by replacing it with alias values or “tokens” that are useless to someone who gains unauthorized access to the data. In the realm of payments, it represents one of the best ways of protecting Payment Card Industry (PCI) data.
Tokens and Tokenization – How it All Started
Physical tokens have been around since the city of Boston first issued subway tokens in 1919. Tokens were safer and easier to process through turnstiles. Later, casinos switched to using only chips once affordable plastic poker chips became available in the 1940s. In both cases, a payment form, cash, was replaced with a token that could only be used in a limited manner. Digital tokens first appeared in the 1970s in early computer databases, where the primary key to a database entry was replaced with a token to be passed to external systems. This was later extended to security systems to protect sensitive data.
Tokenization and Mobile Payments
Tokenization in the payments space came to the forefront with the introduction of mobile wallets. Tokenization happens prior to authorization, during the transaction process. Tokens replace card data with a surrogate value. This value is passed along during the transaction, while the real data is kept safe in a secure server. The tokens are worthless on their own, so criminals who intercept them in transit won’t find any value in them.
Tokenization is done in two stages. When a person adds their payment credentials (by taking a picture of the card or keying in the card info) to their Mobile Pay app, the respective Pay gateway verifies that the BIN (the number range of that card) is enabled for that Mobile Payment app, then contacts the issuer to verify the cardholder. A phone call, email, or text message is most common. Once the issuer confirms identity, the Mobile Pay app requests a token from a payment vault currently run by the network “brands.” The token is sent to the mobile phone, to be stored in a Secure Element (SE) on the iPhone in Apple’s case, or stored in the cloud for Host Card Emulation (HCE) use on Android devices. While SE versus HCE sounds like two very different methods, they work pretty similarly from the cardholder’s perspective. At this point, the true PAN is not stored anywhere except in the vault corresponding to the token.
When the user makes a payment, only the terminal sees the token and sends it to the processor, which in turn sends it to the network. It is there that the token is replaced with the true PAN for authorization by the issuer. On the return, the authorization response is routed again through the network, so the response credentials are still tokenized from the merchant’s perspective. Even a breach at the merchant would therefore yield only useless tokens.
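As an added illustration of the two stages just described (this is example code written for this article, not CSCU’s or any network’s implementation), here is a minimal token-vault model in Python: provisioning checks the BIN and the issuer’s identity confirmation and hands back a device-bound, Luhn-valid surrogate that looks like a PAN, and detokenization at the network refuses a token that is unknown or replayed from a different device. The enrolled BIN list, the token BIN 499999 and the device ids are constructed sample values.

```python
import secrets
from typing import Dict, Optional, Tuple

# Constructed sample data (not from the article): card BINs enabled for the wallet.
ENROLLED_BINS = {"411111", "555555"}


def luhn_digit(partial: str) -> str:
    """Compute the Luhn check digit so a token still looks like a valid PAN."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:  # these positions get doubled once the check digit is appended
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    """True if the number's last digit is its correct Luhn check digit."""
    return number.isdigit() and len(number) > 1 and luhn_digit(number[:-1]) == number[-1]


class TokenVault:
    """Stand-in for the network-run vault: the only place the real PAN lives."""

    def __init__(self, token_bin: str = "499999") -> None:
        self.token_bin = token_bin  # constructed BIN reserved for tokens
        self._vault: Dict[str, Tuple[str, str]] = {}  # token -> (PAN, device id)

    def provision(self, pan: str, device_id: str, issuer_verified: bool) -> str:
        """Stage 1: BIN eligibility check, issuer ID&V, then a device-bound token."""
        if pan[:6] not in ENROLLED_BINS:
            raise ValueError("card BIN not enabled for this wallet")
        if not issuer_verified:
            raise PermissionError("issuer did not confirm cardholder identity")
        body = self.token_bin + "".join(secrets.choice("0123456789") for _ in range(9))
        token = body + luhn_digit(body)  # 16 digits, passes merchant-side PAN checks
        self._vault[token] = (pan, device_id)
        return token

    def detokenize(self, token: str, device_id: str) -> Optional[str]:
        """Stage 2: at the network, swap the token back to the PAN for authorization."""
        entry = self._vault.get(token)
        if entry is None or entry[1] != device_id:
            return None  # unknown token, or token presented from the wrong device
        return entry[0]
```

The merchant and processor only ever handle the value returned by `provision`; a stolen copy of it is refused by `detokenize` unless it arrives with the device it was bound to.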
Be on the lookout for Part 2 of this 3-part series on “The New Superheroes of Payment Fraud,” where we will explore how encryption, EMV and Biometrics complete the puzzle.
Lou is the Director of Payments Strategy at CSCU and is responsible for providing leadership to the organization for emerging payments and industry trends, as well as managing the product portfolio.
Prior to joining CSCU, Lou was Director of Mobile Products within the North American Retail Payments division at FIS. There he was responsible for enabling seamless access from smartphones and tablets to FIS products and services.
Lou holds an MBA from Duke, and a Master’s degree in Computer Engineering from the University of South Florida.