Tokenization, Encryption, EMV, and Biometrics: New Superheroes of Payments Fraud

Posted: Feb 18, 2016
Author: Lou Grilli

Part 3 of 3-Part Series

More on Tokenization

This is Part 3 of the 3-Part series “Tokenization, Encryption, EMV, and Biometrics: The New Superheroes of Payments Fraud.” In Part 1, we reviewed tokenization, its background, and how it is now being used in mobile wallets. In Part 2, we provided a deeper understanding of EMV and its use of encryption to protect payment credentials, and we covered how NFC technology fits into the payments picture. In Part 3, the final installment of the series, we will look more closely at tokenization, the protection of stored payment credentials, and some of the potential problems it will present to merchants.

Tokenization and CNP transactions – the final frontier

The goal of EMV, encryption, and tokenization is to minimize counterfeiting of payment cards at the POS. That leaves one final frontier of fraud: online fraud, or Card Not Present (CNP) transaction fraud. In countries that have widely adopted EMV, counterfeit fraud at the POS has dropped to a fraction of what it once was, and online fraud has ballooned. This is where tokenization, using the term much more loosely, can also be deployed to reduce fraud.

As long as merchants will accept their shoppers keying in a 16-digit number, a CVV, and an expiry date, there will be fraudsters obtaining card data, typically in large-scale breaches.

Tokenization of card on file

Widely considered a technology to replace actual payment credentials as they are added into a digital wallet, tokenization will also play a big role in protecting payment credentials that were already stored by a merchant. Presently, internet-based retailers like Amazon, and brick-and-mortar retailers with an online presence like Best Buy, offer to store your payment credentials “as a convenience”. It serves the merchant well, by helping to reduce shopping cart abandonment and to ensure that you will return to the same site. However, these stored credentials represent a treasure trove to fraudsters. This is where tokenization works its magic by making stored payment card numbers useless – through tokenization of the cards on file.

The same token vault used for mobile payment can be used – a one-time replacement of each of the card numbers on file with a token provided by the token vaults managed by the brand networks. Or, an alternative floated by a few merchant processors is to have private token vaults that safely store the credentials, and replace the merchant's card on file with a token – in this case the token does not even need to be a routable 16-digit number – it could be an alpha-numeric string of any length. Either of these alternatives would go a long way toward making the data obtained in a breach of very limited use. As a side benefit, this would minimize PCI compliance audits for merchants, as they would no longer hold or store true card data.

Tokenization and merchant challenges

While tokenization sounds like a panacea, it does come with some additional burdens. Many merchants use the PAN to track returns, to prevent users from abusing generous return policies, and to monitor, track, or dispute chargebacks. Some merchants go further with their use of the card data, for sales reports and marketing analysis. Finally, recurring payments, such as those for popular subscription services like Netflix, face the same problem: once the actual card number is replaced with a token, the linkage used for returns, for chargebacks, and for recurring payments is affected.

There are many loyalty programs that make use of the card number to allow a cardholder to redeem points at the point of sale (e.g. fifth sandwich free, or roll-back at the pump). If the customer is presenting a token instead of the actual card number, the loyalty program may need to be remediated to accommodate the fifth sandwich purchased by the loyal customer. The problem is further complicated by the use of multiple devices – a person who owns an iPhone and an Apple Watch has the same credit card replaced by a different token on each device. But the loyalty program needs to know that it’s the same person, regardless of whether the customer is paying using a phone, a watch, or an actual card.

This disconnect between the token and tracking the cardholder for returns, loyalty, and sales is not insurmountable – the loyalty platform can request that the token be exchanged for a loyalty ID, the sales tracking system can use anonymized data, and returns can be tracked by “de-tokenizing”. The major token vault service providers currently offer merchants the last four digits of the PAN when the merchant presents the token used in a transaction. That, plus last name and sale date, is usually enough to research a chargeback or track return abusers. There are several other solutions being proposed, all of which maintain the security and integrity of the tokens while enabling merchants to conduct their business as usual. But they will take time and effort to implement.
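The following is an added example, not code from the original post or from any vault provider, that puts the two preceding ideas into one runnable model: a private token vault of the kind floated by merchant processors (non-routable alphanumeric tokens replacing the card on file) and the merchant-side workarounds just described (a loyalty ID that stays the same across a phone token and a watch token, and a last-four lookup for chargeback research). The `TokenVault` class, the `TKN-` token prefix, the HMAC-derived loyalty ID, and the test PAN are all assumptions made for the illustration.

```python
import hashlib
import hmac
import re
import secrets
import string
from dataclasses import dataclass

# Constructed sample: the well-known Visa test number, not a real cardholder's PAN.
TEST_PAN = "4111111111111111"

# A routable PAN is a run of 13-19 digits; tokens from this vault never match it.
PAN_RE = re.compile(r"\d{13,19}")


def looks_like_pan(value: str) -> bool:
    """True if a stored value is a routable card number rather than a token."""
    return PAN_RE.fullmatch(value) is not None


class TokenVault:
    """Hypothetical private token vault: the only component that ever holds a PAN.
    Merchant systems keep nothing but the opaque token it hands back."""

    ALPHABET = string.ascii_uppercase + string.digits

    def __init__(self, loyalty_key: bytes):
        # A production vault would keep this map in encrypted, HSM-protected storage.
        self._token_to_pan = {}
        self._loyalty_key = loyalty_key

    def tokenize(self, pan: str) -> str:
        """Issue a fresh alphanumeric token; each call (each device) gets its own."""
        while True:
            token = "TKN-" + "".join(secrets.choice(self.ALPHABET) for _ in range(20))
            if token not in self._token_to_pan:  # collision guard
                break
        self._token_to_pan[token] = pan
        return token

    def last_four(self, token: str) -> str:
        """Limited de-tokenization: enough to research a chargeback or a return."""
        return self._token_to_pan[token][-4:]

    def loyalty_id(self, token: str) -> str:
        """Stable per-cardholder ID: every token issued for the same PAN maps to the
        same ID, and the keyed HMAC cannot be reversed to the PAN by the loyalty platform."""
        pan = self._token_to_pan[token]
        return hmac.new(self._loyalty_key, pan.encode(), hashlib.sha256).hexdigest()[:16]


@dataclass
class CardOnFile:
    """What the merchant database holds after tokenization (constructed layout)."""
    token: str
    last_name: str
    sale_date: str


def store_card_on_file(vault: TokenVault, pan: str, last_name: str, sale_date: str) -> CardOnFile:
    """Merchant side: tokenize before storing, so the PAN never reaches the database."""
    return CardOnFile(token=vault.tokenize(pan), last_name=last_name, sale_date=sale_date)


def pans_exposed(records) -> int:
    """Count records that would be directly usable after a breach, i.e. hold a routable PAN."""
    return sum(1 for r in records if looks_like_pan(r.token))


def chargeback_lookup(vault: TokenVault, record: CardOnFile) -> dict:
    """What the merchant gets back for a dispute: last four, last name and sale date."""
    return {
        "last_four": vault.last_four(record.token),
        "last_name": record.last_name,
        "sale_date": record.sale_date,
    }


if __name__ == "__main__":
    vault = TokenVault(b"constructed-loyalty-key")
    phone_token = vault.tokenize(TEST_PAN)   # same card provisioned to a phone...
    watch_token = vault.tokenize(TEST_PAN)   # ...and to a watch: two different tokens
    print("tokens differ:", phone_token != watch_token)
    print("same loyalty ID:", vault.loyalty_id(phone_token) == vault.loyalty_id(watch_token))
    record = store_card_on_file(vault, TEST_PAN, "Doe", "2016-02-18")
    print("PANs exposed by breaching merchant store:", pans_exposed([record]))
    print("chargeback research data:", chargeback_lookup(vault, record))
```

The design point is the split: the vault owns the PAN and answers only narrow questions (last four, a keyed loyalty ID), while the merchant record holds a token that fails the `looks_like_pan` check, so a dump of the merchant's card-on-file table gives an attacker nothing routable.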

Lou Grilli


Lou is the AVP of Product Development & Thought Leadership at Trellance and is responsible for providing leadership to the organization on emerging payments and industry trends, as well as managing the product portfolio.
