Exciting articles several times a month
26 October 2016
After several major data breaches, protecting consumer data has become a key concern for every business in the payments industry. To reduce the risk of fraud without hurting the customer experience, many payment processors use tokenization: the payment card number and other sensitive values are replaced with a randomly generated identifier, the token, while the real data is kept elsewhere. Let's have a closer look at this cost-effective and elegant security measure, which is quickly becoming mainstream in Fintech.
Tokenization vs. encryption
A common misconception is that tokenization and encryption are the same thing and can be used interchangeably. They are not: both are used to protect data against breaches and cyberattacks, but they take different approaches. Encryption transforms the original information with a cipher and a key, so that the ciphertext is unreadable to anyone who does not hold the key, but the original can always be recovered by anyone who does.
That is encryption's weak point in a payments environment: the ciphertext is only as safe as the key, and wherever the key is present (an application server, a database with transparent encryption, a backup) the card numbers can be recovered. A properly implemented modern cipher such as AES is not going to be brute-forced, whatever the popular picture of attackers with powerful computers and enough time suggests; the practical attacks are against key management, misconfiguration and the systems that legitimately decrypt. For the same reason, encrypted PANs stay in scope for PCI DSS wherever your organization holds the key, so encryption alone does little to shrink the environment you have to secure, assess and report on.
Tokenization is data substitution rather than transformation: the sensitive value is removed from the merchant system altogether and replaced by a randomly generated, unique value, the token, which is stored in its place. A random token has no mathematical relationship to the original data, so there is nothing to reverse; the only way back is to ask the tokenization system, which keeps the token-to-PAN mapping in a protected vault and detokenizes only for authorized callers. If tokens are stolen on their own, they are useless to fraudsters outside that vault. Two caveats apply: the guarantee depends entirely on how well the vault and its detokenization API are protected, and some products generate "tokens" with format-preserving encryption rather than a random draw, in which case the token is really ciphertext and is only as strong as its key.
Securing credit & debit card transactions online
Two kinds of tokens are typically used: single-use tokens, valid for one transaction, and durable (multi-use) tokens that stand in for a card number over time. Some digital payment experts argue that every purchase should get its own token and that binding one token to a card for the card's whole life weakens protection: a durable token that is not restricted to one merchant, channel or device can be replayed for as long as it lives.
In electronic payments, tokenization is used above all to meet the PCI DSS requirements that oblige everyone who stores, processes or transmits cardholder data to safeguard it. Here the token is a unique string that replaces the customer's primary account number (PAN); it often keeps the same length and format and may preserve the last four digits of the card number so that the card can still be recognised on receipts and in customer service screens. Depending on the use case and payment domain, one PAN may be linked to several different tokens.
Durable tokens are the usual substitute for live card data in web stores and payment apps that bill recurring or subscription payments, and in online stores that let frequent customers save their card for later purchases. In these cases the merchant sends the card number over an encrypted channel to a token service provider, which stores it in its vault, generates a unique identifier and returns that to the merchant; the merchant keeps only the token and references it for future charges. The scope reduction is greatest when the provider's hosted payment form captures the card number directly in the customer's browser, so that the PAN never touches the merchant's own servers at all.
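To make the difference between substitution and encryption concrete, here is a small token vault in Python. It is an added example written for this article, not the code of any provider mentioned here. The `TokenVault` class, its method names and the choice of a numeric token that keeps the last four digits and deliberately fails the Luhn check are assumptions made for illustration; the card number 4111 1111 1111 1111 is a well-known test number, not a real card.

```python
from __future__ import annotations

import re
import secrets


def luhn_valid(number: str) -> bool:
    """Return True if the digit string passes the Luhn check used for card numbers."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical token service: random tokens, PAN mapping kept only here."""

    DIGITS = "0123456789"

    def __init__(self) -> None:
        self._pan_by_token = {}    # token -> (pan, single_use)
        self._tokens_by_pan = {}   # pan -> set of live tokens

    def tokenize(self, pan: str, single_use: bool = False) -> str:
        pan = re.sub(r"\D", "", pan)
        if not 13 <= len(pan) <= 19 or not luhn_valid(pan):
            raise ValueError("input does not look like a card number")
        while True:
            # Keep the last four digits for display; everything else is drawn from a
            # CSPRNG, so the token has no mathematical relationship to the PAN.
            body = "".join(secrets.choice(self.DIGITS) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # Design choice (assumption): reject candidates that pass Luhn so a token
            # can never be mistaken for a real card number, and reject collisions.
            if not luhn_valid(token) and token not in self._pan_by_token:
                break
        self._pan_by_token[token] = (pan, single_use)
        self._tokens_by_pan.setdefault(pan, set()).add(token)
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault can map a token back; single-use tokens are consumed."""
        pan, single_use = self._pan_by_token[token]   # KeyError for unknown or spent tokens
        if single_use:
            del self._pan_by_token[token]
            self._tokens_by_pan[pan].discard(token)
        return pan

    def tokens_for(self, pan: str) -> set[str]:
        """All live tokens for one PAN (one card, several merchants or channels)."""
        return set(self._tokens_by_pan.get(re.sub(r"\D", "", pan), set()))


if __name__ == "__main__":
    vault = TokenVault()
    card = "4111 1111 1111 1111"                     # test number, not a real card
    on_file = vault.tokenize(card)                   # durable token the merchant stores
    one_shot = vault.tokenize(card, single_use=True)
    print("merchant stores:", on_file, "and", one_shot)
    print("vault restores:", vault.detokenize(on_file), vault.detokenize(one_shot))
    print("same PAN, unrelated tokens:", vault.tokens_for(card))
```

Two things the paragraph cannot show on its own: calling `tokenize` twice for the same card yields two unrelated tokens, and a stolen token (the only value the merchant database ever held) gives an attacker nothing without access to the vault's `detokenize` call. In a real deployment that call is the crown jewel and is protected with strong authentication, rate limits and an audit trail.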
All major payment card brands have already developed their own tokenization systems. The Visa Token Service provides various tools and payment solutions to help its partners build their own tokenized sites and apps. The MasterCard Digital Enablement Service enables users to make and receive electronic payments using card tokens. The American Express Token Service is a comprehensive security service designed to replace sensitive data with tokens.
In addition, tokenization is being adopted quickly by numerous third-party payment gateways that offer their own payment APIs; for example, it is offered by Stripe, Braintree and Bluepay. 3Delta Systems provides payment tools built on durable tokens that mask real card numbers, and MyGate Global offers a payment platform with its own tokenization technology.
Data tokenization for mobile apps
Tokenization is also a natural fit for payments from mobile applications, especially NFC mobile wallets such as Apple Pay, Android Pay and Samsung Pay. When you pay with an NFC-enabled device at a point of sale, the terminal never receives your card number: the transaction carries a device-specific token and a one-time cryptogram, which together protect your payment information and make the captured data an unappealing target for fraudsters.
For example, Apple Pay stores no card numbers on iPhones, iPads or other supported devices. When a card is added, Apple forwards the encrypted card data to the issuing bank, which, through the card network's token service, creates a unique Device Account Number (DAN) and returns it to the device, where it is stored in the Secure Element chip. When you pay with Apple Pay, the transaction is authorized using the DAN together with a one-time cryptogram generated for that specific transaction, so a DAN and cryptogram captured at one terminal cannot be replayed at another.
Visa wearables, such as NFC-enabled watches, bracelets and rings, use tokenization in the same way. Visa replaces the card number and other valuable details with a unique set of characters that the wearable uses for purchases on the go. During the authorization request the acquirer receives only the token and forwards it to Visa to validate the transaction; the token is mapped back to the real card number only inside the card network's token service.
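The device token plus one-time cryptogram flow described for Apple Pay and Visa wearables, as an added example that is not Apple's, Visa's or any network's code. It is a deliberate simplification: an HMAC-SHA256 over the token, a transaction counter, the amount and a terminal-supplied unpredictable number stands in for the EMV-style cryptogram, and the `TokenServiceProvider` and `Device` classes, their method names and the message layout are all assumptions made for illustration. The point it demonstrates is why a captured token and cryptogram are worthless to a fraudster: replaying the message or changing the amount is declined, and the PAN never leaves the token service.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets


def compute_cryptogram(key: bytes, dan: str, atc: int, amount: str, un: str) -> bytes:
    """Transaction cryptogram: a MAC over the device token and per-transaction data.
    Simplification (assumption): HMAC-SHA256 stands in for the real EMV cryptogram."""
    msg = f"{dan}|{atc}|{amount}|{un}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


class TokenServiceProvider:
    """Network-side token service (hypothetical): owns the DAN->PAN map and device keys."""

    def __init__(self) -> None:
        self._devices = {}   # dan -> {"pan": ..., "key": ..., "last_atc": ...}

    def provision(self, pan: str) -> tuple[str, bytes]:
        """Issue a device token and a per-device key; the PAN itself never goes to the device."""
        dan = "".join(secrets.choice("0123456789") for _ in range(16))
        key = secrets.token_bytes(32)
        self._devices[dan] = {"pan": pan, "key": key, "last_atc": 0}
        return dan, key

    def authorize(self, dan: str, atc: int, amount: str, un: str, cryptogram: bytes) -> tuple[str, str]:
        rec = self._devices.get(dan)
        if rec is None:
            return "declined", "unknown token"
        if atc <= rec["last_atc"]:
            return "declined", "stale counter: cryptogram already used"
        expected = compute_cryptogram(rec["key"], dan, atc, amount, un)
        if not hmac.compare_digest(expected, cryptogram):
            return "declined", "cryptogram does not match transaction data"
        rec["last_atc"] = atc
        # Detokenization happens only here; the merchant and acquirer saw just the token.
        return "approved", "pan ending " + rec["pan"][-4:]


class Device:
    """Phone or wearable: holds the DAN and key (in practice inside the secure element)."""

    def __init__(self, dan: str, key: bytes) -> None:
        self.dan, self._key, self.atc = dan, key, 0

    def pay(self, amount: str, un: str) -> dict:
        self.atc += 1   # monotonically increasing application transaction counter
        return {"dan": self.dan, "atc": self.atc, "amount": amount, "un": un,
                "cryptogram": compute_cryptogram(self._key, self.dan, self.atc, amount, un)}


def demo() -> list[tuple[str, str]]:
    """Constructed scenario: one genuine tap, a replay, a tampered amount, a fresh tap."""
    tsp = TokenServiceProvider()
    dan, key = tsp.provision("4111111111111111")          # test number, not a real card
    phone = Device(dan, key)
    results = []
    tap = phone.pay("12.50", un=secrets.token_hex(4))      # terminal supplies the unpredictable number
    results.append(tsp.authorize(**tap))                    # approved
    results.append(tsp.authorize(**tap))                    # same message replayed: declined
    tampered = dict(phone.pay("12.50", un=secrets.token_hex(4)), amount="1250.00")
    results.append(tsp.authorize(**tampered))               # amount altered in transit: declined
    results.append(tsp.authorize(**phone.pay("8.00", un=secrets.token_hex(4))))  # fresh tap: approved
    return results


if __name__ == "__main__":
    for outcome, reason in demo():
        print(outcome, "-", reason)
```

The counter check is what turns a durable device token into something that behaves like a one-time credential for each tap, and the MAC binding to the amount and unpredictable number is what stops a captured message being reused for a different purchase. Both checks live at the token service, which is why the article notes that the token can only be resolved inside the card network.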
In the payment processing sector, some of the biggest headlines of recent years have come from data breaches at companies such as Target and Home Depot. To attract and retain users, any payment processor needs to demonstrate a high level of data protection. Tokenization removes stored card numbers from merchant systems and shrinks both the PCI DSS scope and the amount of usable data an attacker can harvest from a breach. There is still no single tokenization standard that every processor follows, even though EMVCo publishes a payment tokenization specification for network tokens, so the technology has plenty of room for further development and improvement.