Tokenization of Payments to be Industry Standard in 2018

Tokenization of payments is an old guard that has bounced back into the digital ecosystem as consumer adoption of e-wallets, mobile and online payments have grown. The rise in cyber-attacks and digital fraud have compelled business owners and merchants to make consumer transactions friction free…

By Archana Khatri Das

The rise in digitisation of payments has opened endless possibilities for data breaches or cyber-attacks. Fortunately, consumers and businesses are relying on payment tokenization to protect confidential data from hackers.

Tokenization helps merchants to comply with the global Payment Card Industry Data Security Standard (PCI DASS) that obliges the payment processors to keep cardholders’ data secure. The technology of tokenization can be applied through most of the modern point-of-sale equipment, on e-wallets, payment apps and make shopping for customers convenient and secure. Tokens have become a preferred mode of safeguarding user data in contactless payment applications like magnetic technology as in Samsung Pay, NFC (near-field communication), Apple Pay, Android Pay, as well as sound-based payment systems which use Ultra Sonic (Frequency) Sound waves to communicate between two devices.

Tokenization significantly reduces the risks that come with debit and credit cards, cloud-based, and mobile payment transactions, by replacing the identifying information like the payment card number, Primary Account Number, and other confidential data with a randomized identifier or token, which limits the impact of a data breach.

As per a Sage research paper published in 2017 ‘Payments Landscape Report’, nearly 80% of consumers feared fraud during an online payment transaction, while cyber threats concerned 65% of businesses. The 2017 Norton Cyber Security Insights Report Global Results claims that cyber-criminals have upped their ante compared to the previous years, resulting in record attacks in 2017.

Tokenization appeared on the fintech scene in 2005. Due to its cost-effectiveness, convenience of use and rise in digital payment system and data breaches, it has now emerged as one of the mainstream trends in fintech where more and more merchants or business owners are fortifying point-to-point encryption (P2PE) to safeguard payment transactions and credit data.

Tokens appear to be random numbers; however, a tokenised number always has the same number of digits present in the card. As a rule, the tokenization provider preserves the last four digits of the token as given in the real card. Also, the tokenized numbers should not start with 3, 4, 5 and 6, which are traditional numbers used by major card brands. Tokenized numbers always fail a Mod 10 check which is the international standard for validating card account numbers.

Here’s how tokenization works: As the customer shares a card with the merchant, the card details are sent for authorization, therefore generating a token (a random string of numbers and letters) in the tokenization provider’s API, which is then passed on to the merchant, who processes payments with that token instead of the card data. Since the card data is not stored on the merchant’s server, the risks of data breach become negligible.

Two types of tokens are commonly seen at work: for one-time use, which are also transaction-specific tokens, and for multiple uses, which are also durable tokens that replace payment card numbers. Many prominent card companies like Visa, MasterCard, and American Express have their own token system. Some digital payment experts recommend the process of generating a new token with every new transaction to make the security foolproof.

tokenisation — Editor’s Pick: Breaking Digital Gridlock empowers credit unions and community banks to make the shift to digital—even without a seven-figure consulting budget. From leadership, to technology, to security, and more, this book provides effective, real-world strategies for taking the leap without tearing your organization apart.

Not just card providers, even third-party payment gateways Stripe, Braintree, Bluepay, Chase and others, and numerous NFC-enabled mobile wallets like Apple Pay, Android Pay, and Samsung Pay offer payment protection through tokenization. NFC is a payment technology and stands for Near Field Communication. It enables smartphone devices to function as a virtual wallet.

There are also NFC-enabled wearables like bracelets, rings, watches that also use tokenization to protect sensitive data. Tokenization is making rapid strides in the mobile payments, ticketing, at point-of-sale and other platforms. As business owners and merchants win the confidence of customers with the promise of secured transactions, fintech experts agree that tokenisation will be mainstream in 2018.

Some may confuse tokenization with encryption. While both the methods are applied as data obfuscation technologies, particularly electronic payment data and secure end-to-end process, they are not interchangeable. The McGraw-Hill’s Encyclopedia of Science & Technology defines the two as follows:

Encryption – In Cipher systems messages are transformed through the use of a set of unchanging rules or steps called a Cryptographic algorithm and a set of variable Cryptographic keys.

Tokenization – Code systems that rely on Codebooks to transform plaintext into code text.

Or in simple terms, encryption uses ‘key’ while tokenization uses ‘tokens’ to protect confidential data.

So, which is better, tokenization or encryption? Well, the combination of both tokenization and encryption offers the highest level of security to any confidential data. The token vaults can be fortified further with an encrypted code and offer a truly secure payment environment.