Token Efforts on Security Are More than Gestures

By Bill Grabarek, Senior Editor 

Coming tokenization specifications will help fight fraud in online and mobile payments.

As consumers and merchants embrace card-not-present (CNP) transactions, such as online and mobile payments, the industry is looking for ways to further secure these channels. During the last holiday season alone, the National Retail Federation reported non-store transactions, an indicator of online sales, grew 9.3 percent to $95.7 billion, compared with the previous year. That upward trajectory is not lost on fraudsters, who continue to develop more sophisticated means of filching financial information used in CNP transactions.

To combat the digital dangers posed to consumers, merchants and the payments industry, several industry entities, including major payments networks and financial institutions, are developing payment tokenization standards. Specifically, EMVCo and The Clearing House (TCH) have announced separate plans for creating tokenization standards to tighten security around CNP transactions and mitigate the scope of damage if a breach occurs. EMVCo is a global technical body collectively owned by MasterCard, Visa Inc., American Express, Discover, JCB and UnionPay. TCH is a banking association and payments company whose member banks include Bank of America, U.S. Bank, Comerica and Citi. For the merchants’ part, several groups—including the NRF, the Merchant Advisory Group and the National Restaurant Association—recently have proposed creating an open, technology-neutral tokenization system based on industry-wide standards as established by the International Standards Organization or the American Standards Institute.

“As more consumers make purchases online with mobile phones, tablets and PCs, it’s important to establish the foundation for a global, interoperable payments environment now, in advance of digital payments and mobile payments truly taking off in the marketplace,” says Mike Matan, head of American Express global network business.

“In the near-term, we think online mobile payments are going to continue to grow and gain more traction,” he tells Paybefore. “Consumers today already can shop anywhere, anytime with their mobile phones. What comes next is making the online checkout experience on the mobile phone even easier and more secure, in addition to providing consumers with added value through the delivery of relevant, customized offers or new streamlined services.”

What Is Tokenization?

Tokenization is the process of temporarily replacing a traditional primary account number (PAN) with a unique payment token, a series of numbers the same length as the PAN, that is restricted in how it can be used either to a specific device, transaction type, channel or merchant. The process, which is invisible to the consumer, enables industry participants to store payment tokens that can be used only for their designated purpose instead of storing card account numbers that can be used for multiple purposes.

“Those PANs, which are the same numbers embossed on our cards, sit in servers of e-commerce merchants or in various digital wallets. They’re basically scattered around the Internet,” explains James Anderson, group head of platforms, MasterCard. “What we want to do is replace the copies of the true card number with something that is less sensitive but still routable across the networks,” he explains. “We see tokenization being relevant in all places other than where the [physical] card is going to be used, which includes all merchant card-on-file use cases and all device-based use cases, like NFC payments.”

The fundamental purpose of the new tokenization specification is to enable tokens to be used universally in the same way card account numbers are used, according to Mark Nelsen, Visa vice president of risk products and business intelligence.

“Card account numbers will be ‘tokenized’ along the payments value chain in ways that provide security to the cardholder, even though the cardholder may not know a token is being used instead of the card account number.”

Payment Versus Local Tokenization

All this talk of developing a tokenization specification doesn’t mean tokenization doesn’t currently exist. While standards for payment tokenization are in the works, local tokenization is being used today.

Payment tokens can be used in the same way card numbers are used to initiate transactions, such as an online purchase, to redeem offers, to initiate a bill payment or to make P2P payments. For example, an online retailer wants to store a consumer’s credit card so he can check out more efficiently by eliminating the need to enter payment information every time he shops on the site. But, the merchant doesn’t want the consumer’s actual credit card number on its server because of fraud risks and PCI data security compliance, says MasterCard’s Anderson.

Companies, such as payments processors or acquirers, today store payment data and provide a local token for the merchant to hold, so every time a specific consumer wants to make a purchase, the processor either passes back the real card number to the merchant to process the transaction or submits the card number directly.

“This approach is valuable because it improves security, but the primary card number is still someplace and remains at risk,” explains Anderson.

Christina Hulka, EMVCo Board of Managers chairperson, agrees local tokenization is helpful, but those programs “have been developed and implemented in a proprietary manner, which limits their scalability and global interoperability. This is why specifications are needed.”

Global Security

The PAN on a card is all-purpose, whether it’s being used at the POS to make a purchase at a brick-and-mortar retailer, to conduct transactions at an ATM, to make a purchase on a merchant’s Website or to facilitate purchases using a mobile device. Given that the PAN can be used at myriad places, if that series of digits is compromised, fraudsters have numerous ways to steal funds.

On the face of it, tokenization appears to be the process of replacing a consumer’s PAN with a temporary series of numbers to execute a CNP transaction, which limits the exposure of the real number. But, the security tokenization provides goes deeper. If a token is compromised, domain controls placed on that token can significantly reduce the damage a fraudster can do, according to Anderson. Because a token is tied to a specific token requestor, any transactions submitted from an entity other than that token requestor can be rejected. Domain controls also could block transactions at ATMs for tokens issued to support card-on-file use cases.

“I think we are just scratching the surface as to how domain controls can be implemented,” Anderson continues. “The hard work is getting the infrastructure upgraded to support the use of payment tokens. Once that’s done, people can start getting very creative about how tokens are used.”

If the token were issued to a specific e-commerce merchant, for example, controls could be put into place preventing that token from being used at other merchant Websites or programmed onto a bogus plastic card to extract cash from ATMs.

“Because use of a given token is limited to a specific domain, such as a particular merchant, payment channel, digital wallet or device, the token’s value to a fraudster is greatly reduced because it is not usable elsewhere,” Visa’s Nelsen tells Paybefore.

“Additionally, the token can be unlinked from the original card number if that token is either no longer needed—for instance, if the consumer decides to cancel his account at a merchant or if he loses the mobile phone or other device in which the token is stored,” he says.

With all of the safety features being built into the tokenization specification, EMVCo’s Hulka stresses that “tokenization is not expected to unilaterally eradicate fraud but offers a tool that can be deployed as part of a layered security approach by merchants and acquirers to minimize and contain CNP attacks. By increasing the defensive measures against malicious, unauthorized use of card numbers, the payments industry is continuing to accelerate its vigilance against fraudsters,” she says.

Industry Impact

As with any change, the move to tokenize CNP payments will affect companies and processes. One goal of the tokenization specification is to develop and implement it with as little disruption as possible. What helps is that many understand the need for the specification.

Little disruption for stakeholders also helps the tokenization efforts make a big impact more quickly, he adds. And, by developing a token that is routable through the existing payment networks, the standard uses everything that’s been built over the last 40-plus years, and takes “a couple of very basic [modifications] to make the process work.” That said, there will be “modest” impacts to a few players.“We [at MasterCard] talk to people in the industry all the time and there is recognition that things can happen that can materially impact all of our businesses, and that we need to be continually moving ahead of the bad guys with techniques that make our payments system stronger,” he says. “People are keen to understand how tokenization can help. Once they understand it, they generally see the benefits and what it can do to make the whole system safer.”

“There will be some changes for any entity that stores card numbers on a server site because instead of just storing the card number in a database, they’re going to have to [request a token from the token vault] and then store the token. It’s not a big change; it’s a moderate change,” Anderson says. The token vault is the entity responsible for issuing tokens. Payment networks likely will set up token vaults and perform that service for their issuers. Some issuers might prefer to set up their own token vaults.

“No changes are required for terminal manufacturers,” he notes. “On the issuer side, a few small changes are required to support token life cycle management, tasks like managing expiration dates on the tokens or deleting tokens if someone closes his account. You have to make sure you don’t keep approving transactions.”

Setting the Standard

Last October, Visa, MasterCard and American Express first proposed a framework for a tokenization specification because they “thought it was important to have a starting point and work together to get the ball rolling,” says Anderson.

Since then, that ball has been passed to EMVCo.

“We realized that to get [the tokenization specification] implemented, we needed the full force of the payments industry,” he adds. “Therefore, [the networks] agreed it made sense to hand it off to EMVCo.”

In mid-January, EMVCo, originally formed to manage and further develop EMV specifications, announced it was expanding its scope to include development of a tokenization specification. “EMVCo’s continued work to define specifications for the payment industry will establish a reliable, interoperable and secure framework to enable digital commerce to achieve its full potential,” Dave Meadon, EMVCo executive committee chairperson, said when the plan was announced.

American Express’ Matan says the tokenization specification must maintain compatibility with the existing payment infrastructure, and it must be complementary to existing specifications to ensure consistency across all payments environments.

“This will enable a more integrated and flexible payments infrastructure that can evolve to anticipate future marketplace needs,” he adds. “EMVCo has the strategic breadth, industry knowledge and technical depth to develop a holistic specification to support digital payments.”

Hulka tells Paybefore that the tokenization specification EMVCo is developing will complement EMV chip specifications. (See sidebar.) The U.S. payment card networks’ preparation for migration to EMV from magnetic stripe cards began with announcements in 2011 and 2012, with fraud liability shifts taking effect in October 2015. EMVCo, however, isn’t the only organization working on tokenization.

Last summer, banking association TCH announced it was working on a standard that also would replace consumers’ actual card numbers with a temporary number or, as it calls them, a dynamic credential. The system TCH is developing would protect consumers’ account information behind bank firewalls, thus lowering the potential for fraud without affecting consumers’ shopping experience.

Tokenization has been done on a smaller scale for a long time, but there had been no impetus to come to a standard, according to Richard Char, then head of digital networks and merchant relations, Citi Enterprise Payments, who spoke about TCH’s standard during the ATM, Debit & Prepaid Forum last October. Citi is one of TCH’s 22 member banks.

Though no formal announcement of cooperation has been made, both organizations appear amenable to working with others on one standard. Char said that the banks’ efforts through TCH aren’t intended to be exclusive to any sector of the industry and that it would be best for all stakeholders if they could agree on one standard.

“Addressing the security of payments effectively and completely will take collaboration of all participants in the payments ecosystem,” says Dave Fortney, senior vice president of product development and management at TCH. “We are actively working with card issuers, merchant groups and other participants to create open standards and a comprehensive solution to ensure security across all payment types.”

Likewise, EMVCo intends to engage other industry partners to advance its payment tokenization specifications to ensure cross-industry interoperability, says Hulka.

“As is our current practice, EMVCo will be seeking input from its [associate members], at both a technical and business level, to ensure global requirements are addressed,” she says. “EMVCo welcomes new participants who are interested in contributing to the tokenization effort to join its Associates Program.”

EMVCo already has published its Payment Tokenization Specification –Technical Framework v 1.0 for industry input. It will take time, however, for the industry to adopt and implement tokenization solutions, according to the organization.

Anderson says the work on a specification is a priority: “We don’t see any benefit until it’s in practice, so the sooner the better.”