In the payments security industry, tokenization initiatives have started to emerge, which would have important ramifications for retailers if they were to take off.
In the wake of the Target breach, payment card fraud, particularly card not present (CNP) fraud, is of increasing concern to regulators, the card schemes and merchants themselves. Tokenization protects merchants in the event of a data breach by devaluing the data they need to hold. It lessens or nullifies the impact of malicious hacks or data leakage, making it an attractive security solution for merchants, the card schemes and regulators alike.
Tokenization in the context of payments security works by replacing the Primary Account Number (the PAN) with non-sensitive data of the same size and format, typically known as a token or alternative PAN. Depending on the use case, the merchant either requests a token for the PAN from a tokenization provider (who may be a card scheme, bank acquirer or another trusted third party) or receives a token rather than a PAN in the original payment transaction. The consequence is that the merchant never has to store real PAN data and, importantly, does not need to change the way payments are accepted or authorized.
A stolen token is of no use to criminals unless they can also compromise the tokenization server, or the keys or vault it relies on, to map the token back to the real PAN. This is a significant benefit for retailers, for whom PCI DSS compliance is a major headache: tokenization helps reduce their PCI DSS scope and greatly lightens their security burden. Significant industry standards bodies, including the PCI Security Standards Council and EMVCo, are developing guidelines and security frameworks covering multiple use cases for tokenization, which should prove a significant benefit to merchants in the long term.
Tokenization technology can protect merchants in three core situations where they are vulnerable to fraud: card present, card not present (CNP) and mobile channels.
First, tokenization is able to protect card present transactions, where a user pays for an item or service with a card at a merchant's physical point-of-sale (POS) terminal. In this scenario, the focus is to ensure that the PAN stored by the merchant (primarily to handle chargebacks) is tokenized. In most cases the tokenization process will be carried out on behalf of the merchant by their processor or acquirer.
Massive data breaches of the type we have seen recently at major merchants would no longer yield data useful to attackers. Stolen tokens could not be used to create counterfeit cards or to conduct online payment transactions, because each of those requires the real PAN, not its tokenized value.
The second area where tokenization can assist merchants is in accepting card not present (CNP) transactions, mainly where they deploy card-on-file solutions. If real PANs are stored as part of the customer records, even encrypted, they remain at risk in the event of theft, especially where insider fraud is involved and the keys may be exposed along with the data.
Replacing stored PANs with tokens reduces the scope of PCI DSS compliance for the merchant. This type of solution is likely to become commonplace once the final EMVCo specifications are available and a formal certification process for tokenization is established. It works using the concept of token providers (typically the acquirer, processor or card scheme) and token requesters (the merchant).
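To make the provider/requester split concrete, for both the tokenization flow described earlier and the card-on-file case here, the following is an added Python example, not code from the article or from Thales e-Security: a toy token provider that holds the only token-to-PAN mapping (the vault) and a merchant that stores nothing but tokens. The token format chosen (same length as the PAN, last four digits kept, deliberately failing the Luhn check so it can never pass as a card number), the binding of each token to the requester that asked for it, and the in-memory issuer stub are assumptions made for illustration, not any scheme's specification.

```python
"""Illustrative token provider / token requester model (added example, not from the article).
Assumptions: the token format, the per-requester binding of tokens and the in-memory
issuer stub are choices made here for the demonstration."""
import secrets
from typing import Dict, Tuple


def luhn_valid(number: str) -> bool:
    """Luhn check that real PANs satisfy. Tokens below are generated so they do NOT."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:                       # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


class TokenProvider:
    """Acquirer/processor/scheme side. Holds the only token -> PAN mapping (the vault)."""

    def __init__(self, issuer_accounts: Dict[str, int]) -> None:
        self._vault: Dict[str, Tuple[str, str]] = {}   # token -> (PAN, requester_id)
        self._issued: Dict[Tuple[str, str], str] = {}  # (requester_id, PAN) -> token
        self._issuer = issuer_accounts                 # stub issuer: PAN -> balance in cents

    def tokenize(self, requester_id: str, pan: str) -> str:
        """Return a token for pan, bound to this requester; same length, last four kept."""
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a well-formed PAN")
        key = (requester_id, pan)
        if key in self._issued:
            return self._issued[key]
        while True:
            token = self._new_token(pan)
            if token not in self._vault:       # avoid handing out a token already in use
                break
        self._vault[token] = (pan, requester_id)
        self._issued[key] = token
        return token

    @staticmethod
    def _new_token(pan: str) -> str:
        tail = pan[-4:]
        while True:
            head = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            candidate = head + tail
            if not luhn_valid(candidate):      # a token must never look like a real PAN
                return candidate

    def authorize(self, requester_id: str, token: str, amount_cents: int) -> bool:
        """Detokenize inside the provider and ask the issuer; the PAN never leaves here."""
        entry = self._vault.get(token)
        if entry is None or entry[1] != requester_id:
            return False                       # unknown token, or presented by another requester
        pan = entry[0]
        if self._issuer.get(pan, 0) < amount_cents:
            return False
        self._issuer[pan] -= amount_cents
        return True


class Merchant:
    """Token requester with a card-on-file store. It never retains the PAN."""

    def __init__(self, merchant_id: str, provider: TokenProvider) -> None:
        self.id = merchant_id
        self.provider = provider
        self.card_on_file: Dict[str, str] = {}   # customer -> token

    def save_card(self, customer: str, pan: str) -> str:
        token = self.provider.tokenize(self.id, pan)
        self.card_on_file[customer] = token      # only the token is stored
        return token

    def charge(self, customer: str, amount_cents: int) -> bool:
        return self.provider.authorize(self.id, self.card_on_file[customer], amount_cents)


def demo() -> dict:
    """Tokenize, charge, then look at what a breach of the merchant's database would yield."""
    pan = "4111111111111111"                     # constructed test PAN (Luhn-valid)
    provider = TokenProvider(issuer_accounts={pan: 10_000})
    shop = Merchant("merchant-4711", provider)
    token = shop.save_card("alice", pan)
    stolen_db = dict(shop.card_on_file)          # everything a breach of the merchant exposes
    rival = Merchant("merchant-9999", provider)
    rival.card_on_file["alice"] = token          # attacker replays the stolen token elsewhere
    return {
        "token_len_matches": len(token) == len(pan),
        "last_four_kept": token[-4:] == pan[-4:],
        "token_is_not_a_pan": not luhn_valid(token),
        "pan_in_stolen_db": pan in stolen_db.values(),
        "merchant_charge_ok": shop.charge("alice", 2_500),
        "replay_by_other_merchant_ok": rival.charge("alice", 2_500),
        "same_pan_same_token": shop.save_card("alice", pan) == token,
    }


if __name__ == "__main__":
    print(demo())
```

Running demo() shows the properties the text relies on: the merchant's stolen store holds tokens but no PAN, the token cannot pass as a card number at a POS or a checkout form, and a token replayed by a different requester is refused. The only place the PAN is ever recovered is inside the provider's authorize(), which is exactly the component the merchant no longer has to protect.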
The new standard will allow interoperability in authenticating payment tokens from different vendors, card schemes and payment processors, and create a standardized and secure environment across all payment channels, including CNP solutions, mobile wallet solutions, HCE solutions, card-on-file merchants and ordinary physical card transactions.
Tokenization can also protect mobile contactless payments using host card emulation (HCE) at the physical POS. With HCE solutions the mobile phone can store and use a tokenized PAN rather than the real PAN (which remains in the issuer's cloud or data center). Combined with limited-use or single-use keys stored inside the phone, this isolates the mobile channel from the other payment channels and means that data stolen from the phone cannot be used to perform fraudulent transactions at the POS or in e-commerce.
With tokenization potentially playing a central role in protecting many major types of card payments, both physical and virtual, it is little wonder that the card schemes and other major stakeholders are sensing revenue opportunities. MasterCard is set to launch its MasterCard Digital Enablement Service later this year, a tokenization-as-a-service offering for issuers to tokenize card payments on their behalf. Visa's payWave and Visa Checkout service, which replaces V.me in the US but not in Europe, both utilize tokenization.
It is not yet clear who will be the major winners. However, what is expected is that adoption of this "parent model" for tokenization will dramatically reduce the impact of a data breach for smaller retailers, with sensitive data under the protection of much larger players.
Despite these advancements, merchants cannot take their foot off the gas, as they will still hold other personal data. In a world of targeted attacks, will it be enough to focus protection schemes primarily on credit card and password credentials? In the era of big data analytics, even innocuous personal data might enable attackers to connect the dots and build up a detailed view of each user, enabling them to stage convincing identity theft based attacks.
Ian Hermon is a payments security specialist at Thales e-Security in Long Crendon, U.K.