Tech Talk


More Card Conversation

By Elizabeth Judd

When Target Stores Inc. and other major retailers announced data breaches involving massive numbers of credit and debit cards used at their stores late last year, card security instantly became a high-profile issue for consumers, banks and merchants alike. Those retail breaches also revived industry talk about one security technology for foiling hackers and fraudsters tapping data on payment cards—tokenization.

Tokenization technology was designed to protect online payments in which a physical credit card is not present at a sale. It might reside within an online wallet on a mobile device, where a user clicks on an image of a “card” to begin a transaction. Instead of using a traditional account number, a consumer uses software to generate a unique payment token—or digital account number—that changes with each transaction. Because a payment token can only be used for its designated purpose, the token is generally worthless to cyberthieves.

To understand why tokenization is a leap forward in terms of security, it’s important to remember how today’s payment cards function. David Fortney, senior vice president at The Clearing House Payments Co. in New York City, points out how credit card holders are “reusing the same secret information over and over, everything from the account number to the expiration date” to make purchases, whether online or at the retail point of sale.

“The simple idea behind tokenization is instead of using the same information, there’s a substitute—a dynamic token—that as soon as it’s used is no longer valid for a subsequent purchase,” Fortney says. “In other words, you take the value out of trying to steal payment information and reuse it.”

Tokenization and EMV

Payment tokens offer some additional benefits beyond security. Tokenization can include enhanced data files so that there’s more detailed information about transactions, including the circumstances under which a transaction was initiated.

Tokenization complements EMV technology (named for Europay, MasterCard and Visa), which usually takes the form of a chip embedded within a physical card. Fortney explains that the EMV chip has been in use in Europe and elsewhere in the world for the past 20 years. EMV provides an attractive alternative to a magnetic stripe because EMV chips contain a cryptogram that transmits dynamic information that changes with each and every use. (See the July 2014 Payments Exchange column in ICBA Independent Banker.)

Fortney points out that because EMV debuted before widespread use of the Internet, the chip was designed exclusively for transactions that require a physical card. For EMV to quell fraud, it’s important that tokenization gains ground alongside it. If, for instance, the United States embraced EMV chips within cards, then fraud might shift to the online and mobile realms—an unintended consequence that’s occurred in the past.

Although experiments in tokenization have been underway for the past several years, what’s new, says Fortney, is the push for a broadly used industry standard that would “work end-to-end, all of the way from the point of purchase at the mobile phone to the bank’s back end.” With a single standard, merchants could design common software and customers would then download a single application on their computers, smartphones and other mobile devices.

ICBA is working with the card networks and payments industry organizations, including the Clearing House Payments Co., to support a tokenization standard. EMVCo—an organization that distributes standards for EMV chips within credit and debit cards—is being tapped to distribute and make available tokenization standards as well.

In many ways, establishing a standard for card tokenization technology is easier than creating a standard for the EMV chip because the solution consists solely of software, Fortney says. For example, tokenization would not require merchants to purchase new terminals or devices at the point of sale.

Fortney acknowledges that banks have to be able to develop the capability to create, issue and manage various security tokens—all of which requires more effort than using a static number repeatedly. And yet while some banks will develop their own systems, known as “token vaults,” most will probably use token vaults created by third parties.
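To make the single-use token and the “token vault” described above concrete, here is a small sketch added for illustration; it is not code from The Clearing House, EMVCo or any card network. The class name, the hex token format, the five-minute lifetime and the reading of “designated purpose” as one merchant and one amount are all assumptions.

```python
import secrets
import time


class TokenVault:
    """Hypothetical vault: maps short-lived, single-use tokens to the real account number."""

    def __init__(self, ttl_seconds=300):
        self._entries = {}          # token -> binding; lives only inside the vault
        self._ttl = ttl_seconds

    def issue(self, account_number, merchant_id, amount_cents, now=None):
        """Create a random token bound to one merchant and one amount."""
        now = time.time() if now is None else now
        token = secrets.token_hex(8)  # random, so it reveals nothing about the account
        self._entries[token] = {
            "account_number": account_number,
            "merchant_id": merchant_id,
            "amount_cents": amount_cents,
            "expires": now + self._ttl,
        }
        return token

    def redeem(self, token, merchant_id, amount_cents, now=None):
        """Return (account_number, 'approved') or (None, reason)."""
        now = time.time() if now is None else now
        # pop() enforces single use: the token is removed on the first attempt,
        # even a failed one, so a captured token cannot be retried elsewhere.
        entry = self._entries.pop(token, None)
        if entry is None:
            return None, "unknown_or_used"
        if now > entry["expires"]:
            return None, "expired"
        if (entry["merchant_id"], entry["amount_cents"]) != (merchant_id, amount_cents):
            return None, "wrong_purpose"
        return entry["account_number"], "approved"


def demo():
    """Walk one token through a purchase and a replay, using a constructed test number."""
    vault = TokenVault()
    token = vault.issue("4111111111111111", "shop-1", 2599, now=1000)
    first = vault.redeem(token, "shop-1", 2599, now=1010)[1]
    replay = vault.redeem(token, "shop-1", 2599, now=1011)[1]
    return first, replay


if __name__ == "__main__":
    print(demo())
```

The merchant only ever handles the token; the account number stays inside the vault, which is why a token copied from a breached merchant system fails on replay.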

What the future holds

For banks, tokenization technology can look like a true blessing for card security. “Banks have been very supportive because first of all they feel a strong responsibility to make sure the payment system is safe and secure,” Fortney says. “And as these threats get more complicated, as we’ve seen in these advanced attacks that come in over the Internet, the banks feel they have to build better security ahead of the threats.

“We were already active working on this well before the Target breach. But recent data breaches have definitely rallied the industry to move more quickly.”

So far, tokenization has been tested only in pilot programs. That said, Fortney anticipates that the first commercial launch of card tokenization technology will take place very soon. “We’ll start seeing rollouts in the next 12 months,” he says, “and then we’ll see how long it takes for tokenization to get more prevalent.”

Elizabeth Judd is a writer in Maryland.