It all started with software vendors changing their model from on-site, installed software to Software-as-a-Service. These days, everyone seems to have an “as-a-Service” delivery model. In the payments security industry, Tokenization-as-a-Service is an emerging model. If data breaches occur, tokenization protects merchants by devaluing the data they need to hold. This mitigates or cancels out data leakage or the work of hackers, which appeals to card issuers, merchants and regulators as well.
By replacing the primary account number (the PAN) with non-sensitive data (of the same size and format), typically known as a token or alternative PAN, tokenization functions as a payments security solution. The merchant either requests a token for the PAN from a tokenization provider (who may be a card issuer, bank acquirer or another trusted third party) or receives a token rather than a PAN in the original payment transaction. The merchant never has to store real PAN data and, importantly, does not need to change the way payments are accepted or authorized.
Malicious actors need specific decryption keys in order to breach the tokenization server. This is a significant benefit for retailers, for whom PCI DSS compliance is a major headache; tokenization helps to take them out of scope for compliance and greatly reduces their security burden. Significant industry standards bodies including the PCI Security Council and EMVCo are developing guidelines and security frameworks covering multiple use cases for tokenization which should prove a significant benefit to merchants in the long term.
Tokenization to defeat three fraud vulnerabilities
There are three primary fraud vulnerabilities that tokenization technology can protect merchants from: card present, card not present (CNP) and mobile channels. First, tokenization is able to protect card present transactions where a user pays for an item or service with a card at a merchant's physical point-of-sale (POS) terminal. In this scenario, the focus is to ensure that the PAN stored by the merchant (primarily to handle chargebacks) is tokenized. In most cases, the tokenization process with be carried out on behalf of the merchant by their processor or acquirer. Massive data breaches of the type we have seen recently at major merchants would no longer yield data useful to attackers – it could not be used to create counterfeit cards or conduct online payment transactions due to the real PAN being required in each case, not its tokenized value.
When merchants accept card not present (CNP) transactions, mainly where they deploy “card on file” solutions, tokenization can assist here as well. If the real PANs are stored as part of the customer records, even if encrypted, there is still a vulnerability in the case of theft, especially where insider fraud is involved. Replacing PANs with tokens automatically reduces the scope of PCI DSS compliance for the merchant. This type of solution is likely to become commonplace in the future when the final EMVCo specifications are available and a formal certification process for tokenization is established. It works using a concept of token providers (the acquirer, processor or card scheme typically) and token requesters (the merchant). The new standard will allow for interoperability for authenticating payments tokens from different vendors, card schemes and payments processors, and create a standardised and secure environment across all payments channels including CNP solutions, mobile wallet solutions, HCE solutions, card on file merchants and general physical card transactions.
When mobile contactless payments use host card emulation (HCE) at the physical POS, tokenization provides protection here as well. With HCE solutions, the mobile phone can store and make use of a tokenized PAN rather than a real PAN (which will be stored in the issuer's cloud or data center). In conjunction with the use of limited or single-use keys stored inside the phone, this has the benefit of isolating the mobile channel from the other payment channels and means that if data is stolen from the phone, it cannot be used to perform fraudulent transactions at POS or in e-commerce situations.
Data security – and new revenues
It is little wonder that the card schemes and other major stakeholders are sensing revenue opportunities, with tokenization potentially playing a central role in protecting many major types of payments that rely on cards, both physical and virtual. MasterCard is set to launch its MasterCard Digital Enablement System later this year, a Tokenization-as-a-Service offering for issuers to tokenize card payments on their behalf. Visa's Paywave and Visa Checkout service – which replaces V.me in the U.S. but not in Europe – both use tokenization.Whoever the leaders in this new field turn out to be, it is expected is that the adoption of this “parent model” for tokenization will dramatically reduce the impact of a data breach for smaller retailers, with sensitive data under the protection of much larger players.