In an effort to secure online and mobile payment transactions and in advance of the October 2015 deadlines for migration to EMV chip and PIN, American Express has introduced the American Express Token Service based on EMVCo's Payment Tokenization Specification and Technical Framework.
The EMVCo framework, published in March, offers “a detailed technical specification for industry-aligned and interoperable Payment Tokenisation solutions that will benefit Acquirers, Merchants, Card Issuers, and Cardholders.”
The tokens will replace traditional card numbers and can be used for online transactions or payments made through a mobile app or in a store using a mobile device enabled with Near Field Communication (NFC). The tokens eliminate the need for merchants or digital wallet operators to store sensitive consumer account information. And, American Express noted in a press release, they “can be assigned for use with a specific merchant, transaction type or payment device to provide further protection against fraud.”
American Express Token Service will provide a token vault where tokens can be stored and mapped to card account numbers, enables the issuance of tokens, and offers lifecycle management services that will guide the creation, suspension or deletion of tokens. It also serves up a menu of fraud and risk management services for financial institutions that issue cards, including authorization and payment data validation.
The payment card company also revealed network specifications for Host Card Emulation (HCE) that offer card-issuing partners “additional security options and solutions for payments made with mobile NFC-enabled devices that support Android OS KitKat.” Those issuers will be able to use a secure cloud server to store customer card account information, which “can be transmitted from the cloud server to an NFC-enabled mobile device and then to a Point-of-Sale terminal in a fast, secure manner.”
“By introducing this service, American Express confirms that contemporary data-centric security approaches are necessary to stem the onslaught of system-wide attacks that traditional payment card data defenses cannot sustain on their own,” Mark Bower, vice president of product management at Voltage Security, said in comments emailed to SCMagazine.com.
Noting that tokenization “provides a granular defense to reduce the exposure of live credit and debit card data in vulnerable systems,” Bower said approaches like that from Amex, “innovative mobile wallet-based payments can enable new ways for consumers to pay with the benefit of reduced breach risk.”
Once a consumer's card and mobile wallet are registered for payment tokens, “the smartphone acts like a virtual credit card by emitting a Payment Token instead of physical card data to the card reader,” he said. “The merchant POS and IT never see live data during this type of transaction.”
Tokens can also be use to restrict the range of transactions, according to business rules, to prevent the tokens from being “stolen or abused,” Bower noted.
Although the U.S. is moving away from the less secure magnetic stripe to EMV cards and secure mobile payment, Bowers noted that “all three payment methods will be around a long time.”
That means that data security strategies must protect them all. Bowers suggested that “contemporary tokenization and point-to-point encryption provide a formidable combination to neutralize malicious attacks to payment streams across the spectrum of mobile, EMV, traditional brick and mortar, and e-commerce payment flows.”
The American Express announcement comes just a week after hackers stole email addresses from Apple Pay rival CurrentC and caused consumers and industry pros alike to cast a wary eye on mobile payment apps.