Choosing the Right Tokenization Scheme: Complexity
As is well known and documented, a series of highly-publicized data breaches has the financial services industry betting on tokenization as a means of improving the security around payments. Though the use of tokenization is not new, using it to secure the sensitive information that exchanges hands in payments is. As with most things, tokenization has many sides to it. This post sorts through the different approaches to delivering tokens to the point of sale.
EMVCo payment tokens are used in the card-present channel to provide increased protection against counterfeit, account misuse and other forms of fraud. Media for facilitating the payment token exchange between consumer and merchant use a variety of technologies such as EMV cards for contact interactions, Near Field Communication (NFC), Quick Response (QR) codes, and Bluetooth Low Energy (BLE) for contactless interactions, such as those initiated using mobile devices. Much of this represents new technology that requires modifications or upgrades of existing technology. With release cycles introducing innovations at an increasing rate, these types of impacts are inevitable, but have been resisted until the last possible minute, especially if the attending cost for hardware, software and training is material.
When it comes to unlocking the benefits of tokenization for more merchants and consumers, navigating the complexity created by the labyrinth of various smartphones, point-of-sale (POS) terminals and implementation options is challenging. The most obvious is the EMV chip card, where the primary account number (PAN) encoded on the chip is replaced by a token that is then delivered by the consumer to the merchant’s POS terminals. By layering EMV chip and tokenization technologies, all parties involved in the transaction are further protected against card fraud.
The EMV chip provides cryptographic card authentication that deters counterfeiting of cards, while tokenization replaces card data with payment tokens that cannot be used outside a specific merchant or channel (token domain) and, therefore, hold limited value for a criminal. But, given the U.S.’s dependence on the magnetic stripe, there is a weakness in this approach as the chip card still needs to support a static magnetic stripe, effectively incorporating a poorly-secured back door into the card structure. This magnetic stripe is vulnerable to counterfeit and could be used in a card-not-present environment, such as an eCommerce website.
Currently, EMV cards aren’t in everyone’s hands, although this is rapidly changing. Aite Group estimated that by the end of 2015, approximately 70% of credit cards and 40% of debit cards in the U.S. supported EMV. These consumers armed with EMV cards will be able to easily find an in-store merchant to accept them. The Payments Security Task Force estimates that at least 47% of U.S. merchant terminals were enabled for EMV chip technology by the end of 2015. While this is good news, the use of tokenization within this environment needs to be given more thought. Most of the resources available to consider the topic were focused on meeting the deadlines around converting the large universe of cards in the U.S. to the EMV-standard until recently. Issuers and merchants will need more time to tokenize and use EMV cards in stores at the point of sale.
Meanwhile, other schemes have emerged that facilitate payment token exchange using mobile smartphone technologies based on NFC. The secure element (SE) scheme stores tokenized payment credentials in the SE of the device. Apple Pay and Samsung Pay use this approach. An alternative scheme is host card emulation (HCE), where the tokenized payment credentials are stored in a host environment and delivered to the mobile device on an as-needed basis. Google Wallet, Tim Hortons (Canada), Royal Bank of Canada (RBC) and BBVA (Spain) are examples of this type of HCE-based deployment, as is Android Pay.
These complex conditions continue to impact consumer use of these emerging models for mobile payments. To date, no single model has carried the day, which has an impact on an additional stakeholder within the payments ecosystem that must figure out how to overcome this mild level of chaos: the retailer. More on that conundrum in the next posting.