After years of protecting card payments,
The Payment Account Tokenization software will help central banks and clearinghouses across the globe protect account-based transactions such as ACH and the real-time payments that flow over into direct credit or debit and P2P payments. Tokenization replaces sensitive information like card or account numbers with a random, non-sensitive series of characters or numbers.
Simple math tells security providers that fraudsters are going to have far more interest in ACH and faster payments that would cover payroll, invoices, monthly billing installments and high-ticket items like automobiles.
When EMV chip cards were launched in the U.S., the initial fear in the security and payment industries was that fraud would migrate to e-commerce. But the migration has actually moved further along into a far more lucrative playing field.
"There are far more interactions with account-to-account payments than in the card payment world, especially in terms of being significantly higher in value than all of the card payments put together," said David Worthington, vice president of strategic business development at Sunnyvale, Calif.-based Rambus.
The need for account protection is becoming critical, considering that more than 35 countries have real-time payments schemes in operation or under development, Worthington said.
Nacha and the Federal Reserve put
The concern all along was that faster payments equates to faster fraud and undermines a common fraud mitigation procedure at 83% of U.S. banks — that of the manual review of a suspicious transaction when a payment took a few days to clear.
In that type of atmosphere, The UK Cards Association has reported that online banking fraud losses increased 270% in the six years following the introduction of the country's RTP.
Rather than view it as a new fraud migration, it's probably more accurate at this stage of the digital payment era to consider it a fraud expansion, said Julie Conroy, research director and fraud expert with Boston-based Aite Group.
"We often see that new forms of payments are heavily targeted by fraudsters who will poke and prod to find the soft underbelly," Conroy said. "With RTP, not only do you have new payments, but you have real-time and non-repudiable payments as well, which represents great opportunity from a fraudster’s perspective."
The payments industry is seeing increases in traditional forms of fraud like card-not-present, account takeover and new-account fraud as well, Conroy said. "I think we’re just seeing fraudsters maximize the opportunity available to them," she added.
Rambus customers who are token service providers in the card payments space can confirm that. Some were also involved in account-to-account payments such as government pensions, taxes or personal transactions — and were seeing more fraud occur in those areas.
"With all of the account numbers and personal information and credit scores available to fraudsters, it was making it possible for very easy fraud," Worthington said. "A person with a fake ID and fake credit score could go buy an expensive truck, and the first time the bank would know was when the real person got their first installment payment bill from Ford finance."
To combat that, Rambus has taken its core technology from tokenizing card payments and using it in different infrastructure, creating tokens for 27-digit BANs and managing its life cycle to operate as protection for monthly bill payments and other special uses.
It would also provide cryptogram protection for any account-to-account transaction calling for digital signatures, as well as providing different tokens for different purposes. A Payment Card Industry-compliant token vault in the system operates as the secured database to establish and maintain payment tokens and is the only area in which the token can be mapped back to original card or account details.
"In card payments, the card number is being tokenized as a one-way function in pushing transactions to a merchant," Worthington said. "With Payment Account Tokenization, we can tokenize both ends of the account to protect both sides."
In that way, different billers get different tokens, providing protection from being hacked through a business email compromise in which a fraudster with a stolen email account masquerading as a CEO can't call for a payment to be sent out without the system flagging a problem with the token, Worthington added.
Rambus will target central banks and clearinghouses as clients for the Payment Account Tokenization software, or a regulated bank association that handles transactions on behalf of banks. Ultimately, these top-level transaction settlement institutions are the ones in need of an upgraded tokenization service, one that has application programming interfaces to add a token gateway for mobile and other services as well.
"I don't see any central bank turning around and saying that a tech provider can go ahead and run its transactions through the cloud," Worthington said. "They won't say, 'It has the payment volume from my entire country running through it, but I'm not going to worry about that.' "
