UL Researchers See Tokenization as Key to Security 'Triangle'

In its first year of heavy involvement in testing and certifying payment security technology, scientists at Underwriters Laboratories have determined that tokenization should be a significant piece of a strong security "triangle."

Tokenization, which replaces sensitive account information with a secure value called a token, has been around for years, but remains a strong tool when combined with EMV chip-card technology and the Payment Card Industry data security standards, said Maarten Bron, director of innovations for UL Transaction Security.

"PCI is the tunnel that protects the data on its voyage from the payment card to the issuer, and EMV technology makes sure that whatever the consumer is using at the point of sale is authentic," Bron said.

Tokenization completes the triangle by protecting card data in areas where PCI compliance and EMV technology remain weak, Bron said.

UL established itself as a player in 2014 by offering EMV technology certification as a way to help issuers and merchants with the migration to chip-based cards in the U.S. UL will make a "large announcement" soon regarding an expansion to this role, Bron said, though he would not share details at this time.

The company recently published an extensive report about the various fraud scenarios for cards and terminals during the transition to EMV in the U.S. EMV-chip cards improve security over magnetic-stripe cards by adding anti-counterfeiting measures.

When talking to companies about their EMV strategy, UL mostly advises adding tokenization to the equation.

"If a fraudster captures data that is a token, it will look like a payment credential, but it will not work for transactions," Bron said.

Fraudsters, knowing plenty of stolen data may actually just be tokens, have resorted to delivering a "guarantee" on some black market sites, Bron said.

"They are saying if you buy some stolen card data from them and it does not work for a transaction within an hour later, they will replace it with new data," Bron said. "They are trying to become commercial."

Apple has developed a strong tokenization strategy as part of its Apple Pay mobile wallet. It develops a token that is provisioned for the handset and is used for all transactions, Bron said.

In that way, merchants don't have to deal with multiple tokens and would have an easier time tracking a shopper's buying habits. The token itself is linked to a specific handset that requires biometric authentication through Apple's TouchID fingerprint reader.

Still, experts warn that fraudsters will be relentless in attempting to crack EMV and Apple Pay codes.

EMV cards will carry magnetic stripes to ensure their compatibility with older payment systems, but fraudsters will find the data on those stripes harder to exploit, Bron said. The cards will have coding that alerts the banks when EMV is supposed to be an option for that transaction, Bron said.

"The same would hold true if a fraudster took a stolen EMV card and tried to clone it into a mag-stripe card," Bron said.