With all the innovation and momentum around consumer wallets and payments, payment security is a huge concern to banks, merchants, issuers, payment networks and any new wallet provider. Tokenization promises to keep payment data safe in transit and at rest.
As consumer adoption of disparate, diverse payment channels grows, more data is at risk along more points in the payments chain and the implications of a security breach intensify. Demonstrated by the number of high profile data breaches that have plagued the U.S. within the last couple years – adversely affecting reputable businesses from hotels to home improvement stores – payment data security is absolutely essential.
Up to this point, the
As a baseline definition, tokenization aims to lower the value of sensitive data stored on mobile devices or on merchant servers and transmitted over networks during payment. Tokenization is a security technology that consists of replacing a payment card’s static credentials (like the 16-digit PAN and expiration date on a plastic card) with virtually substituted credentials that limit the impact of a data breach or sporadic attacks. Applying the technology provides protection for issuers, merchants and cardholders alike.
There are, however, two different types of tokenization that can sometimes be conflated. The first is the
One of the major distinguishing factors between the two types of tokenization is that the former pertains to payment data “in transit” and the latter to payment data “at rest.” It’s imperative to note that securing both types of data is of utmost importance to financial institutions.
When card or mobile payment data is used to underwrite a transaction at a merchant’s POS, it needs to be protected against interception as it makes its way to the bank for instant verification and back to validate the purchase. Payment tokenization can secure that in-transit data.
Database tokenization can shore up the data at rest. To be sure, there are several benefits to storing that data – outcomes range from quick access to loyalty programs to predictive purchase behavior analytics – but if you’re going to be the guardian of that valuable information for so many consumers, it’s your responsibility to protect it by any means necessary. Visa and MasterCard do intend to eventually extend their tokenization methods to those stored card-on-file payment details as they sit on servers or in the cloud, but proprietary database tokenization is an important bridge in the meantime.
Aside from its utility for both data in transit and data at rest, there are a few main reasons why implementing tokenization just makes good sense for banks and other players in the payments ecosystem:
Whether payment card credentials are being provisioned onto an
Thanks to payment tokenization, emerging alternatives like
Before the introduction of payment tokenization, digitizing payment cards for increasingly popular mobile payment options often involved a review and approval process by the issuing bank, which could take anywhere from minutes to days. Banks and wallet providers have understandably been asking for a way to complete enrollment instantly and minimize registration abandonment. E-commerce, as a comparative example, can have an
Payment tokenization has made customer enrollment to mobile payment applications near-real-time, which means customers can sign up and be ready to go on banks’ services within seconds – a huge factor in convenience and adoption.
The road to deploying both types of tokenization technology is fast and straightforward for all involved parties. Payment tokenization has no impact on physical retail POS terminals or on the acquiring side of payments. There’s no need for merchants to invest in new hardware or software and, for issuers, implementing tokenization is light-touch, with little impact to their existing infrastructure. Database tokenization has a similarly benign impact on back-end infrastructure for any type of organization storing card-on-file data.
Banks generally don’t have an issue with
Frankly, there are few reasons banks and payment innovators shouldn’t apply tokenization at multiple points to improve security; it even
The dynamic payments landscape brews healthy competition and innovation, giving banks and issuers plenty of options that align with their business and security strategies. While payment and database tokenization have many unique benefits and solve many security challenges, we have to remember that securing payments doesn’t stop here. Security is always a moving target as fraud techniques evolve. Even after tokenization becomes ubiquitous, financial institutions and their ecosystem counterparts should continue challenging themselves and ask: Beyond tokenization, what’s the next technology that can make omnichannel payments that much more secure for consumers and providers alike?
Naomi Lurie is Gemalto's director of mobile payments.