Apple Pay has breathed new life into tokenization and the use of tokenization has seen a revival due to new technology approaches that remove associated operational risks and complexities and enable increased scale and high performance transaction processing, especially in financial services and banking.
PCM investigates how this technology made a comeback and is taking its place in the
driving seat of mobile payment.
The concept of tokenization, as adopted by the industry today, has existed since the first currency systems emerged centuries ago as a means to reduce risk in handling high value financial instruments by replacing them with surrogate equivalents.
In the physical world, coin tokens have a long history of use replacing the financial instrument of minted coins and bank notes. In more recent history, subway tokens and casino chips found adoption in their respective ecosystems to replace physical currency and cash handling risks such as theft.
Similar substitution techniques have been used in the digital world since the 1970s as a means to isolate real data elements from exposure to other data ecosystems. In databases for example, surrogate key values have been used since 1976 to isolate data associated with the internal mechanisms of databases and their external equivalents for a variety of uses in data processing.
Protecting cardholder data
Historically, tokenization was applied to payment card data by Shift4 Corporation and released to the public during an industry Security Summit in Las Vegas, Nevada as far back as 2005. The technology is meant to prevent the theft of the credit card information in storage and is one means of protecting sensitive cardholder data in order to comply with industry standards and government regulations.
To protect data over its full lifecycle, tokenization is often combined with point-to-point encryption to secure data in transit to the tokenization system or service, with a token replacing the original data on return. Encryption takes place within the confines of a security hardened and validated card reading device and data remains encrypted until received by the processing host. The PCI Council has also specified point-to-point encryption (P2PE) for different service implementations in various PCI Council Point-to-point Encryption documents.
System operations, limitations and evolution
First generation tokenization systems use a database to map from live data to surrogate substitute tokens and back. This requires the storage, management, and continuous backup for every new transaction added to the token database to avoid data loss. Another problem is ensuring consistency across data centres, requiring continuous synchronisation of token databases. Storing all sensitive data in one service creates an attractive target for attack and compromise, and introduces privacy and legal risk.
Tokenization technologies are limited in measuring the level of security for a given solution through independent validation. With the lack of standards, the latter is critical to establish the strength of tokenization offered when tokens are used for regulatory compliance, hencethe PCI Council recommends independent vetting and validation of any claims of security and compliance.
The method of generating tokens may also have limitations from a security perspective. With concerns about security and attacks on random number generators, which are a common choice for the generation of tokens and token mapping tables, scrutiny must be applied to ensure proven and validated methods are used versus arbitrary design.Random number generators have limitations in terms of speed, entropy, seeding and bias, and security properties must be carefully analysed and measured to avoid predictability and compromise.
With tokenization’s increasing adoption, new tokenization technology approaches have emerged to remove such operational risks and complexities and to enable increased scale suited to emerging big data use cases and high performance transaction processing, especially in financial services and banking.
Recent examples of entrants in to the market include the ‘big three’ – Visa Inc launched Visa Token Service early last year and Visa Europe is following suit with the launch of a tokenization service “customized for the needs of the European market”, available for financial institutions from mid-April 2015. American Express announced the launch of its American Express Token Service in November 2014 and MasterCard announced early in February this year that it is to incorporate tokenization technology into its MasterPass digital wallet in the near future, with CEO Ajay Banga being quoted as saying, “We are very focused on tokenization; it’s a very important aspect of where we’re going for safety and security.”
Application to alternative payment systems
Building an alternate payments ecosystem requires a number of entities working together in order to deliver near field communication (NFC) or other technology based payment services to the end users. One of the issues is the interoperability between the players and to resolve this issue the role of trusted service manager (TSM) is proposed to establish a technical link between mobile network operators (MNO) and providers of services, so that these entities can work together. Tokenization can play a role in mediating such services.
Currently, tokenization is used primarily in financial transaction environments to secure electronic, card-based payments and the widespread adoption of tokenization has ushered in substantial increases in security and an overall reduction in compliance costs for organizations around the world.
Tokenization can be applied across multiple industries and sectors to protect sensitive data such as Personally Identifiable Information (PII) and Protected Health Information (PHI). It can be expected that a wide range of organizations will begin seeing the tangible benefits of using this versatile and powerful technology, a case in point being the launch of Apple Pay in October last year.
“Apple has managed to make effective use of technology and concepts that have been around for a while, but that nobody has yet been able to implement successfully in concert,” says Vaughan Collie, Partner with Accourt Payment Specialists.
“Apple Pay is definitely an improvement on previous implementations of certain aspects of the technology, but there remain risks associated with it, specifically with the way that some value chain stakeholders such as issuers have implemented some components of Apple Pay to date.
“It is also important to note that although the Apple Pay ecosystem is likely to grow rapidly, there are still only a relatively small number of consumers that have Apple Pay capable devices (i.e. iPhone 6/6 Plus) at this time.There is absolutely nothing stopping criminals ignoring these relatively more secure ecosystems and targeting the huge numbers of other ecosystems where this level of tokenisation-enabled security is not implemented,” continues Mr Collie. “Criminals generally gravitate towards the weakest point. The card schemes probably have a significant role to play here – they could elect to mandate certain aspects and thereby ‘incentivise’ issuers, acquirers and merchants to implement tokenization-enabled solutions.”
Apple may not have invented tokenization, but by taking this route it could be looking to ride the security wave all the way to payment success, especially considering the rising number of merchant data breaches and instances of stolen credit card information that continue to hit the payment and retail industries. “It is important to note, however, that a burden of care remains with value chain stakeholders and how they manage cardholder information,” says Mr Collie.
But Apple Pay has more than one security trick up its sleeve. Apple says using TouchID, which implements fingerprint scanning technology (biometrics) on the phone strengthens the bond between the payment, the device and the consumer, so the assurance levels go up and the risk associated with these transactions goes down, thereby significantly raising the bar on security, and that is reflected by the fact that the brands and issuers are willing to extend the lower ‘card present’ transaction rates to Apple for NFC transactions (in-app transactions are assessed as card not present transactions).
One reason that the security of Apple Pay has so far been unmatched is the fact that they control both the device and the operating system – two key components of the ecosystem. Other mobile wallets exist across multiple hardware platforms, with no consistency to support biometrics or other verification aspects such as location information.
Apple Pay could soon face strong competition from other players entering the market. Samsung Pay, the tokenized mobile payment system introduced with the Samsung Galaxy S6, enables MasterCard credit, debit and prepaid cardholders to use the new Galaxy S6 to pay in-store for purchases. And as recently as 2 March this year Google announced a rival mobile payment service called Android Pay, which will likely take over from Google Wallet.
Commercial success – adoption is crucial
Apple Pay is available on the latest iPhones, so adoption of the platform will depend on the device upgrade cycle.Yet even when consumers get their hands on a new iPhone, there’s no guarantee that they’ll make use of Apple Pay.
According to BloombergBusiness Apple will collecta fee for each transaction from banks when consumers use an iPhone in place of credit and debit cards for purchases, giving them a cut of the growing market for mobile payments. BloombergBusiness states the people familiar with Apple Pay declined to specify the size of the fee, which they said could vary, or whether it’s tied to the value of purchases.In an online introduction to Apple Pay, however, the company said it won’t charge users, merchants or developers for transactions.
Of course, the best-case scenario for not only Apple, but also merchants, card issuers and credit card networks would be for consumers to take notice of the security potential of tokenization and opt to use it over the established payment card method that still reigns supreme.