Tokenization: a new step in the security of payment data
Hans Croon, Connective Payments team
May 2021
The move to tokenization
More than 226 million credentials of 23,000 websites are out on the open road, Australian security researcher Troy Hunt reported in November. The hack was just outside the top 10 of the largest data breaches ever. In April, a data breach was announced at webshop Allekabels.nl. As a result, passwords and private data of 3.6 million Dutch people were offered for sale on a hacker forum. Not a day goes by without a message about a new data breach, hack or fraud. Criminals are increasingly moving their business to the online world, where they make good use of the digital naivety of many users – and unfortunately many system administrators too. Usually it concerns passwords, email addresses, birth dates, etc. that are used to access potential victims.
But what about all those billions of personal payment data that travels over the internet every day? Despite numerous security specialists at banks, PSPs and the police who are actively involved in cybercrime, (credit) card hacks are all over the news. As an example, in 2019, hackers breached e-commerce hosting company Volusion servers. They inserted malicious JavaScript code to record payment card details when they were entered into checkout forms. The details of the stolen cards have been put up for sale on a dark web hacking forum. Thousands of online stores were affected. Hacks like these are becoming more and more common.
Advanced techniques are used to avoid fraud, of which encryption is one of the best known. But in addition to encryption, a smart technology has become more mainstream for some time now, both for POS payments and online: tokenization.
What is tokenization?
Tokens have been around for much longer
It seems as if you suddenly encounter the word tokenization everywhere. Think of the NFT (non-fungible token) that was sold for $ 70 million in March as a certificate of ownership of the digital painting Everydays: The First 5,000 Days. Or the first tweet by Twitter founder Jack Dorsey, which also turns out to be worth (a lot of) money in the form of a unique token. But the principle of tokenization has been around for much longer. If you ever visit a casino, festival or stadium, then you are used to exchanging some money for tokens and paying for your purchases for the duration of the event.
Tokenization in the payments industry
Since the introduction of Apple Pay, consumers may have been unaware of a similar technology in regular payment transactions (1). With tokenization, sensitive card data is replaced by a unique, configurable security token. In concrete terms, the PAN (Primary Account Number) of a card is protected by replacing it in real time with a unique series of numbers during the execution of a payment transaction. The original data remains in a secure cloud vault. If the token is intercepted by a fraudster during the transaction, it will be of little use to him. It is also unknown to the consumer. Each token is perishable and can only be used by that particular retailer. The scope of the token is not global.
A token can be issued by a Token Service Provider, which can be a card issuer, a card scheme or a PSP. Only the TSP knows how to “detokenize” the token to the original PAN to complete the payment transaction.
The difference between encryption and tokenization
Tokenization and encryption complement each other. Most secure payment environments use both fraud-prevention solutions:
- Tokenization to swap payment details with unique iDs
- Encryption when sending data across unsecured networks
The main difference between tokenization and encryption is that tokenization is irreversible. With encryption, the original data can be derived from the encrypted version with an algorithm. In theory, a fraudster can calculate the mathematical key, provided he has sufficient computing power. With tokenization, the secured data, such as the PAN, cannot be traced back in any logical way.
The benefits of tokenization for retailers
For retailers, both in the physical POS environment and online, tokenization is attractive for several reasons:
- Tokenization is virtually hacker-proof
Fraudsters cannot use stolen tokens to pay online.
- Tokenization means less data security related costs
The use of tokenization reduces data security costs. According to the definition of PCI-DSS, the tokens are not considered as cardholder data, unlike encryption. After all, the original card details are securely stored outside the merchant’s data environment.
- Seamless checkout
Tokens can be issued once, but also for multiple use. This is also referred to as “merchant tokenization”. The merchant stores the token in a data vault to enable future payments by the same customer with one click. This is particularly interesting for customers who often purchase something from the same (web)shop or service provider. Think of platforms like bol.com or Uber, or subscription services like Spotify or Netflix (2).
Incidentally, the “card-on-file” technology has been around for some time. Many merchants offer their customers the option of adding the 16-digit number of their debit or credit card to their customer account. This has a significant conversion-increasing effect. Tokenization further secures this shopping convenience.
Connective Payments has an extensive track record developing innovative payments products:
- whether your business is POS oriented or online, we can translate your customers’ needs into value added products,
- set the right priorities and advise you on your development roadmap,
- benchmark your portfolio with competition,
- and staff your project organisation to tackle complex, while maintaining short development cycles.
Click the button to find out more about our service.
Notes
- As far as is known, payment tokenization was first developed in 2001 by TrustCommerce for Classmates.com. Because keeping credit card information in their systems was considered too risky by Classmates.com, TrustCommerce developed a system where customers could use a token to make a purchase instead of their actual credit card information. TrustCommerce handled the actual payment processing on behalf of Classmates.com. (Source: Very Good Security)
- August 2020, ING announced a merchant tokenisation proposition in collaboration with food retailer Albert Heijn, to be used both in physical shops and online. First, only in the Netherlands, to be extended to other clients and other countries when proven successful. In the trial, customers link their debit card to an Albert Heijn token in the ING app or in the AH app. ING has published an insightful infographic to explain the offer. (Source: ING Wholesale Banking).
Hans Croon
Connective Payments
hans.croon@connectivepayments.com
(031) 650278932