As fraudsters turn attention to card-not-present transactions, tokenization takes on more importance.
By Matt Herren
Following the shift from mag-stripe debit and credit cards to EMV in 2015, criminals and financial institutions have raced to adjust to the new digital payments landscape.
As expected, the switch to EMV has resulted in a significant decrease in fraud. In September 2016, Visa announced that fraud among retailers that had implemented EMV protocols had dropped 47 percent, compared to an 11 percent fraud increase among retailers that had not embraced the new standard.
However, while EMV increased the level of security for cards, especially in protecting against the theft of card data at the point of sale or via mag-stripe readers, financial institutions have seen fraudsters and their tactics adjust to the new protections.
The switch to EMV marked a significant milestone against fraud, but the increased level of security primarily protects against in-person fraud and theft. Fraudsters are working diligently to outsmart payments technology, moving from point-of-sale fraud to a more vulnerable arena: card-not-present transactions. Most consumers who pay bills, frequently shop online or use Apple Pay or Samsung Pay are already familiar with CNP transactions. Here, EMV is less effective because there is no physical reader to ensure the chip credentials are valid.
So, what can counter the rise in CNP fraud? Payments providers are turning to tokenization to provide stronger protections for both mobile payments and CNP transactions online. Tokenization is a natural progression from EMV that limits access to vital card information and keeps payment and account data secure.
What Is Tokenization?
Tokenization is the process of replacing sensitive card data with unique identification symbols, or tokens, which retain all the essential information about the data without compromising its security. The vital part of this process is ensuring a consumer’s card credentials are unreachable by replacing the card number with a unique token. This token serves as an encrypted dynamic transaction number, keeping the valuable account data secret from the merchant and anyone who manages to steal the tokenized data.
A merchant sends a transaction that looks similar to an EMV transaction to the card network, and the payment processor matches it to its token vault. The token is then matched to the real card number and an approval is sent to the issuer for validation, creating an additional piece of dynamic data and an extra level of security.
The most important aspect of tokenization is eliminating the static card number, CVV and expiration date from the transaction. The temporary token data is useless to criminals, and as the transaction passes multiple sets of hands, the risk of compromise remains low.
Tokenization and an E-commerce Ecosystem
Tokenization is especially useful in battling fraud in online CNP transactions, which EMV protections leave vulnerable. By using a token, e-retailers can offer the same level of protection that EMV provides, with the encrypted token preventing a hacker from accessing personal financial data.
Likewise, tokenization will create a more secure environment for online transactions through digital wallets, or “card on file” transactions.
Traditionally with the COF concept, merchants store customers’ static card credentials to allow faster checkouts and forge stronger customer relationships. Now, with the help of the card networks, those credentials will be replaced by tokens. In fact, one major company has already begun to implement tokenized COF transactions; if a thief manages to steal a token, all he can do is pay the customer’s monthly bill with it. And many additional merchants have placed tokenized COF on their strategic roadmaps.
Further, if a card is lost or stolen, the card networks will automatically update the customer’s token information at all of their COF merchants, with no scrambling required on the part of the customer.
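The vault lookup, merchant-bound card-on-file token and automatic reissue described above, as a minimal sketch added here; it is not code from the article or from any card network. The `TokenVault` class, the HMAC-based cryptogram, the merchant names and the test card numbers are assumptions for illustration; real network tokens and cryptograms follow the networks' own formats.

```python
import hashlib
import hmac
import secrets


def make_cryptogram(key, token, counter, amount_cents):
    # Per-transaction dynamic value, computed by the wallet that holds the key.
    msg = f"{token}|{counter}|{amount_cents}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class TokenVault:
    """Toy token vault: maps merchant-bound tokens to real card numbers."""

    def __init__(self):
        self._records = {}  # token -> pan, merchant, key, last counter seen

    def provision(self, pan, merchant):
        # Random surrogate: nothing about the card number can be derived from it.
        token = "".join(secrets.choice("0123456789") for _ in range(16))
        key = secrets.token_bytes(32)
        self._records[token] = {"pan": pan, "merchant": merchant,
                                "key": key, "counter": 0}
        return token, key

    def reissue(self, old_pan, new_pan):
        # Lost or stolen card: repoint tokens; merchants keep the same token.
        for rec in self._records.values():
            if rec["pan"] == old_pan:
                rec["pan"] = new_pan

    def authorize(self, token, merchant, counter, amount_cents, cryptogram):
        rec = self._records.get(token)
        if rec is None or rec["merchant"] != merchant:
            return None  # unknown token, or token used outside its merchant
        if counter <= rec["counter"]:
            return None  # replayed or stale transaction
        expected = make_cryptogram(rec["key"], token, counter, amount_cents)
        if not hmac.compare_digest(expected, cryptogram):
            return None  # dynamic data does not match
        rec["counter"] = counter
        return rec["pan"]  # only the vault side ever sees the card number


if __name__ == "__main__":
    vault = TokenVault()
    token, key = vault.provision("4111111111111111", "utility-co")  # test PAN
    proof = make_cryptogram(key, token, 1, 4200)
    print(vault.authorize(token, "utility-co", 1, 4200, proof))
```

A token copied from the merchant's database fails at any other merchant, and a captured transaction fails on replay because the counter has already advanced.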
On the convenience side, this interaction between mobile wallets and e-commerce sites involves a single-button checkout process—an immense improvement over the cumbersome keying in of card numbers and expirations on a mobile device. Merchants would be wise to take notice: With mobile commerce growing by 47 percent a year, Gartner research projects mobile-based e-commerce will account for half of all online transactions by the end of 2017.
Currently, smartphones are required for tokenization, which needs connectivity to push and pull dynamic data—a capacity not available in cards.
What Role Does Your Bank Play?
To get on board with tokenization, banks must set up their cards in their network’s token vault and enroll in the three digital wallets that utilize the card network rails: Apple Pay, Samsung Pay and Android Pay. Ideally, a bank’s debit card processor will act as its partner during enrollment by completing agreements with MasterCard and Visa as well as managing its addendums with the digital wallet providers. This significantly streamlines the process and allows the bank to “go live” in about six weeks from start to finish. Without that kind of help, banks that go it alone—at least in the beginning—face a significant learning curve, with implementation possibly taking more than a year.
Hence, it’s accurate to say that adoption by banks will directly correlate to the level of support they receive, at a relatively low cost, from their issuer processors.
From the perspective of banks’ merchant customers, there is no difference in processing tokenized credentials and EMV credentials. While some wallets, like Samsung Pay, leverage magnetic secure transmission technology and can utilize legacy mag-stripe readers to transmit tokenized credentials, merchants still should implement near-field communication terminals to maximize their acceptance of token activity.
The Future of Tokenization
Tokenization also will drive the future commercialization of the Internet of Things. IoT is expanding at a rapid pace, and soon consumers will be able to shop directly from their smart TVs, refrigerators, even cars. Tokenization allows for optimal security of these devices, granting many household items the potential to become a secure online store.
So these innovations are not only useful, but safe. Financial institutions that utilize this method of fraud protection can ensure their customers’ data security, even when completing CNP transactions. After all, fraudsters are tireless, but if obtaining valuable personal information becomes too cumbersome and expensive to be profitable, the criminals will seek easier targets.
As the product manager for Payment Analytics at CSI, Matt Herren has expanded the firm’s ability to address fraud through early identification of merchant breaches and fraudulent testing techniques. For more information, visit www.csiweb.com.