Ai Editorial: Tokenization - you can't ignore this!

Tokenization, yellow path authentication…impossible to ignore all of this

When one hears that no Apple encryption has been broken yet it comes as a big relief considering the level of fraud that is happening today. Ritesh Gupta, Ai Correspondent takes a closer look at tokenization.

No one likes to waste time on routine tasks that hamper the experience of shopping. One always feels like completing a transaction as soon as possible. The world of mobile commerce has made significant progress in this context, with travel e-commerce entities besotted by the idea of one-click payment.

All of this means no one wants to fill up mundane information again and again. Understandably then a lot is being said and evaluated when it comes to tokenization of payment data.

Going by the spate of fraud incidents in the recent past, more than how PCI compliance requirements shift from the merchant to the payment associate, relatively more important issue is the security of tokenized data. As much as the industry is contemplating about how to modify existing systems to accept tokenization, airlines and other travel companies are also keenly looking at its prowess in terms of combating fraud. Topics like data protection, user authentication and device authentication are valid discussion points in today’s travel shopping environment.

Are consumers savvy enough?

So what is tokenization – just in case one needs to know how it works. It is all about shielding consumer’s data, replacing the payment account information found on a plastic card with numbers that can be utilized to authenticate payment without revealing real account details. When uses a mobile device to complete a contactless transaction, a token is submitted. So customers only need to register their cards once.

Even though Apple didn’t come up with any new payment security standard, the introduction of Apple Pay has aroused immense interest in the arena of mobile commerce. The promise of paying via Apple Pay is enticing enough, considering the popularity of whatever Apple does, but do consumers understand the repercussions of something going awry with their data.

“Absolutely, cardholders are very savvy,” says Melissa Santora, product strategist - Card Services, Fiserv.    

She adds, “In fact, security concerns have been one of the top inhibitors to mobile payments adoption. Consumers are being educated by their financial institution and the industry that their card number is not stored on their connect device nor is it seen by the merchant. It’s a powerful differentiator to how mobile payments were introduced to consumers in the past.”

What does Apple Pay support?

Before we understand what Apple Pay is supporting, it is important to know more about dynamic and static tokenization. 

Santora explains dynamic tokens change with each transaction whereas a static token remains as one token per connected device. Therefore if you happen to lose your device, you can suspend or delete your token rather than reissuing your card. Additionally, this token can be found on your device as the ‘device account number’. This information can be found on your connected device by either flipping over the card within the wallet or by accessing the Settings portion of the device.

“It’s important to note that tokenization through Apple Pay and the EMVCo. specifications support static tokens only,” says Santora.

Here are some other key aspects about tokenization that are worth knowing:

· HCE: Host Card Emulation or HCE is another flavor of tokenization. When asked about this, Santora mentioned: “We do not have enough information to comment on HCE and the impact/ role that it may have on tokenization however we are actively understanding how HCE may play into tokenization and mobile payments.”

· Benefits and drawbacks associated with tokenization: Just as EMV solves for fraud in the card present space, tokenization is part of offering to mitigate fraud in card-not-present space and digital payments, says Santora. “It’s important for consumers to know that their card number is not stored in their connected device. Also, someone cannot take your phone and use your phone for payments. Touch ID or your Passcode is also required for a tokenized transaction to be completed,” elaborated Santora.  

· Definition: It is being highlighted that as per EMVCo specification on tokenization, the definition of token is alternate PAN, which is not the same as one-time use data. Santora says this refers to dynamic vs. static token discussion. The token is considered an alternate PAN or the device account number which is just a surrogate value for the real PAN.

· Not broken yet: It is being emphasised that no Apple encryption has been broken, it’s more to do with how the banks themselves issue credit cards and verify the identities connected to those cards. Santora says, “We have not seen fraud related to Apple Pay and have adhered to the standards and regulations set by the networks for yellow path authentication. We do offer call-center services for yellow path authentication and are thorough in our questions to ensure that cardholder is the rightful owner of that card and provision that cardholder and card with a token.”

When passengers and airlines are confident enough about the role of tokenization, then one can expect a spurt in the use of mobile payment services such as Apple Pay and others.

Follow us on Twitter: @Ai_Connects_Us and Checkout our Events at: