tokenization.
REGULATORY / FRAMEWORK CONDITIONS TOKENIZATION (IDENTIFICATION)
As a general rule, when storing and transmitting data, any encryption method must ensure that the need to accurately protect that data is met.[1] In the card business, the regulator pays particular attention to securing payment transactions and strengthening consumer protection. These issues have been considerably strengthened in recent years, particularly by implementing both PSD2 requirements and secure customer authentication. In that context, a need for technical regulation to ensure interoperability or to meet a minimum standard of safety might be identified. With the tokenization of card numbers which is regulated through the PCI standard and generally accepted by all participating schemes, this need can definitely be met.[2]
Regulations for overall solutions including tokenization (e.g. tokens with an update function) are established by the corresponding solution provider, the latter being a payment system or a specification institution on a supervisional level such as EMVCo.[3]
TECHNOLOGIES/ FUNCTIONALITIES OF TOKENIZATION (IDENTIFICATION FOR CARD PAYMENTS)
While in recent years the security of card-present transactions has been enhanced by introducing EMV chips as a substitute for magnetic-stripe technology, in card-not-present transactions a check digit has been the only additional security feature.
In general terms, a token can be generated in three ways:
- a mathematically reversible cryptographic function is applied to protect the card or account number
- a non-reversible function (e.g. a hash function) is applied to the number
- a token from a token inventory is assigned to the number that is to be protected
Depending on the mechanism used, even parties that cannot ascertain the original number are able to conduct an authenticity check. Parties using a token therefore have access to a large variety of token role models.
Reversible tokens offer the benefit of enabling the authorized body to reset the token to the respective original number at any given time. For instance, the Payee may use the same token for a number of subsequent transactions without having to store the number. However, in case money laundering is suspected or if a fraud case is being investigated, the Payer’s PSP will be able to identify the number for the corresponding investigations.
Tokens can be deposited with a Payee for several regularly (subscriptions) or irregularly (e.g. central travel cards) recurring payments. Technically, different Payee-related tokens are generated in order to differentiate the tokens when they are used digitally, too.
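The three generation mechanisms listed above, together with the reversible/non-reversible distinction and the Payee-specific tokens, are illustrated in the following Python example. It is an added example, not code from the original document or from any scheme or PCI specification: the Feistel-style format-preserving transform is a toy keyed by HMAC-SHA256 (not an approved FPE mode), the `TokenVault` class, the `payee_id` parameter and the `DEMO_KEY` and `SAMPLE_PAN` values are constructed for illustration, and the vault's `update_card` method stands in for the "update function" mentioned later on the page. The Luhn check mirrors the check digit the text names as the only extra safeguard for card-not-present transactions.

```python
import hashlib
import hmac
import secrets

# Constructed sample inputs: a well-known test PAN and a fixed demo key (not a real secret)
SAMPLE_PAN = "4111111111111111"
DEMO_KEY = b"demo-key-for-illustration-only"


def luhn_valid(number: str) -> bool:
    """Luhn check digit: the only extra check a card-not-present PAN carries."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:            # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


# --- 1. Reversible token: toy Feistel network over the digit string (FF1-like shape) ---
# The round function is HMAC-SHA256 keyed by the tokenization key. Only a holder of the
# key (the Payer's PSP in the text) can run it backwards; the Payee keeps only the token.
def _round(key: bytes, rnd: int, half: str) -> int:
    mac = hmac.new(key, bytes([rnd]) + half.encode(), hashlib.sha256).digest()
    return int.from_bytes(mac[:8], "big")


def fpe_encrypt(key: bytes, pan: str, rounds: int = 8) -> str:
    """Return a same-length, all-digit token; rounds must be even (see fpe_decrypt)."""
    n = len(pan)
    left, right = pan[: n // 2], pan[n // 2:]
    for r in range(rounds):
        width = len(left)
        f = _round(key, r, right) % 10 ** width
        left, right = right, str((int(left) + f) % 10 ** width).zfill(width)
    return left + right


def fpe_decrypt(key: bytes, token: str, rounds: int = 8) -> str:
    """Invert fpe_encrypt by running the rounds in reverse order."""
    n = len(token)
    left, right = token[: n // 2], token[n // 2:]
    for r in reversed(range(rounds)):
        width = len(right)
        f = _round(key, r, left) % 10 ** width
        left, right = str((int(right) - f) % 10 ** width).zfill(width), left
    return left + right


# --- 2. Non-reversible token: keyed hash. It cannot be reversed, but a key holder can
# still verify that a presented PAN matches a stored token (the "authenticity check"). ---
def hash_token(key: bytes, pan: str, payee_id: str) -> str:
    # Mixing in the Payee id yields a different token per Payee for the same card.
    return hmac.new(key, f"{payee_id}:{pan}".encode(), hashlib.sha256).hexdigest()


def hash_token_matches(key: bytes, pan: str, payee_id: str, token: str) -> bool:
    return hmac.compare_digest(hash_token(key, pan, payee_id), token)


# --- 3. Token inventory (vault): random token; the mapping lives only at the token service ---
class TokenVault:
    def __init__(self) -> None:
        self._by_token = {}   # token -> PAN
        self._by_card = {}    # (payee_id, PAN) -> token, so each Payee gets its own token

    def tokenize(self, pan: str, payee_id: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a syntactically valid PAN")
        key = (payee_id, pan)
        if key in self._by_card:
            return self._by_card[key]          # same card, same Payee: same token
        while True:                            # draw until the token is unused
            token = "".join(secrets.choice("0123456789") for _ in range(len(pan)))
            if token not in self._by_token and token != pan:
                break
        self._by_token[token] = pan
        self._by_card[key] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the token service (the authorized body in the text) can do this."""
        return self._by_token[token]

    def update_card(self, token: str, new_pan: str) -> None:
        """Update function: a reissued card replaces the PAN while the Payee's token stays."""
        if not luhn_valid(new_pan):
            raise ValueError("not a syntactically valid PAN")
        for (payee_id, pan), tok in list(self._by_card.items()):
            if tok == token:
                del self._by_card[(payee_id, pan)]
                self._by_card[(payee_id, new_pan)] = token
        self._by_token[token] = new_pan
```

Which mechanism fits a deployment follows from the text's role models: the reversible transform lets the PSP recover the number for a fraud or money-laundering investigation, the keyed hash only ever answers "is this the same card?", and the vault keeps the card data out of the Payee's environment entirely, which is what relieves the Payee of the PCI obligations the user-experience section mentions.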
Central token service
USER EXPERIENCE WITH TOKENIZATION (IDENTIFICATION FOR CARD PAYMENTS)
The UX varies strongly depending on the area in which tokenization is applied. In general, when the Payer makes a payment, he either passes on card/account details or a token received from his PSP. The token may already contain additional data, e.g. an expiration date. Both handling and UX can be further simplified by depositing the token in a payment wallet. The Payer then has to enter the usually very long card or account number only once, at the moment of registration, in order to employ this information automatically in future transactions. This simplification could also be achieved without tokenization, but it is then associated with a significantly higher data security risk.
The Payee’s UX depends on whether he only needs to handle a token transmitted by the Payer or whether he himself tokenizes transmitted card/account data. Appropriate standard solutions for the tokenization of data are available in the Payee’s environment. The effort of installation is by far compensated by the higher level of security in storing the data. As an example, when storing non-tokenized card data the strict PCI regulations with mandatory audit checks do apply.
STRATEGIC POTENTIAL OF TOKENIZATION FOR CARD PAYMENTS (IDENTIFICATION)
Tokenization is seen as a key technology to transform open payment systems securely into the digital age.
It is through tokenization that a large number of payment methods, especially cryptocurrencies, are made functional. Others, e.g. card payments, mainly work without tokenization - even on the Internet. However, tokenization noticeably increases the level of security. It reduces the risk of millions of chargebacks of fraudulent transactions and the replacement of numerous compromised cards. Tokenization thus contributes to the economic processing of Internet payments via cards and accounts. When combined with update functions, tokenization enables the permanent deposit of cards for subscriptions, such as streaming. Should the card expire, the subscription can still continue. As a result of tokenization, the loss of the plastic card in the real world or the compromise of the card data in the digital environment no longer has any effect on the respective other area of application. While both cryptocurrencies and card data tokenization are at a mature stage and already experiencing strong growth of usage, tokenization in other fields is still in the early or trial stage.