There are many interesting technologies out there and I haven’t blogged much about one of them: tokenization. Why am I talking about tokenization today? Because it was referred to many times by Visa, MasterCard and the card processing firms at Money2020 last week as the key to future transaction security.
So what is tokenization? If I’m honest, it’s talked about a lot but there aren’t many easy-to-understand descriptions out there. This discussion with Dave Fortney of the Clearing House, in an interview with Computerworld last year, provides a good perspective, however:
While EMV is great for securing card transactions at point-of-sale terminals, it is less useful for online payments and other card-not-present transactions. That is one of the major reasons why payment card fraud has migrated from point-of-sale systems to online channels in Europe and other places that have already adopted EMV. Payment card tokenization is one way to address this gap.
Tokenization is a method for protecting card data by substituting a card's Primary Account Number (PAN) with a unique, randomly generated sequence of numbers, alphanumeric characters, or a combination of a truncated PAN and a random alphanumeric sequence.
The token is usually the same length and format as the original PAN, so it appears no different than a standard payment card number to back-end transaction processing systems, applications and storage.
The random sequence, or "token," acts as a substitute value for the actual PAN while the data is at rest inside a retailer's systems. The token can be reversed to its true associated PAN value at any time with the right decryption keys. Tokens can be either single use tokens or multi-use tokens.
Tokenization eliminates the need for merchants, e-commerce sites and operators of mobile wallets to store sensitive payment card data on their networks.
With tokenization, credit and debit card data is encrypted at the point where it is captured and sent to the merchant's payment processor where the data is decrypted and the transaction is authorized. The processor then issues a token representing the entire transaction back to the retailer while the actual card number itself is securely stored in a virtual vault.
The retailer can use the token to keep track of the transaction and handle refunds, returns, exchanges and other transactions. The token itself would be of little value to data thieves because there would be no way to link the token back to the PAN without the decryption key.
Customers would do nothing different when paying for purchases using a credit or debit card. The card data is encrypted when the card is swiped through the payment terminal, sent to the processor where it is decrypted for transaction approval processes, and a token is issued to the merchant, all without the customer experiencing anything different.
Tokenization can also be implemented on-premise with the merchant itself hosting the server that does the decryption and token issuance.
Tokenization also offers a great way to secure emerging mobile payment applications. A mobile wallet operator like PayPal or Google could use the approach to store one-time use tokens in a consumer's virtual wallet rather than actual credit and debit card numbers. Consumers could use the tokens to make purchases like they would with an actual payment card while merchants would be able to complete a transaction without touching or storing actual PAN data.
One major advantage with tokenization is that it does not require merchants to make major changes to their current payment acceptance systems, like EMV does, Fortney said. Tokens are formatted in the same manner as card information so merchants have to make relatively minimal changes to their payment systems.
The real heavy lifting would happen at the banks, or other entities that store PAN data, generate tokens and keep track of them through the entire transaction chain.
That discussion pretty much summarises tokenization and tokens, but why is this so important? Because Visa and MasterCard are doubling down on their efforts to roll out tokenization around the world. This was made clear during Money 20/20 with several key announcements, most notable of which was MasterCard’s tokenization to enable the internet of things.
So watch out for a token near you in the not too distant future.
Chris M Skinner
Chris Skinner is best known as an independent commentator on the financial markets through his blog, TheFinanser.com, as author of the bestselling book Digital Bank, and Chair of the European networking forum the Financial Services Club. He has been voted one of the most influential people in banking by The Financial Brand (as well as one of the best blogs), a FinTech Titan (Next Bank), one of the Fintech Leaders you need to follow (City AM, Deluxe and Jax Finance), as well as one of the Top 40 most influential people in financial technology by the Wall Street Journal's Financial News.