The aging payment infrastructure needs a security boost from the digital age.
Tokenization is what brings us together today.
One day in the future, every transaction we make may actually be secure. Apple is leading the way in to the future of secure payments with Apple Pay and the mixture of biometric authentication and tokenization. Soon the rest of the industry will catch up.
Time To Update Aging Payment Infrastructure
In the past couple of years, my bank has issued me three new debits cards for my checking account. One day I get an email from the bank saying that my debit card was potentially compromised and that a replacement card has been sent. A week or so later the new card will show up and I will have to change the payment details for all my accounts on apps and websites.
To my knowledge, I never actually did anything wrong. Maybe I shopped at the wrong place. A hacker had infiltrated the system of some merchant—like Target or Home Depot—and gained access to millions of credit and debit card numbers. Hence I get a new debit card in the mail. As far as I can tell, no money had been siphoned from my account.
Data breaches that expose consumer transaction information is a sign that the current payment infrastructure in the United States—like the MBTA in Boston—is antique and fraught with cracks. The security of transactions is one of the reasons why so many companies are looking towards the future of payments with smartphones and mobile wallets.
But why are mobile payments more secure? Aren’t there stories every day about how companies are spying on our phones? Placing adware into new our computers? Installing “supercookies” that cannot be blocked?
“[Tokenization] is a very open standard and yes we have started the actual commercial deployment of that and yes we believe that this is going to become one of the main technologies for digital payments in the future,” said Mung Ki Woo, executive vice president of digital platforms at MasterCard, in an interview with ARC at the 2015 International Consumer Electronics Show in January.
Tokenization may be the key to securing payments in the near and long term future when the era of cash and the plastic card are finally done. Smartphones (or probably any Internet-connected gadget) will be able to make a transaction at nearly any store you walk into, with the knowledge that it is safe and secure.
What Is Tokenization?
Tokenization is a hot topic when it comes to payment security, but it is not actually a new technological concept. Tokenization is a data security method at its most basic level that substitutes a sensitive data element with one that represents the same object but has no explicit, exploitable value. This is called a token. The token then is mapped to the sensitive data through a software tokenization system. Tokens are used once and then discarded, meaning that if hackers were to get their hands on token information, there is nothing there to exploit for material or informational gain.
When it comes to payments, the Payment Card Industry Data Security Standard (PCI DSS) defines tokenization: “a process by which the primary account number (PAN) is replaced with a surrogate value called a ‘token.’”
Here’s how tokenization works for Apple Pay for the iPhone 6, iPhone 6 Plus and soon the Apple Watch:
- A user inputs their payment information from iTunes into the Apple Passbook app.
- The data is secured on a secure chip (called a Secure Element), partitioned from the rest of hardware and software in the iPhone.
- A “Device Account Number” is generated, encrypted and stored on the Secure Element. These account numbers live on the phone and do not touch Apple’s servers.
- When a user makes a purchase at a store, the Device Account Number and a randomly generated security code (the token) are passed to the merchant. The actual payment details of the card (the 16-digit string of numbers, expiration date and security code) are not passed to the merchant.
- The token is passed through the tokenization system where the required amount of money is unlocked and sent back to the merchant.
“I think that we just started rolling out tokenization. It is an industry standard, an open standard. So it is not a proprietary solution, it is a free published standard,” Woo said.
Apple did not create the notion of a token. Nor did it invite the Secure Element chip used in iPhones or the Near Field Communications chip that is used to connect to a merchants point-of-sale terminal in a store. Really, Apple did not create any new technology at all to create Apple Pay. Yet Apple Pay may be the technology that finally spurs mobile payments to general adoption by consumers and businesses because of the popularity and trust of Apple’s brand and the iPhone.
The greatest benefit of Apple Pay might just be to make tokenization—an open source standard launched and touted by the payment processors—a ubiquitous feature in all digital payments technology.
“For tokenization to take off, it almost goes hand-in-hand with mobile payments taking off and the proliferation of OEM adoption plays into that,” said Will Graylin, CEO and co-founder of payments startup LoopPay, recently acquired by Samsung. “We are in a perfect storm right now to be able to combine tokenization plus ubiquitous acceptance plus having OEMs adopt.”
Moving The Needle On Digital Payments
According to MasterCard’s Woo, 85% of worldwide transactions are still conducted in cash. This 85% figure has been the standard for years now, with no industry-wide inclination that it will change any time soon. The data set of all transactions is so big that it would take trillions of dollars changing hands from consumer to merchant to significantly move the needle.
“What happens is that the world economy continues to grow. Every year the proportion of cash reduces somewhat, but we are talking about huge volumes. So it is about the same,” said Woo.
Mobile payments are not going to put much of a dent in this ratio any time soon. The idea of paying at a store with a smartphone—a favorite topic of the Technorati—is still new to most people. Mobile payments are a curiosity, even with Apple Pay. The technological infrastructure of merchants across the world has not caught up with the capabilities of smartphones. Even a company like LoopPay which takes out much of the technological barriers to mobile payments for merchants, can only do so much in making people use their smartphones instead of plastic cards.
“When a consumer can feel like, ‘I can use it anyplace, this is my new payment method’ then you have converted one consumer at a time,” Graylin said. “You literally have to convert one consumer at a time otherwise they have alternatives they can use. They can use plastic cards.”
The slow transition away from cash and plastic cards to real-world digital payments is going to be decades in the making. Of course, the slow adoption of mobile and digital payments will be a hindrance to the acceptance of tokenization as a security method.
“[Tokenization] would be an additional standard on top of what already exists. Retiring anything of legacy in payments takes a very long time,” Graylin said. “MagStripe is going to be around for a very long time, so is chip card. Adding tokenization means that we can finally deliver one-time use across different channels. I am looking at more than just physical [paying in store with a smartphone], I am looking at it in ecommerce and online channels.”