As the volume of both card-based payments and digital payments continues to grow significantly year-on-year, securing sensitive card data (and in particular the primary account number or PAN) has never been a more critical or challenging task. In the recent Thales eBook, ‘PCI Compliance and Data Protection for Dummies’, we cover the main technologies that can be used, such as encryption and tokenization, to protect the payment prior to a successful authorization and to securely store selected elements afterwards.
Encryption, which in this context is often referred to as point-to-point encryption or P2PE, was the first method of defence deployed to ensure that cleartext PANs were not readily accessible to fraudsters if a data breach occurred at a merchant server (which is often a vulnerable point in the network). This in itself was sufficient in the early days when face-to-face card transactions dominated the payment landscape. As other forms of mobile, online and in-app payments grew in popularity, it became obvious that other defence mechanisms were required to safeguard consumer PANs across a wide range of payment devices – hence, tokenization became the next sought-after solution to tackle the problem of increasing data breaches and, in turn, growing fraud.
Different tokenization solutions to protect against different risks
To complicate matters, there are lots of specific implementation options to choose from and many different ways for the various payment ecosystem players (including issuers, merchants, acquirers and payment gateways) to support tokenization. In the specific case of payment transactions linked to a PAN (or token as a proxy for the PAN) there are two distinct types of tokenization:
- Acquirer or non-payment tokenization, which protects the merchant from damage caused by a data breach by ensuring that only tokens rather than PANs are stored after authorization (this is the focus of PCI efforts, where the original guidance can be found here and supplementary information here).
- Issuer or payment tokenization, which protects the issuer by creating clear segregation across payment channels, ensuring that the token used for one payment channel is not valid for use on another (this is the focus of EMVCo efforts, where further information can be found here).
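The two token types just listed behave differently at authorization time, and the difference is easier to see in code. The following is an added, constructed illustration (not code from this post, from Thales, or from any card brand's token service): a toy in-memory vault that issues a storage token the merchant keeps instead of the PAN, and a payment token bound to a single channel that is rejected when presented on any other channel. The channel names, the `ToyTokenVault` class and the 16-digit token shape are assumptions made for the example; a real token service keeps the PAN mapping inside an HSM-protected environment, not a Python dict.

```python
import hmac
import hashlib
import secrets
from dataclasses import dataclass, field

# Constructed example: a toy token vault illustrating acquirer (storage) tokens
# and issuer (payment, domain-restricted) tokens. Not EMVCo's, any card brand's,
# or Thales' implementation. The vault state is an in-memory dict here purely
# for illustration.

# Assumed channel names (token domains) for the example.
PAYMENT_CHANNELS = {"ecommerce", "mobile_contactless", "card_on_file"}


def luhn_ok(pan: str) -> bool:
    """Luhn check, used only to reject input that is not PAN-shaped."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def _random_token(last4: str) -> str:
    """16-digit token keeping the last four digits for receipts/customer service;
    the rest is random, so it cannot be reversed to the PAN without the vault."""
    body = "".join(str(secrets.randbelow(10)) for _ in range(12))
    return body + last4


@dataclass
class ToyTokenVault:
    # HMAC key used only to build a stable lookup index so the same card maps to
    # the same storage token (returns, analytics) without storing a searchable PAN.
    _index_key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    _storage_by_index: dict = field(default_factory=dict)  # HMAC(PAN) -> token
    _storage_vault: dict = field(default_factory=dict)     # token -> PAN
    _payment_vault: dict = field(default_factory=dict)     # token -> (PAN, channel)

    def _index(self, pan: str) -> str:
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    # --- Acquirer / non-payment tokenization ---------------------------------
    def storage_token(self, pan: str) -> str:
        """Token the merchant keeps after authorization instead of the PAN."""
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("not a valid PAN")
        idx = self._index(pan)
        if idx not in self._storage_by_index:
            tok = _random_token(pan[-4:])
            while tok in self._storage_vault:  # avoid the (rare) collision
                tok = _random_token(pan[-4:])
            self._storage_by_index[idx] = tok
            self._storage_vault[tok] = pan
        return self._storage_by_index[idx]

    def detokenize(self, token: str) -> str:
        """Only the token service (never the merchant) can recover the PAN."""
        return self._storage_vault[token]

    # --- Issuer / payment tokenization ---------------------------------------
    def payment_token(self, pan: str, channel: str) -> str:
        """Token bound to exactly one payment channel (its token domain)."""
        if channel not in PAYMENT_CHANNELS:
            raise ValueError(f"unknown channel {channel!r}")
        if not (pan.isdigit() and luhn_ok(pan)):
            raise ValueError("not a valid PAN")
        tok = _random_token(pan[-4:])
        while tok in self._payment_vault:
            tok = _random_token(pan[-4:])
        self._payment_vault[tok] = (pan, channel)
        return tok

    def authorize(self, token: str, channel: str) -> tuple[bool, str]:
        """Domain-restriction check made before the PAN is released to the
        issuer's authorization host. A genuine token presented on the wrong
        channel is refused, which is the segregation described above."""
        entry = self._payment_vault.get(token)
        if entry is None:
            return False, "unknown token"
        pan, bound_channel = entry
        if channel != bound_channel:
            return False, f"token not valid for channel {channel!r}"
        return True, f"authorize PAN ending {pan[-4:]} via {channel}"


if __name__ == "__main__":
    vault = ToyTokenVault()
    pan = "4111111111111111"  # constructed test PAN that passes the Luhn check
    st = vault.storage_token(pan)
    print("merchant stores:", st, "(PAN never present in merchant records)")
    pt = vault.payment_token(pan, "mobile_contactless")
    print(vault.authorize(pt, "mobile_contactless"))
    print(vault.authorize(pt, "ecommerce"))  # refused: wrong token domain
```

Two points are worth noticing when running it. The storage token is stable for a given card but is not derivable from the PAN, so a breach of the merchant's database yields only tokens and last-four digits. The payment token carries a channel binding that the vault enforces at authorization, so a token captured from one channel gives no ability to transact on another.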
The EMVCo tokenization efforts are where the most focus is at present, especially with an emerging range of new mobile, IoT and connected devices being used as payment instruments and often relying on consumer credit or debit card accounts to facilitate the payment. Issuers are now regularly turning to tokenization solutions to ensure that such non-card payment instruments use a token as a substitute for the PAN as part of their risk mitigation strategy. It is not surprising that the card brands, as part of their EMVCo activities, predicted such a need and hence developed a robust, globally applicable tokenization standard to improve security and reduce time to market.
Credit card tokenization services are available now
Three of the major global card brands have launched their own credit card tokenization services, which are available to issuers and service providers who need to support the digitization of card credentials across a broad range of payment instruments that are consumer owned and controlled rather than being under issuer control (as is the case in the credit and debit card world). The first use case of such solutions (and one of the primary drivers for their development) was to support contactless mobile payments such as those which are part of the Apple Pay and Android Pay ecosystems.
The Mastercard credit card tokenization service offering is part of its Mastercard Digital Enablement Service (MDES) solution set. Visa offers a range of network-level encryption and tokenization services under its Visa Data Secure Platform (VDSP) suite. American Express also offers a tokenization solution simply called the American Express Token Service. There are other participants in the EMVCo compliant tokenization ecosystem, and details about registered token service providers can be found here.
payShield HSMs simplifying integration with token service providers
In the payments world, Thales has a proven track record of supporting the latest standards in a timely manner and offering a simple, secure interface to the major card brand tokenization services is another example. The company’s payShield hardware security module (HSM) is being used by various issuers and service providers to support all their issuance needs, especially the stringent requirements for key management and secure messaging when utilizing the tokenization services from the card brands in question.
Please visit Thales’ dedicated solution page on tokenization to find out more.