In 2013, the major credit card schemes American Express, MasterCard and Visa developed a framework for tokenization in the payments industry. The driving force is as follows. In light of the increasing scope of the digital economy, consumers want to use their cards in emerging channels of commerce. To protect primary account numbers (PANs) as they appear in more and more digital devices, tokenization was developed to hide the PANs from the payment environment.
Here is how tokenization works: in the purchase environment, the 16-digit account number is replaced with another 16-digit number called a token, which is used to complete the transaction. The token can be limited to a specific channel, such as a mobile device or a merchant website. Therefore, even if the token is compromised by a criminal, the damage of the fraud will be limited, reducing the incentives for a criminal to commit the fraud in the first place.
Apple Pay Tokenisation Process
Let’s look at tokenization step by step through the example of Apple Pay. First, the credit card holder, also the iPhone owner, links her PAN to a token which is stored on the iPhone, through a process called provisioning. When the consumer uses her iPhone to pay for purchases at an Apple Pay-enabled terminal of the merchant, the token is sent to the credit card network for transaction processing, instead of the PAN. The network then validates and de-tokenizes the token back to the PAN, which is passed on to the cardholder’s bank for authorizing the transaction. The token and PAN are then passed back to the card network, which then re-tokenizes the PAN and sends the authorization back to the merchant.
It should be noted that the whole process, a matter of less than one second, happens in the background and is largely invisible to the cardholder. It is largely compatible with the existing payment environment, minimizing friction while adding an extra layer of security for all kinds of digital payments. If a token is compromised, the card does not need to be reissued, only the token. This saves cost and effort for the financial institution that issues the card. In addition, merchants do not need to store confidential account information, as the tokens are used instead.
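The flow described above (provisioning, a channel-limited token, de-tokenization at the network, and replacing only the token after a compromise) can be modelled in a few lines. This is an added sketch, not code from the card schemes or Apple Pay; `TokenVault`, `authorize`, the channel names, the `999999` token prefix and the issuer balance table are assumptions made for illustration.

```python
import secrets

def luhn_check_digit(body: str) -> str:
    """Check digit that makes body + digit pass the Luhn test used for card numbers."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:  # these positions are the doubled ones once the check digit is appended
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)

class TokenVault:
    """Card-network side: the only place where a token is linked to its PAN."""
    def __init__(self, token_prefix="999999"):  # constructed prefix, not a real issuer range
        self._prefix = token_prefix
        self._by_token = {}  # token -> {"pan", "channel", "active"}

    def provision(self, pan: str, channel: str) -> str:
        while True:  # random 16-digit token in card-number format, unrelated to the PAN
            body = self._prefix + "".join(secrets.choice("0123456789") for _ in range(9))
            token = body + luhn_check_digit(body)
            if token not in self._by_token:
                break
        self._by_token[token] = {"pan": pan, "channel": channel, "active": True}
        return token

    def detokenize(self, token: str, channel: str) -> str:
        rec = self._by_token.get(token)
        if rec is None or not rec["active"]:
            raise PermissionError("unknown or revoked token")
        if rec["channel"] != channel:  # a token stolen from one channel is useless in another
            raise PermissionError("token presented outside its channel")
        return rec["pan"]

    def revoke(self, token: str) -> None:
        self._by_token[token]["active"] = False  # the PAN and the card stay valid

def authorize(vault, issuer_accounts, token, channel, amount):
    """Network step; issuer_accounts (PAN -> available funds) is a constructed stand-in for the bank."""
    try:
        pan = vault.detokenize(token, channel)
    except PermissionError as exc:
        return {"token": token, "approved": False, "reason": str(exc)}
    approved = issuer_accounts.get(pan, 0) >= amount
    return {"token": token, "approved": approved, "reason": "issuer decision"}  # merchant never sees the PAN
```

The merchant-facing response carries only the token, so a breach of merchant systems exposes values that the vault can revoke and re-provision without touching the underlying card.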
The rapid rise of mobile payments and online e-commerce makes tokenization all the more important. With the proliferation of smartphones and tablets, more merchants of all sizes and kinds are accepting digital payments through mobile terminals. Furthermore, more commerce is happening on the internet. Tokens remove sensitive account information from these diverse environments, lowering the possibility of fraud and data breaches, hence improving trust and security in the digital commerce environment.
Looking further into the future, the portfolio of connected devices will grow beyond smartphones to include wearables and connected home appliances. The internet of things, or IoT, is becoming mainstream. The growth is happening quickly and the industry is bullish on future developments. Cisco predicts that there will be 50 billion devices connected to the internet by 2020. The world’s population is predicted to hit 7.7 billion people that same year. And according to Gartner, by 2020 more than half of new business processes and systems will incorporate some element of the internet of things.
In such a future, tokenization removes the need to put sensitive account information into all these devices, paving the way to securely transform any connected device into a payment vehicle.