Steven Anderson of PaymentWeek recently observed that tokenization is a critical aspect of the mobile payments revolution.
Essentially, tokenization protects payment credentials by replacing them with a randomly generated number that resembles the customer’s primary account number (PAN). The unique identifier, known as a ‘payment token’ or ‘tokenized PAN’, is worthless if stolen, as it acts as a reference for a consumer’s original card data which only the card networks and the consumer’s bank can map back to the original account.
“It’s one of the best ways to protect mobile payment information and some believe that tokenization is so critical to the mobile payments concept that [mobile payments] can’t reach its full potential without tokenization,” Anderson explained. “Basically, thanks to the growing number of mobile payments options there are out there—not just in platform, but also in places that accept said payments—there are as a result more potential failure points for security and more points where data can be intercepted, stolen and misused.”
As Anderson points out, while major breaches seem to be on the decline, there are still plenty of examples out there that will give any user pause.
“Tokenization works to protect data both in transit—being routed between platforms and agencies—and at rest, where a payment record is being stored for later referral or the like,” he continued. “Plus, with that data safely stored, there’s a clear value for things like loyalty programs and big data analysis, which are useful for the companies that accept the payments as they can use this data to offer new options.”
In addition, says Anderson, tokenization helps facilitate other technologies such as host card emulation (HCE). Put simply, mobile payment credentials have traditionally been stored in a smartphone hardware component known as the secure element (SE).
The SE can perhaps best be described as a tamper resistant hardware platform, capable of securely hosting applications and storing confidential and cryptographic data. However, the physical presence of an SE in the device creates dependencies and complexities that make it difficult and expensive within the NFC ecosystem to interact efficiently. For example, an application issuer would require agreements with a number of SE issuers who, in turn, need to connect with different types of mobile handsets.
HCE provides a bridge between the point-of-sale (POS), the remote SE and service provider, such as an issuing bank. Moreover, HCE does not require any changes to acquiring infrastructure nor optimization to specifically support NFC. Indeed, HCE is a technology that emulates a payment card on a mobile device using only software. By moving the SE to the remote environment of the cloud, the cost and complexity of managing a physical SE can be reduced significantly. HCE also allows consumers to make contactless payments, even without an internet connection, by using preloaded tokens.
Interested in learning more? You can check out our ebook on tokenization: