Mobile Tokenization Solves Payments Security Woes

LoopPay, founded in 2013, is a provider of a mobile wallet solution that currently works for most existing retail locations. LoopPay Chief Technologist George Wallner sat down with MPD CEO Karen Webster to  explain why he believes Loop is not only a technology breakthrough but a superior technology solution that that can be implemented right now.

Loop’s MST (magnetic secure transmission) technology formats card data into simulated magnetic stripe tracks and transmits them via a pulsed magnetic field which can be read by any POS terminal that accepts a mag stripe today. Loop takes this process one step future by doing something Wallner calls “Mobile Tokenization” which uses Host Card Emulation to tokenize and distribute cardholder data that is presented to a retailer’s existing mag stripe terminal via Loop’s MST technology. Tokens are issued by a secure, central location.

Webster got Wallner to open up about why Mobile Tokenization is not only available now, but is a far better security solution for retailers than EMV, at a much, much reduced cost since it puts the risk of keeping the job of authenticating cardholder data with the issuer, who would issue the tokens, which is where Wallner says that responsibility belongs.

KW: So the environment that is necessary to secure mobile payments, I imagine, has to be very different than what is used in the physical card environment, which is really about a single card with static data.  The mobile environment is all about lots of methods to pay, all encapsulated in a container or a wallet that is hosted, so to speak, by a mobile phone.  What security challenges does that present and why?

GW: A card is manufactured in a second facility, and especially a smart card which is made in a secure environment and is encapsulated and sealed.  And then it’s shipped out to the user.  A mobile phone, at no point in the transaction cycle, will be under the control of the card issuer.  Therefore, a mobile phone is much more difficult to make secure, much more difficult to turn into a secure, trusted entity.  And there have been a lot of efforts to do that and I believe that the global platform and the provisioning system used today by many third party wallets don’t achieve that particularly.  But the complexity they bring about is very high and, therefore they — it has to come friction to the needs of card provisioning to get used by consumers.

KW: The ingenious aspect of Loop is that it uses technology to basically communicate with existing point-of-sale terminals so that those terminals believe that they are simply processing a mag stripe transaction.  But if in fact those machines think that they’re processing a mag stripe transaction, and mag strip is the security vulnerability that we’re trying to work our way out from under, what makes Loop’s solution so secure?

GW: What makes Loop secure is that we are able to change the data that we transmit from static data to a token which changes with every transaction.  And once a token is transmitted and used in a transaction, it expires and is no longer usable in a subsequent transaction.  By modifying the card data, Loop adds security, keeping it compatible with the existing retail infrastructure.  So the retailer can possess secure transactions without having to upgrade his hardware or software.  We think that this is about the easiest way to add security to the existing card acceptance involvement. 

KW: You’ve mentioned in some of our earlier conversations that the mobile phone environment really takes a transaction out of the control of the issuer. Does Loop put that control somewhat back in the hands of the issuer?

GW: That’s correct.  What Loop does is deliver a secure transaction that contains the token that is generated by the card issuer.  So if a card can create a code token, Loop relies on the card issuer to generate the tokens used in transactions.  The issuer authenticates the cardholder just as they do today.

KW: So what has to happen on the back end to facilitate the Loop mobile payment environment?  Merchants don’t have to do anything.  Does anyone else? 

GW: Yes, the card issuers have to support the token generation, the token validation.  It’s a relatively easy process, but it does require new software.  This software is very similar to what is used for authorizing NFC transactions.  Where Loop is significantly different, apart from being compatible with the existing retail infrastructure, is that a provisioning of tokens into the phone is significantly simpler than the provisioning being used in alternative mobile payment methods. Because the phone does not have the ability to make its own tokens, it doesn’t need the same level of security as an NFC phone would require.  And all through the process, the card issuer is in charge.  Every token used is actually created by the card issuer system.  So the card issuer can control where and how a token is transmitted to the phone, and can essentially dole out the tokens on an as-needed basis.

KW: So, today, if I have a Loop device attached to my phone, and I go to a merchant today and initiate a transaction, I can do that without the issuer having to be involved. What’s different with this new mobile tokenization capability you mentioned? 

GW: Loop can do the transactions today in static mode, where the card data is just the static mag strip data, but that doesn’t add security.  To add security, Loop has to be used in its tokenized dynamic mode.  And that requires the card issuer to support that mode.

KW: Consumers are going mobile anyway.  It’s the future we just don’t know all of the details yet. Issuers and networks like the tokenization concept.  Why isn’t this mobile tokenization solution something that we stop right now and deploy as a solution that really accomplishes all of that outside of the EMV path that we’re currently taking?

 GW: Well, to be fair, what I am talking about is not an alternative to EMV. Loop provides tokenization for mobile payments to replace the magnetic stripe cards and protect mobile payments but, at the same time, add security to them.  Tokenization is a great solution to add security without creating a very risky or very complex infrastructure.  The only thing that has been missing until now is the means of delivering the tokens to the point-of-sale.  And that’s where Loop has a breakthrough.  It essentially enables tokenized card delivery through the existing card readers and retail systems.

KW: Let’s talk about the consumer side. We know you’ve had your fob in the market, in sort of a prototype testing kind of an environment, but you’ve evolved the form factor significantly and that should be in market soon.  Give us a sense of the timeframe associated with that and what else you’re doing along those lines.

GW: The fobs are being tested today and we are getting extremely valuable data, some interesting numbers.  We have users that use their mobile phone or fob to pay with more than six times a week. So they derive some enjoyment from paying with their phones. We also have another product coming out in the early-May timeframe that is similar to the charge case but it contains a small detachable unit that is just like the fob.  It can deliver what we call “Button Pay” where the fob is detached and the press of a button initiates the transmission of a default card.  And a lot of people like using their fob in the detached mode. The product that will contain a sleeve and a detachable module will essentially combine the two:  you can pay with your phone but, when you have to, you can detach the payment part and you can give it away to the restaurant or some other situation.

With Loop, we think we’ve managed to achieve a breakthrough where we can deliver mobile payments without having to change the point-of-sale.  When we add tokenization to this, we will create a secure mobile environment that will not require a complex, cumbersome, and slow support infrastructure.

KW: Thanks, George, for taking the time to share this interesting mobile security alternative with me today. Sounds like a simple and secure alternative that can be made available to all merchants without a whole lot of additional cost in a relatively short timeframe.

 GW:  Yes, that’s right. If securing cardholder data as quickly as possible is the objective at a reasonable cost, then we think what Loop enables thru mobile tokenization is a real breakthrough.

For more information on Loop’s Mobile Tokenization technology, please download their free white paper with a complete technical explanation and architecture diagrams.