Payments tokenization has its challenges and rewards, but retailers must be especially vigilant about choosing and implementing the right technology to ensure effective measures against fraud.
In a white paper titled “Navigating the Challenges and Benefits of Tokenization,” payments firm ACI Worldwide indicates that tokenization, with its unique technology and processes, is ideal for retailers looking for an added layer of protection against criminal activity.
By now companies and consumers alike are well aware of the dangers of cyberfraud. Millions of customer records have been compromised in the wake of high-profile breaches in just the past few years alone, with marquee names such as Target, JPMorgan, and Blue Cross Blue Shield among the recent victims. The impact of such attacks can be both profound and far-reaching, as monetary losses are immediately felt and customer relationships can become permanently frayed (which in turn can have a lasting, negative effect on the bottom line).
One of the easiest ways for cybercriminals to profit from data breaches is the theft of identity information and payment card data – and as a result, retailers are among the most profitable and vulnerable targets for hackers. Threats can even come from within an organization, if payment card data is stored without safeguards in place to prevent a firm’s workers from using the payment card details in an illegal manner.
Against this backdrop, tokenization is becoming more popular in the fight by retailers against payment card fraud. A survey by ACI Worldwide and Forrester shows that 34 percent of retailers have deployed the technology, and another 36 percent are in the midst of conducting pilot programs.
A bit about tokenization in terms of technology and process: Tokenization replaces a primary account number (PAN) with a unique set of numbers in a defined sequence. The transaction data, notes ACI, then becomes useless to would-be payment information thieves, because they cannot reverse the number set to recover the data as it was originally transmitted. The end result is that sensitive information is protected, data breaches are short-circuited before they even start, and corporate reputations remain protected.
One retailer practice that has been spurring continued use of tokenization, according to ACI, is the “card on file” model, which has meant that key retailers relying on mobile payments and eWallets have adopted tokens as part of their secure payments efforts. In one example, merchants can store unique tokens within an eWallet, which the customer can use to make transactions, and the retailer never needs to receive the PAN. There’s a dual benefit here: the safety of customer data is assured, while the transaction itself is simplified through the mobile experience.
Tokenization can also work in cross-channel transactions, according to ACI, which combine “card present” and “card not present” elements. By way of example, a customer can order goods online and then travel to a physical store to pick them up, using a token to complete the transaction while the payments system fills in the original details.
For retailers themselves, there is an added benefit to tokenization: the need to store sensitive data is greatly reduced or even eliminated, which helps reduce both the scope and cost of PCI DSS compliance in back-end operations. Tokens can also be used with both existing and future payments technologies, reducing technology support costs.
The adoption of a tokenization strategy does have its challenges, finds ACI.
First, there are implementation challenges. Chargebacks take between 30 and 60 days of processing time, and in the midst of this retailers must find the best way for their organizations to handle card information and reconciliation with cards on file while they implement a tokenization system. Tokens can be run alongside card numbers to smooth out the process, says ACI. Similar issues can arise during order reconciliation, in terms of returns and credits, so the same user ID must be in place from authorization of a transaction to settlement.
In another consideration, velocity rules that are specific to card numbers may also be impacted during the transition to tokenization, and that may leave open some vulnerabilities to fraud. That means it is necessary to test the token process to ensure low false positives. Even “black and white” lists, or negative and/or positive customer lists tied to card numbers, should be tokenized, recommends ACI. For retailers, multi-use tokens are optimal to track the effectiveness of fraud defenses. A multi-use token is one that is assigned to a specific card, and is used repeatedly across any number of transactions.
For retailers it is important to retain some key bits of information, including the bank identification number, which offers a definition of the issuer, the card type and the country of issuance, recommends the research firm. This helps with fraud tracking and pattern identification.
For the customers themselves, if, for example, goods are being returned, it can help to retain the last four digits of a card within a token in order to make sure the experience is an easy one from the consumers’ point of view.
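The points above about multi-use tokens, token-keyed velocity rules and tokenized negative lists can be sketched together; this is an added example, not code from ACI or the white paper. The class names, the token layout (BIN, random middle digits, last four), the threshold of three transactions per ten minutes and the card numbers are all assumptions made for illustration.

```python
import secrets
from collections import defaultdict, deque

class TokenVault:
    """Toy in-memory vault: one multi-use token per PAN, BIN and last four kept."""
    def __init__(self):
        self._token_by_pan, self._pan_by_token = {}, {}

    def tokenize(self, pan: str) -> str:
        if pan in self._token_by_pan:      # multi-use: same card, same token
            return self._token_by_pan[pan]
        while True:                        # random middle digits, not derived from the PAN
            middle = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 10))
            token = pan[:6] + middle + pan[-4:]
            if token != pan and token not in self._pan_by_token:
                break
        self._token_by_pan[pan] = token
        self._pan_by_token[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        return self._pan_by_token[token]   # only the vault can map back

class FraudScreen:
    """Velocity rule and negative list keyed on tokens, not card numbers."""
    def __init__(self, max_txns: int, window_s: int):
        self.max_txns, self.window_s = max_txns, window_s
        self.denied = set()
        self._seen = defaultdict(deque)

    def check(self, token: str, ts: int) -> str:
        if token in self.denied:
            return "deny:negative-list"
        recent = self._seen[token]
        while recent and ts - recent[0] >= self.window_s:
            recent.popleft()               # drop timestamps outside the window
        recent.append(ts)
        return "review:velocity" if len(recent) > self.max_txns else "allow"

def demo():
    vault, screen = TokenVault(), FraudScreen(max_txns=3, window_s=600)
    card_a, card_b = "4111111111111111", "5500005555555559"  # constructed test PANs
    screen.denied.add(vault.tokenize(card_b))  # negative list migrated to tokens
    results = [screen.check(vault.tokenize(card_a), t) for t in (0, 60, 120, 180, 900)]
    results.append(screen.check(vault.tokenize(card_b), 1000))
    return vault.tokenize(card_a), results

if __name__ == "__main__":
    print(demo())
```

Because the token is stable per card, the fourth transaction inside the window still trips the velocity rule; with single-use tokens each transaction would present a new key and the rule would never fire.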
Finally, ACI recommends that if a merchant is signed up with a fraud intelligence service, the solutions provider be given the original card information; otherwise tracking effectiveness would be diluted as different merchants use different tokens across the transaction.