When it comes to personally identifiable information (PII), the words of Gandalf are a good rule for individuals to live by: “Keep it secret. Keep it safe.” But caution will only do consumers so much good, unless the organizations to whom the PII is entrusted also keep it secret and safe.
Chakib Bouda, CTO of Rambus, says that’s what tokenization can do. Since the early 2000s, tokens have been available as a means of obscuring sensitive data by replacing it with a surrogate value. Now, said Bouda, network tokens have also been developed to leverage the EMV standards that were introduced by card networks when contactless mobile wallets made their debut in 2014.
The problems of security, data breaches, identity verification and user authentication just keep getting bigger. In eCommerce, for example, card-not-present fraud has climbed 250 percent since 2012. That growth in fraud isn’t just increasing costs; it’s also blunting growth in digital retail channels.
On the consumer side, Bouda noted that the biggest threat is not to financial data — that is, consumers’ credit card numbers or credit scores — but to their very identities, including details like the number of children they have, what kind of car they drive, the places they frequently go and the names of their pets.
With those types of details, fraudsters can steal something much more valuable than money: They can steal an entire person. Many industry players are trying to solve, or at least mitigate, these threats. Bouda would argue that the solution is already right in front of us in the form of tokenization.
“We’ve built the plumbing,” Bouda said. “Let’s take advantage of that. We can use tokenization as it is; the framework could be applied anywhere.”
In a recent webinar with Karen Webster titled “Tokenization’s Next Frontier,” Bouda outlined how tokenization works, the ways in which it could begin to answer some of today’s most pressing issues and why it’s worth the growing pains that merchants and others will experience during the transition.
What’s in a Token?
More important than what’s in a token is what’s not in it: a single digit of personal or sensitive data.
When a customer uses Apple Pay at a physical point of sale, their 16-digit credit card number is never transmitted or exposed. Instead, the terminal requests a token from the shopper’s mobile device. Once the device has sent one, the terminal must validate the token to ensure that it’s genuine.
The token is used in conjunction with a cryptogram — that is, a value that is generated anew with each transaction, like a dynamic CVV code.
Bouda noted that a similar workflow exists when tokenization is used in identity rather than in payments — indeed, there is a lot of common ground between the two.
When a consumer signs up for a service, they must enter their name, email address, phone number, Social Security number and more. As Bouda said, with tokenization, the same customer could go through the system with a key that ties back to their particular phone. Anytime they use that identity, it circles back to the authentication server to verify that the card token is genuine and that the cryptogram aligns.
Bouda says the greatest benefit of network tokens is that they can reduce fraud and add functionality at the same time, thus improving the customer lifecycle.
Imagine that a customer uses Uber and loses their credit card or phone. If Uber doesn’t use network tokens that can immediately reissue and provision the card, then the customer would have to call their bank, get the card re-issued and go into the Uber app to update their payment credentials.
The key to successfully deploying network tokens, said Bouda, is that there would need to be a token for each merchant-consumer relationship. If Uber has a token, then it must only work with Uber. Otherwise, if consumers had just one fully portable token to be used everywhere, it would simply recreate the same problem that currently exists with 16-digit card numbers. Fraudsters would simply have to hack Uber to get the credentials for every customer using the app.
Instead, Bouda said, each consumer would have five or six different tokens that aren’t linked to each other. That way, if someone hacked one merchant or another, the damage would be limited to customers doing business with that merchant, and issuers could simply block the offending merchant rather than putting a hold on the entire card.
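The per-merchant token model described above can be sketched in code. The following is an added example, not code from the article, from Rambus or from any card network: a toy token vault that issues a separate token for each merchant-consumer relationship, pairs each transaction with a one-time cryptogram, and rejects a token presented at the wrong merchant, a replayed cryptogram, a tampered amount, or a merchant the issuer has blocked. The HMAC-SHA256 cryptogram, the transaction counter, the vault and device classes and the merchant names are all assumptions made for illustration; real EMV payment tokenization uses its own key hierarchies and message formats.

```python
"""Toy model of merchant-bound payment tokens with per-transaction cryptograms.

Added example; not from the article or any real tokenization service. The token
format, HMAC-based cryptogram and counter-based replay check are assumptions.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class TokenRecord:
    pan: str              # the real card number; never leaves the vault
    merchant: str         # this token is valid only for this merchant
    key: bytes            # per-token key shared with the consumer's device
    last_counter: int = 0 # highest transaction counter seen (replay check)
    blocked: bool = False # set when the issuer blocks the merchant


def make_cryptogram(key: bytes, token: str, merchant: str,
                    amount_cents: int, counter: int) -> str:
    """Device side: a one-time value bound to token, merchant, amount and counter."""
    msg = f"{token}|{merchant}|{amount_cents}|{counter}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class TokenVault:
    """Issuer/network side: issues tokens and validates token + cryptogram pairs."""

    def __init__(self) -> None:
        self._tokens: Dict[str, TokenRecord] = {}

    def provision(self, pan: str, merchant: str) -> Tuple[str, bytes]:
        token = "tok_" + secrets.token_hex(8)   # surrogate value, no PAN digits
        key = secrets.token_bytes(32)
        self._tokens[token] = TokenRecord(pan, merchant, key)
        return token, key

    def block_merchant(self, merchant: str) -> int:
        """Block every token issued to one merchant; other merchants are unaffected."""
        hit = [r for r in self._tokens.values() if r.merchant == merchant and not r.blocked]
        for rec in hit:
            rec.blocked = True
        return len(hit)

    def validate(self, token: str, merchant: str, amount_cents: int,
                 counter: int, cryptogram: str) -> str:
        rec = self._tokens.get(token)
        if rec is None:
            return "unknown_token"
        if rec.merchant != merchant:
            return "wrong_merchant"        # a token stolen from one merchant is useless elsewhere
        if rec.blocked:
            return "merchant_blocked"
        if counter <= rec.last_counter:
            return "replay"
        expected = make_cryptogram(rec.key, token, merchant, amount_cents, counter)
        if not hmac.compare_digest(expected, cryptogram):
            return "bad_cryptogram"        # amount or other field was altered in transit
        rec.last_counter = counter
        return "approved"


class Device:
    """Consumer's phone: one (token, key, counter) triple per merchant."""

    def __init__(self) -> None:
        self._creds: Dict[str, List] = {}

    def enroll(self, vault: TokenVault, pan: str, merchant: str) -> None:
        token, key = vault.provision(pan, merchant)
        self._creds[merchant] = [token, key, 0]

    def pay(self, merchant: str, amount_cents: int) -> Tuple[str, int, str]:
        cred = self._creds[merchant]
        cred[2] += 1                        # fresh counter, hence fresh cryptogram
        token, key, counter = cred
        return token, counter, make_cryptogram(key, token, merchant, amount_cents, counter)


def demo() -> dict:
    """Walk through the scenarios from the text; constructed data throughout."""
    vault, phone = TokenVault(), Device()
    pan = "4111111111111111"                # constructed test card number
    phone.enroll(vault, pan, "ride-app")
    phone.enroll(vault, pan, "coffee-shop")
    results = {}
    tok, ctr, cg = phone.pay("ride-app", 1250)
    results["legit"] = vault.validate(tok, "ride-app", 1250, ctr, cg)
    results["replay"] = vault.validate(tok, "ride-app", 1250, ctr, cg)
    # A breach at ride-app leaks token + cryptogram; presented elsewhere it fails.
    results["stolen_elsewhere"] = vault.validate(tok, "coffee-shop", 1250, ctr, cg)
    tok2, ctr2, cg2 = phone.pay("ride-app", 500)
    results["tampered_amount"] = vault.validate(tok2, "ride-app", 99900, ctr2, cg2)
    # Issuer blocks only the breached merchant; the other relationship keeps working.
    results["blocked_count"] = vault.block_merchant("ride-app")
    t3, c3, g3 = phone.pay("ride-app", 700)
    results["ride_app_after_block"] = vault.validate(t3, "ride-app", 700, c3, g3)
    t4, c4, g4 = phone.pay("coffee-shop", 350)
    results["coffee_after_block"] = vault.validate(t4, "coffee-shop", 350, c4, g4)
    results["tokens_differ"] = tok != t4
    results["pan_not_in_token"] = pan not in tok
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point the model makes concrete is the one Bouda draws: because each token is bound to one merchant and each cryptogram to one transaction, a dump of one merchant's database yields nothing usable elsewhere, and the issuer can switch off that merchant's tokens without touching the cardholder's other relationships or the card itself.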
“We should’ve done that a long time ago,” Bouda said. “Relying on one card number that is stored across the whole industry is putting all your eggs in one basket.”
The Case for Merchants
Bouda said the industry is doing a lot to mitigate risk, implementing standards such as 3D Secure and 3D Secure 2.0, but there is still a heavy flow of card information that he believes network tokens could help stem if merchants would embrace it.
However, merchants aren’t always sure what would be involved in moving to a new, networked framework. That can hold them back from exploring the possibilities. That’s normal and fine, said Bouda; any new framework comes with growth pains, and transitions must always begin with baby steps away from the old legacy systems.
Especially as organizations migrate away from payment terminals and into the cloud, Bouda said tokenization must be part of the transition — as table stakes, not as a nice-to-have. A better understanding of the benefits could, therefore, be of use.
Today, said Bouda, merchants have payment services providers and gateways storing card information on their behalf. With a token of reference, merchants could talk directly to multiple payment services providers, giving them the opportunity to mitigate risk by load spreading rather than relying solely on a single payment gateway — and without ever having to store a card on file.
Yes, said Bouda, some migration is needed, but he believes it’s worth the effort. Merchants don’t have to begin with the onerous project of replacing point-of-sale terminals. Rather, these changes can occur in the cloud. Merchants that aren’t yet on the cloud will have a tougher migration, but Bouda said they can take small steps by migrating pieces of their portfolio one at a time, as each is about to expire.
“I do understand the pain — it’s not trivial,” Bouda said. “But it comes in handy to use this. Taking baby steps toward a full-blown EMV tokenization will take time, but that’s the way it is with any new technology that will emerge.”