Tokenization. It’s not just for payments. In fact, the concept of protecting an underlying credential through substitution has been around for a while.
In an interview with PYMNTS, David Worthington, vice president of strategic business development for semiconductor and IP products provider Rambus, weighed in on the ways tokenization offers a tailored method to secure payments and sensitive data as they traverse devices, channels and cyberspace — particularly in instances in which consumers and enterprises never meet face-to-face.
From the consumer’s point of view, tokenization is something “that should be invisible … and most of the time, in terms of card payments, [consumers] don’t actually know that it is going on,” Worthington explained. In terms of protection, tokenization masks the underlying credential in payments, like an ID, and provides domain control if there is any breach or exposure.
According to Worthington, in the event a token has been compromised, the breach can be contained and there is no need to reissue the original credential (such as a credit card or debit card). The obvious benefit to the consumer is that if a merchant is breached, only the token associated with that particular merchant needs to be resubmitted. A merchant can request to have all its tokens refreshed to make sure it has a clean bill of eCommerce health and negate any impact of fraud that could come after that breach.
The static process takes into account that speed is important. A “traditional breach” would entail a merchant alerting an issuer to all the cards held on file.
“A number of days after that, in the background, a card issuer will reissue a card and try to warn the consumer that there may be some problems ahead and what the process might be with chargebacks,” Worthington explained.
The presentation of the tokens for reissue, on the other hand, is reliant only on the speed of the merchant to recognize the breach to digital systems. After that, the financial impact across the board — in addition to negative PR — can be short-circuited. This avoids “a few weeks of worry” watching for fraudulent transactions, he said.
“The window of opportunity for the fraudster” is much smaller, Worthington added, in that it only lasts until a token is refreshed and applies to the token’s domain.
Tokenization can also be used to protect data, where information itself is a form of currency, boosting confidence in confidentiality. Think of medical records, which can be safeguarded as they are sent between providers or even medical devices. No patient ID is exposed until the back end of the device or service provider undertakes detokenization, ensuring data is not offered up until it reaches its intended destination.
“Anything where there is a sensitivity to who the underlying endpoint may be” can benefit from tokenization and the masking of data, Worthington said. He offered up the example of protecting a user’s driver’s license or the number of violation points that driver has racked up. Even home security services get a boost from tokenization, where a doorbell with a camera “probably wouldn’t want to send out … the customer’s name or address to every subsidiary service provider” or across data feeds.
Tokenization does not exist in a vacuum, though, and will evolve as so much of commerce does. The next step in terms of an ecosystem is to secure it by digitally signing each event that takes place. That is done in the payments space through cryptograms, including a transaction sequence number.
“I can tell — when I come to see that transaction — that not only is that transaction from [a specific] token, but it is [also] a unique transaction from that token so I can stop an attack,” Worthington said. “The cryptogram shows that keys are being used that are specific to the device being used in that transaction.”
Tokenization is starting to gain traction in other payments and non-card-related areas, too, he said. Mobile wallet growth shows consumers are looking for other ways to transact with third parties.
“Instead of rattling off an email address or a mobile number if somebody wants to pay me, it’s anything you want to … [use to] identify me, and we can make some transaction,” noted Worthington.
Tokenization holds special appeal in the age of mobile devices, he added. It relies on a uniform process and can be tailored in dynamic ways for a specific domain or supplier of Internet of Things (IoT)-enabled services.
Since tokens can be “constrained by domain” to be rendered useless in any other setting, their use is ideal for eCommerce. This is possibly a boon for omnichannel commerce, as the case can be made that tokens “can protect each of [a customer’s] channels.” A breach in one need not contaminate adjacent channels or hit different payment methods, Worthington explained.
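The two controls described above, tokens constrained to a domain and a per-transaction cryptogram that carries a sequence number, can be sketched as follows. This is an added example, not code from Rambus or PYMNTS; the `TokenVault` class, the HMAC-SHA256 cryptogram, the message layout and the test card number are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

def make_cryptogram(key, token, seq, amount):
    # Assumed layout: MAC over token, sequence number and amount (in minor units).
    msg = f"{token}|{seq}|{amount}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()

class TokenVault:
    """Illustrative token service: domain-restricted tokens plus cryptogram checks."""

    def __init__(self):
        self._tokens = {}  # token -> {"pan", "domain", "key", "last_seq"}

    def issue(self, pan, domain):
        token = "tok_" + secrets.token_hex(8)  # random surrogate, not derived from the PAN
        key = secrets.token_bytes(32)          # key provisioned to the device holding the token
        self._tokens[token] = {"pan": pan, "domain": domain, "key": key, "last_seq": 0}
        return token, key

    def refresh(self, domain):
        """After a breach in one domain, retire its tokens; the PAN is never reissued."""
        reissued = {}
        for old in [t for t, r in self._tokens.items() if r["domain"] == domain]:
            rec = self._tokens.pop(old)
            reissued[old] = self.issue(rec["pan"], domain)
        return reissued

    def detokenize(self, token, domain, seq, amount, cryptogram):
        rec = self._tokens.get(token)
        if rec is None:
            return None, "unknown_or_retired_token"
        if rec["domain"] != domain:            # token is useless outside its own domain
            return None, "domain_mismatch"
        expected = make_cryptogram(rec["key"], token, seq, amount)
        if not hmac.compare_digest(expected, cryptogram):
            return None, "bad_cryptogram"
        if seq <= rec["last_seq"]:             # a captured transaction cannot be replayed
            return None, "replayed_sequence"
        rec["last_seq"] = seq
        return rec["pan"], "ok"

if __name__ == "__main__":
    vault = TokenVault()
    tok, key = vault.issue("4111111111111111", "merchant-a")  # constructed test PAN
    c = make_cryptogram(key, tok, 1, 1999)
    print(vault.detokenize(tok, "merchant-a", 1, 1999, c)[1])  # first use
    print(vault.detokenize(tok, "merchant-a", 1, 1999, c)[1])  # same message again
```

Production payment cryptograms follow the card schemes' own specifications; HMAC-SHA256 stands in here only to show how the sequence number and device key bind each transaction.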