While by no means a new concept, tokenization has become a salient topic of late because of the role it may play in securing mobile payments. As technologies like host card emulation become more prominent, tokenization is viewed by many as the way to make cloud-based mobile payments more secure, and thus more viable for mass adoption.
What is Tokenization?
But what is tokenization? In simple terms, it is a form of data security.
As the name suggests, tokenization is the process of creating a “token” that stands in for a piece of sensitive data. The token produced is a non-sensitive, unique piece of data that retains essential information about the sensitive data it represents, without compromising its security. The concept is similar to how a voucher, coupon, or casino chip represents money.
In the context of electronic payments, the ultimate purpose of tokenization is to act as a security measure that works to lessen the threat to sensitive information.
What Role Does Tokenization Play in Mobile Payments?
In order for mobile transactions to be completed, a Personal Account Number (PAN) is required. However, there is an inherent security risk in storing PAN data on the mobile device itself. If somebody were to hack the device and gain access to the PAN, they could theoretically carry out multiple transactions, because they would have the fixed account number needed to do so.
Tokenization helps to mitigate this risk. It obscures the 16-digit PAN data by masking it as a token so that the information is not sent as plain text. Furthermore, because the token is not the PAN itself, it cannot be used outside of a specific, unique transaction. Even if there were a data breach, the account information would still be inaccessible, unless the secure servers which held the information were breached.
Rather than transferring track 2 data, tokenization sends a token to the NFC terminal, which is then relayed to the cloud. The cloud decrypts the token, associates it with the right PAN, and sends the PAN data back to the NFC terminal.
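A minimal sketch of the flow described above, added here as an illustration and not taken from any payment network's implementation: a cloud-side vault issues a single-use token that keeps only the PAN's length and last four digits, and resolves it to the PAN exactly once. The `TokenVault` class, its method names and the sample PAN are hypothetical, and the sketch uses random tokens looked up in a table rather than a token that is decrypted.

```python
import secrets


class TokenVault:
    """Cloud-side vault: the only place a token can be mapped back to a PAN."""

    def __init__(self):
        self._tokens = {}  # token -> PAN, held only until the token is redeemed

    def issue_token(self, pan: str) -> str:
        """Return a random single-use token shaped like the PAN (same length, same last four)."""
        if not (pan.isascii() and pan.isdigit() and len(pan) == 16):
            raise ValueError("expected a 16-digit PAN")
        while True:
            # The first 12 digits are random, so they reveal nothing about the PAN.
            body = "".join(secrets.choice("0123456789") for _ in range(12))
            token = body + pan[-4:]
            # Never hand out the PAN itself or a token that is still outstanding.
            if token != pan and token not in self._tokens:
                self._tokens[token] = pan
                return token

    def redeem(self, token: str) -> str:
        """Resolve a token to its PAN once; a replayed or unknown token is rejected."""
        pan = self._tokens.pop(token, None)
        if pan is None:
            raise KeyError("unknown or already used token")
        return pan


def demo():
    """Issue a token, redeem it, then show that replaying it fails."""
    vault = TokenVault()
    pan = "4111111111111111"  # constructed sample value, not a real account
    token = vault.issue_token(pan)   # this is what the device would present
    resolved = vault.redeem(token)   # cloud side maps the token back to the PAN
    try:
        vault.redeem(token)          # a captured token presented a second time
        replay_accepted = True
    except KeyError:
        replay_accepted = False
    return token, resolved, replay_accepted


if __name__ == "__main__":
    token, resolved, replay_accepted = demo()
    print("token:", token, "| resolved ok:", resolved.endswith(token[-4:]),
          "| replay accepted:", replay_accepted)
```

A token captured from the device or in transit is useless once redeemed; the mapping to the PAN exists only inside the vault, which is why the vault itself is the asset to protect.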
Tokenization and Host Card Emulation
Due to the nature of tokenization, it is being considered as one of the best solutions for securing HCE mobile transactions.
HCE moves the account information into the cloud, which eliminates the need to store it in the mobile device’s secure element. But, to enable mobile transactions to take place securely, there needs to be a way to ensure the security of the sensitive information. Along with measures like secure account reload and limited use keys, tokenization is at the top of the list as a potential solution.
Barriers to Market Adoption of Tokenization
Though we have yet to see the storage, creation, and validation of tokens enter the market on any significant scale, there is massive potential for tokenization to play an integral role in the way that mobile payments develop and evolve. It may very well be the key to transforming the mobile wallet from closed to open loop. As it stands, there are a number of significant barriers preventing the adoption of tokenization, including:
- developing the technological infrastructure
- developing the institutional infrastructure
- having a token generation/validation body with common standards
- consumer adoption
But, as Jay Weber of FIS points out, the benefits of tokenization far outweigh the barriers to adoption. For one, it lowers the likelihood of sensitive account information being compromised in the event of a data breach. Given the succession of data breaches that have plagued some larger corporations, this is a major advantage. It can also potentially reduce the compliance burden if correctly implemented, among myriad other benefits.
Ultimately, a number of factors will influence the role of tokenization in regard to mobile payments. The payments industry will need to find some common ground on how tokenization manifests, for both security and practicality reasons. As it stands, tokenization is becoming a battleground for competing proposals. The lack of consensus on this level consequently affects merchant adoption. To see true market adoption, there needs to be a consistent framework to introduce a solution that works for issuers, processors and merchants alike.