Payments security vastly improved by ‘tokenisation’ according to report

Out-Law News | 26 Sep 2014 | 3:18 pm | 1 min. read

Developments around ‘tokenisation’ should help to “instil confidence in a payments environment challenged by more frequent data breaches” and fraud, according to a report released by the Federal Reserve Bank of Boston.

The June 2014 report from the US Federal Reserve's Mobile Payments Industry Workgroup (MPIW), which was released on 24 September (16-page / 320 KB PDF), defined tokenisation as the process of “randomly generating substitute value to replace sensitive information”.

The report said: “When used for financial transactions, tokens replace payment credentials, such as bank account and credit/debit card numbers. The ability to remove actual payment credentials from the transaction flow can improve the security of the payment and is a key benefit of tokenisation.”

However, the report said some “hurdles” remain before tokenisation receives broad adoption by industry, “particularly around standards and coordination of the different solutions”.

According to the report, “the key goal of tokenisation” is to protect the 13 to 19-digit primary account number (PAN) embossed on a plastic bank or credit card and encoded on the card’s magnetic stripe. “The PAN identifies the card issuer in the first six digits, known as the bank identification number (BIN), as well as the individual cardholder account (generally the final four digits), and includes a check digit for authentication.”

Tokenisation “eliminates the need for merchants to store the full PAN on their network systems for exception processing or to resolve disputes”, the report said. “Replacing PANs with tokens can reduce the financial impact resulting from data compromise, theft, or unintended disclosure during disposal. While data breach prevention is the key to reducing the risk of compromise, tokenisation has the benefit of making the compromised data less valuable.”
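The mechanism the report describes, as an added illustration that is not part of the Out-Law article or the MPIW report: a PAN is split into BIN, account number and Luhn check digit, and a random, format-preserving token is generated in its place and kept in a vault that only the tokenising service can read back. The design choices here (one multi-use token per PAN, the last four digits kept so a merchant can still match a receipt or a dispute to a transaction, tokens that pass the Luhn test so legacy format checks accept them) are this example's assumptions, not something the report specifies; the card number used is the well-known 4111 1111 1111 1111 test number, not a real account.

```python
"""Toy payment-card tokenisation vault (added example, not from the MPIW report).

The tokenising service holds the only mapping between real PANs and tokens;
everything downstream (merchant databases, logs, dispute files) sees tokens
only, which is the "compromised data less valuable" effect the report describes.
"""
import secrets


def luhn_check_digit(digits: str) -> str:
    """Return the check digit that makes digits + check pass the Luhn test."""
    total = 0
    # Walk from the right: the digit immediately left of the check digit is doubled.
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(pan: str) -> bool:
    """True for a 13-19 digit string whose last digit is a correct Luhn check digit."""
    return pan.isdigit() and 13 <= len(pan) <= 19 and luhn_check_digit(pan[:-1]) == pan[-1]


def pan_parts(pan: str) -> dict:
    """Split a PAN the way the report describes it: BIN, account number, check digit."""
    if not luhn_valid(pan):
        raise ValueError("not a well-formed PAN")
    return {"bin": pan[:6], "account": pan[6:-1], "check": pan[-1]}


class TokenVault:
    """In-memory stand-in for the tokenising service's vault (assumption: a real
    vault is a separate, access-controlled system, never the merchant's database)."""

    def __init__(self) -> None:
        self._pan_to_token: dict[str, str] = {}
        self._token_to_pan: dict[str, str] = {}

    def tokenise(self, pan: str) -> str:
        """Return the token for pan, generating a random one on first sight.

        Assumptions of this demo: the BIN and account digits are replaced by
        random digits, the last four digits are preserved for exception
        processing, and the result is Luhn-valid so format checks still pass.
        """
        if not luhn_valid(pan):
            raise ValueError("refusing to tokenise a malformed PAN")
        if pan in self._pan_to_token:
            return self._pan_to_token[pan]
        while True:
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # Reject a token that equals a real PAN or is already in use; retry
            # until the random body happens to make the preserved check digit correct.
            if token == pan or token in self._token_to_pan or token in self._pan_to_token:
                continue
            if luhn_valid(token):
                break
        self._pan_to_token[pan] = token
        self._token_to_pan[token] = pan
        return token

    def detokenise(self, token: str) -> str:
        """Only the vault can map a token back; unknown tokens raise KeyError."""
        return self._token_to_pan[token]


if __name__ == "__main__":
    test_pan = "4111111111111111"  # constructed: the standard Visa test number
    vault = TokenVault()
    print("parts :", pan_parts(test_pan))
    tok = vault.tokenise(test_pan)
    print("token :", tok, "luhn ok:", luhn_valid(tok))
    print("stored by merchant:", tok, "-> vault resolves to", vault.detokenise(tok))
```

Note that a breached merchant database holding only tokens gives an attacker nothing usable without the vault, which is why the report treats tokenisation as a way to shrink the blast radius of a breach rather than as a replacement for breach prevention.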

The report said that while tokenisation is not a new concept, “emerging proximity and remote payment types... have accelerated demand for payment-related token usage”.

EMVCo, which was formed in 1999 by Europay International, MasterCard International and Visa International to manage, maintain and enhance the EMV specifications for payment systems, has proposed including ‘card-on-file merchant’, ‘digital wallet’ and other payment types as representative use cases for tokenisation deployment, the report said.

According to the report: “What is new about tokenisation is the need for interoperable, open standards, and the increasing desire to replace payment card or bank account numbers with tokens for point-of-sale, online, or mobile payments.”

“However, it is important to note that tokenisation alone is not a panacea to the security challenges faced by the payments industry,” the report said. “Any approach to security must be layered in order to prevent future compromises.”

The MPIW said a new ‘tokenisation sub-group’ had been formed to further investigate issues involved and to “conduct a multi-stakeholder assessment that will include mobile payments industry perspectives on the challenges and opportunities surrounding payment tokenisation initiatives”.