In February this year, a White House Summit on Cyber Security devoted a whole day entirely to payments.
Subsequently, the Wall Street Journal published an article highlighting actions that companies such as Visa and MasterCard are taking to address cybersecurity, in which Visa CEO Charlie Scharf said: “Removing card account numbers from the processing and storage of payments represents one of the most innovative and promising technologies we’ve seen in decades.” Soon after, the NRF (National Retail Federation) issued an “Open letter to President Obama” on defending against cyberattacks, endorsing tokenization and Point-to-Point Encryption.
All of this coverage of tokenization demonstrates how the subject has become of mainstream interest. But what is it all about?
The diagram below shows the key market trends, opportunities and threats that have led to companies actively seeking to deploy tokenization.
In short, tokenization is the process of substituting a sensitive data element with a non-sensitive equivalent, referred to as a token, which has minimal extrinsic value or exploitable meaning.
For example, a 16-digit credit/debit card number such as 1234-5555-3456-7666 might be transformed into the token ar6g-7hra-h8ab-9bgd.
In a typical vault-based solution, the translation from card data to tokens is done via a ‘Vault’. In an ideal implementation only the ‘Vault’ and a minimal set of payment processing applications, where stringent security controls apply, would handle clear payment data; the rest of the environment would use tokens. Without access to the Vault, tokens cannot be exchanged for the actual data (e.g. credit card numbers or names). There are a number of different solutions and vendors, with different factors for consideration:
- Vault vs. Vault-less
- On-premise vs. Cloud
- Format preserving vs. non-format preserving
- PII tokenization capability
In Europe, a number of payment service providers (PSPs) and other specialized vendors have been providing these solutions for merchants over the last decade. In the USA, along with EMV compliance set for Oct 2015, the focus for tokenization from the payments networks will be on contactless and mobile payments.
- VISA and MasterCard both have launched a tokenization offering
- A number of major PSPs are providing tokenization-as-a-service
What’s the value?
Tokenization delivers business value by reducing risk through reducing the sensitivity of data in the system. This typically means that investment for protecting sensitive payment data can be focused on one vault and a minimal set of critical payment processing solutions, thereby reducing the risk surface and leading to greater business efficiency.
Tokenization also brings operational benefits, especially in the analytics and data mining space. A token can be used as a unique identifier for the customer on any system across an enterprise. This is a powerful feature that can support complicated analytics processes while minimizing challenges associated with stringent local data privacy and payments security compliance.
How Accenture can help
Accenture started working on tokenization in our Security practice about five years ago, when the technology was first used to reduce the scope of PCI DSS compliance for card payments, primarily in retailers, by turning credit/debit card data into tokens and using the tokens as a substitute for real card data in their systems. With the roll-out of EMV in Europe and PCI standards, merchants were assigned greater accountability and responsibility in managing risks in the payment ecosystem. The key business driver then was PCI compliance and a reduction in compliance management costs.
We have delivered numerous tokenization projects, including biometric ones (from behavioral biometrics to multi-modal biometrics in banking) similar to those mentioned in the White House briefing article.
Some of our innovative solutions include:
- Tokenization in the cloud
- Tokenization & Point-to-Point Encryption for contactless payment
- Biometrics in banking and payments
- Multi-Tokenization engine & Payment gateway transition
Like other risk reduction technologies, tokenization is not a silver bullet and it comes with its own set of challenges. One of the major challenges that we have experienced is ensuring that the solution is appropriate and future proof, i.e. the solution fits well along the whole chain from PED (PIN entry device) to merchant acquirer and integrates easily with new partners and third parties as the business changes. Other issues include high-value tokens and collisions (tokens are generated from random values, so occasionally a duplicate is produced).
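To make the vault-based model described earlier concrete, and to show the collision check that the last point calls for, here is an added illustrative example (not Accenture's code or any vendor's product): a minimal vault that issues random tokens in either a format-preserving or an opaque form, retries when a candidate token collides, and reverses the mapping only through the vault. The keep-last-four policy and the rule of rejecting Luhn-valid candidates are assumptions for the demo, and the card numbers are standard test values, not real cards.

```python
import secrets
import string

# Constructed sample values for the demo (standard test PANs, not real cards).
SAMPLE_PANS = ["4111111111111111", "5555555555554444"]


def luhn_valid(digits: str) -> bool:
    """Luhn check; used so that no issued token can pass as a real card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Illustrative vault-based tokenizer: only the vault holds the PAN mapping."""

    def __init__(self, format_preserving=True, max_attempts=16):
        self.format_preserving = format_preserving
        self.max_attempts = max_attempts
        self._pan_to_token = {}  # PAN -> token (one stable token per PAN)
        self._token_to_pan = {}  # token -> PAN (the sensitive mapping)

    def _candidate(self, pan):
        if self.format_preserving:
            # Same length, digits only, last four kept for receipts (assumed policy);
            # the random middle digits are not derived from the PAN in any way.
            body = "".join(secrets.choice(string.digits) for _ in range(len(pan) - 4))
            return body + pan[-4:]
        return secrets.token_urlsafe(12)  # opaque token where no format constraint exists

    def tokenize(self, pan):
        if pan in self._pan_to_token:  # reuse, so the token doubles as a customer id
            return self._pan_to_token[pan]
        for _ in range(self.max_attempts):
            token = self._candidate(pan)
            # Reject a collision with an existing token, and reject any candidate that
            # is Luhn-valid (including the PAN itself) so it is never mistaken for a PAN.
            if token in self._token_to_pan or (self.format_preserving and luhn_valid(token)):
                continue
            self._pan_to_token[pan] = token
            self._token_to_pan[token] = pan
            return token
        raise RuntimeError("no unique token found; token space too small for the vault")

    def detokenize(self, token):
        # Only a caller holding the vault can reverse a token; everything else is opaque.
        return self._token_to_pan[token]
```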
As the world moves away from just PCI compliance and focuses on wider risk management, tokenization is seen as one of the key enablers and is fast becoming one of the major payment trends in 2015.