Tokenization as an Approach to Information Protection for Mobile Payments

Apple Pay and major credit card companies are backing projects to help improve digital payment security with tokenization.

Corey Wilburn
Corey Wilburn

Mobile payments processors are increasingly relying upon tokenization to improve security. Apple Pay is reliant upon this technology, as are major credit card companies like Mastercard, American Express and Visa. The herd is backing projects to help improve digital security with tokenization in droves.

Insecure payment processing schemes leave merchants, card holders and card companies vulnerable. This kind of crime results in the loss of money and reputations.

For instance, in 2014, online and mobile credit card fraud resulted in losses of $16 billion. That same year, digital criminals targeted almost 13 million Americans; and well over a quarter of consumers won't deal with a merchant again after they suffer from credit card fraud.

We’re all familiar with 16-digit credit card numbers. These numbers are called the primary account number (PAN). The PAN and the card expiration date make up typical payment credentials. This information is clearly visible on major credit cards. Consumers can use these credentials to make purchases almost anywhere.

Of course, digital criminals can also use those same credentials to steal money or make illegal purchases. They might take the information by compromising payment processors, phones and even ATM machines. Most people have read about several high-profile hacks that resulted in bad press and financial losses. Some consumers have grown reluctant to make online or mobile payments because they fear becoming the victim of fraud.

Some tokenization platforms roll up into a system as one of the many flavors of encryption that it can support. The concept is relatively straightforward. Instead of storing sensitive information, which would be credit card numbers, Social Security numbers or basically any field in a database, the tokenization platform replaces that entry with seemingly junk data. This token is then referenced to a secure vault that exists separate from the database that supports your web-based operations (usually where a company receives this information from their customers). The actual card information and Social Security numbers are stored in a separate system only accessible by the platform. A token manager acts as an intermediary service that helps manage tokenized fields in your production database, while ensuring that only the right resources access the protected information when it is necessary. 

A great attack scenario to evaluate is the exploitation of a flaw in your web or database design that would allow a bad actor to dump out data fields from your systems. If they were to exfiltrate fields that were originally intended to contain your customer credit card numbers, they would only receive the tokenized data, or essentially junk data, which has no value to them. As this is not a hash-based generation, or traditional encryption process, there is no way that any brute force efforts would be able to unmask the original data used to generate the token.

The great thing about this is that your customers don't experience any difference when they use their stored card information for payment. The end-user experience is completely transparent—enhanced security with little impact to those that benefit the most from the tokenization process.

The Future of Tokenization

Most likely, the use of tokenization will continue to grow. At the same time, it's only one method of securing payments and sensitive information, and may not be the best option for every payment processor or card issuer. Individual companies will need to evaluate if tokenization is right for them, their customers and the data they are entrusted with.