Payment tokenization is a straightforward concept that aims not to confuse, but further protect both customers and merchants alike without making any additional demands on either party.
Picture yourself purchasing tickets for a theater performance with your new Apple Watch. While making the purchase, your Primary Account Number (PAN) or banking information is not used to initiate the transaction. Even the Apple Watch itself doesn’t store these details. This heightened level of security is made possible by payment tokenization.
Let’s take a deeper look.
EMV (Chip) Technology
Using an embedded microchip instead of a magnetic stripe on a credit card is considered more secure against cloning credit cards for counterfeit use. EMV accomplishes this using advanced cryptography and cardholder verification methods.
If a traditional magnetic stripe card is swiped at a magnetic stripe terminal, and the purchase is a counterfeit transaction, the merchant is generally not liable. However, if a chip card is used at a magnetic stripe terminal, and the purchase is a counterfeit transaction, the merchant is liable. This is because the issuing bank has made the investment in the chip technology to make the transaction more secure while the merchant did not invest in upgrading to handle chip card transaction.
And while merchants upgrade their payment terminals to accept chip card transactions, merchants should ensure they are also capable of handling contactless transactions.
If a customer wants to use their Apple Watch or iPhone to pay for their purchase, they are in fact using EMV contactless as a payment method. Apple Pay increases the security of EMV contactless by using payment tokens. When Apple Pay is used as a payment method, merchants are not held liable if there is a counterfeit transaction as cardholders are verified using the Touch ID (scanning of the fingerprint) or entering their passcode.
EMVCo, an entity represented by several of the major credit card brands, developed the EMV Payment Tokenization standard for securing credit and debit card payments made via mobile handsets, tablet computers and online channels. Apple Pay is one instance which leverages this standard.
What Is a Token?
To many people, tokens are a type of coin used to play games at an arcade, or operate washers and dryers at the Laundromat. In these examples, a token is used instead of the bank issued coin.
A similar concept is used by payment tokenization, except the tokens here are virtual. Payment tokens are generated by the Token Service and is used for payment processing. The primary objective of token is to protect the cardholder PAN (or credit card number), by replacing it with a randomly generated number which looks like a PAN. Reverse engineering the actual PAN from the token is impossible as the tokens are not generated mathematically. Tokens are issued to the customer device through the Token Issuance process. This process will tokenize the actual PAN into a token and will store it in the device for future transactions.
Tokens can be seen in the context of three different types of payments: tap & go payments, purchases of physical goods within the apps, and in-app purchases of virtual services.
Tap & go payments involve using a traditional payment terminal via a contactless reader, otherwise known as near field communications (NFC). The tap & go payment terminal leverages payment tokenization to confirm the sale, without transmitting any of the buyer’s actual card or account information.
Purchases of goods within apps occur when a buyer leverages a shopping app to purchase something tangible. Many retailers offer downloadable apps as a more streamlined means for making purchases without needing a browser. Payment data can be transmitted without the buyer entering account numbers and are verified by the user confirming identity via the mobile device.
In-app purchases of virtual services typically let you make in-app purchases to buy extra content (like bonus game levels or map experience points) and subscriptions. These also benefit from the protection of payment tokenization.
In all of these examples, payment tokenization is used in lieu of the buyer actually using the credit card numbers.
For merchants with physical stores, the tap & go payment method will be the most relevant application of payment tokenization. As long as these merchants are equipped with an EMV Contactless reader and activated to process EMV transactions, they are ready to process transactions from contactless cards and select Apple devices. Tokenization does not require merchants to make major changes to their current payment acceptance systems. All the work is done behind the scenes without demand on the cardholder or merchant.
Tokenization - What's Next?
So why should we care about payment tokenization with all the other options and security means already in existence?
The biggest benefit to all involved is that payment card numbers are no longer used or saved where unauthorized access can occur. For customers this means added security and convenience. For merchants this means being able to accept new payment methods the way their customers want. And with the shift of financial responsibility, U.S. merchants need to be poised to protect both customers and themselves. Requiring hardware updates to support EMV payments, merchants should strongly consider also adopting EMV capable contactless terminals to take advantage of the additional, modern payment protection of tokenization.
Payment processing providers like Moneris are supporting merchants with this adoption by offering seamless addition of the protective tools and technologies necessary for enabling payment tokenization.
The information in this article is provided solely for informational purposes and is not intended to be legal, business or other professional advice or an endorsement of any of the websites or services listed.