At its root, a token is something with low value representing something with high value; just as a casino chip represents cash. In electronic payments, tokenization is being used to reduce security risks inherent in the collection and transfer of highly sensitive data such as credit card Personal Account Numbers (PAN). In the mobile payments world, it is the EMVCo Payment Tokenization Specification that sets the framework for tokenizing contactless payments.
In the EMVCo specification, the PAN is replaced it with another PAN-like number by the tokenization system. In a typical scheme, the last four digits of the PAN are not tokenized for continuity so banks and merchants can identify customers for actions such as returns and loyalty programs. It is the tokenized pseudo-PAN that is sent from the POS to the issuer for transaction authorization. The issuer uses the tokenization system to de-tokenize the pseudo-PAN and match it to the real account data. The pseudo-PAN cannot be reversed or de-tokenized by any other entity other than the trusted tokenization system. Tokens can be used with all Cardholder Verification Methods (CVM) but are limited in scope, for example to a single merchant, and duration by an expiry value. Tokens are required to have their own BIN ranges that identify the pseudo-PAN as a token to the payment system and can help identify contactless cloud transactions. In a pseudo-PAN tokenization scheme, PCI-DSS risk on merchants is minimized because the tokens have limited use and the PAN data cannot be reverse engineered. Merchants can also use tokenization to secure their private label card data. For payment tokens, issuers will perform Identification and Verification (ID&V) steps to make sure the token is mapped to a valid and authorized PAN. Tokenization specifications are multi-part solutions that also include risk management measures based on endpoint “fingerprints,” account activity, and the depth of identification and verification processing on the issuer side.
What does tokenization have to do with Host Card Emulation (HCE)?
Host Card Emulation, placing card data in the cloud, is the hot topic now that Visa and MasterCard are putting working together on HCE specifications. To avoid all the technical and business complexities of card credentials stored on devices in secure elements, financial institutions are looking to move card credential data to the cloud. With Android’s support for Host Card Emulation in the KitKat OS, cards in the cloud are no longer pie in the sky. Moving sensitive card and personal data out of a phone’s secure element into the cloud solves business problems by reducing the number of actors and barriers to integration to existing systems. However, passing encrypted card data every time a user wants to transact is simply not feasible from both a security and user experience point of view. To enable secure cloud-based mobile payments, HCE uses multiple techniques to ensure the security of sensitive information without burdening the user experience. Tokenization has been one of the main security measures being considered to make HCE cloud-based mobile payment transactions secure. Others include limited use keys, account replenishment, and risk assessment scores. More on those in future blogs.