Today, digital payments exist for every aspect of life. COVID may have accelerated the process of cash and checks being used less, but as nearly 80 percent of Americans used at least one form of digital payment in 2020, the shift to e-commerce seems permanent. In fact, it is estimated that by 2024, 80 percent of all payment transactions will be electronic.
With the continued rise in digital payments comes fraud. Between 2020 and 2021, payment fraud attacks rose dramatically on digital wallets (200%), payment service providers (169%) and crypto exchanges (140%).
The expense of credit card fraud adds up: for the last 13 years, every dollar lost in fraudulent transactions cost U.S. merchants $3.75, according to a recent LexisNexis Risk Solutions study. The study also found that 35 percent of e-commerce transactions were malicious, the highest of any segment.
To keep up with customer expectations, merchants need to continue offering the digital payment methods consumers want to use. But as cybercriminals increasingly target these offerings, organizations have a responsibility to keep sensitive data safe. So, how can businesses avoid payment fraud? Payment security experts believe it is tokenization.
The Origins of Tokenization
The world has long used tokenization to protect forms of payment. In earlier days, it was more physical, replacing actual money with banknotes, coins, casino chips or bus tokens. Fast forward to the early 2000s, when credit card payment transactions passed card numbers, expiration dates and CVV from one party to another – from cardholder, to merchant, processor, card networks and banks – creating several potential points of data exposure and the perfect breeding ground for cybercriminals to steal sensitive data.
Enter payment card tokenization. First created by TrustCommerce in 2001 for their client Classmates.com, this concept allowed Classmates.com customers to reference a token in place of their valuable card data for payment, rendering the data useless to hackers if the data was stolen.
Since then, card issuers and merchants have adopted the technology, and tokenization has continued to bring unprecedented convenience and security to digital payments.
Tokenization has evolved throughout the years, but in the beginning, PCI tokenization was introduced by the PCI Security Standards Council as a method to reduce exposure of card information for e-commerce merchants.
PCI tokenization creates a mapping between credit card data and the token created to represent that data. Payment card tokenization removes sensitive information from the merchant’s internal system and replaces it with a one-of-a-kind token that is unreadable, even if hackers manage to breach the system. The token is usually a random sequence of numbers or letters that the organization’s internal systems use, while the original data can be retrieved securely by a merchant’s payment processor/gateway.
How PCI Tokenization Works
Below are the steps for an effective tokenization process:
- The merchant registers a card number with the payment service's (aka processor's) tokenization system
- The processor returns the token to the merchant
- When the merchant wants to issue a transaction against the card, they pass the token to the processor
- The processor swaps the token for the card number and sends it to the card network, where it is then passed to the issuing bank to complete the authorization.
While tokenization allows the merchant to safely store the token, assisting in PCI scope reduction, the process still transmits cardholder data at payment gateways and processors. Since the card number is tokenized at one endpoint and not across the entire payment ecosystem, the card number, expiration date and CVV are still being passed along to the various parties involved in the payment transaction, creating points within the transaction flow where the card number could be exposed.
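The four steps above, and the remaining exposure point, can be traced in a short model. This is an added example, not code from Bluefin or any processor; the class names, the `tok_` prefix and the test card number are assumptions made for illustration.

```python
import secrets

class CardNetwork:
    """Stand-in for the card network and issuing bank."""
    def __init__(self):
        self.seen = []                      # every value that crossed this hop

    def authorize(self, pan, amount_cents):
        self.seen.append(pan)
        return {"approved": True, "amount_cents": amount_cents}

class Processor:
    """Hypothetical processor-side tokenization system."""
    def __init__(self, network):
        self._network = network
        self._vault = {}                    # token -> PAN, never leaves the processor
        self._by_pan = {}                   # PAN -> token, so one card maps to one token

    def register(self, pan):
        """Steps 1-2: accept a card number, hand back a random token."""
        if not (pan.isdigit() and 13 <= len(pan) <= 19):
            raise ValueError("not a card number")
        if pan not in self._by_pan:
            token = "tok_" + secrets.token_hex(16)   # random, not derived from the PAN
            self._vault[token] = pan
            self._by_pan[pan] = token
        return self._by_pan[pan]

    def charge(self, token, amount_cents):
        """Steps 3-4: swap the token for the PAN and forward it to the network."""
        pan = self._vault.get(token)
        if pan is None:
            return {"approved": False, "reason": "unknown token"}
        return self._network.authorize(pan, amount_cents)

def run_demo():
    network = CardNetwork()
    processor = Processor(network)
    test_pan = "4111111111111111"           # constructed test number, not a real card
    merchant_db = {"customer-42": processor.register(test_pan)}  # merchant keeps the token only
    result = processor.charge(merchant_db["customer-42"], 1999)
    guessed = processor.charge("tok_" + "0" * 32, 1999)          # token not in the vault
    return merchant_db, result, guessed, network.seen

if __name__ == "__main__":
    print(run_demo())
```

The merchant's records hold only the token, yet `network.seen` contains the real card number: that hop between processor and network is the exposure the paragraph above describes.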
Network Tokenization – Differences and Benefits
Left with a small window of opportunity for fraud, cybercriminals are quick to capitalize on the vulnerabilities of PCI tokenization. With the boom in e-commerce, we have seen card networks close this “fraud window” with an updated and more secure payment card tokenization – network tokenization.
Network tokenization refers to payment card tokenization offered by payment brands like Visa, Mastercard, American Express and Discover, in which the primary account number (PAN) and other card details are replaced with a token provided by the card brand.
Network tokenization differs from PCI tokenization in that it replaces the PAN across the entire payment ecosystem instead of at just one specific endpoint. The result brings fewer declines, reduced costs for card-present and card-not-present transactions, and increased data security.
Network tokenization adds a further layer of security: the card network generates a cryptogram for each consumer-initiated card authorization. The cryptogram is unique to the token, merchant, and individual transaction, which helps to validate the transaction for the bank while proving the authenticity of the card.
Network tokenization shields the actual card information from all parties involved in the transaction flow, which increases the security of the end-to-end payment ecosystem.
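The binding of a cryptogram to token, merchant and transaction can be modeled as follows. This is an added example, not the card brands' actual scheme: HMAC-SHA256 is a stand-in for the network's cryptogram algorithm, and the class, token value, merchant IDs and transaction IDs are constructed for illustration.

```python
import hashlib
import hmac
import secrets

class TokenNetwork:
    """Stand-in for a card network's token service (HMAC replaces the real scheme)."""
    def __init__(self):
        self._key = secrets.token_bytes(32)   # held by the network only
        self._used = set()                    # cryptograms already accepted

    def _mac(self, token, merchant_id, txn_id):
        # Length-prefix each field so ("ab", "c") and ("a", "bc") cannot collide.
        msg = b"".join(
            len(f.encode()).to_bytes(2, "big") + f.encode()
            for f in (token, merchant_id, txn_id)
        )
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def issue_cryptogram(self, token, merchant_id, txn_id):
        return self._mac(token, merchant_id, txn_id)

    def verify(self, token, merchant_id, txn_id, cryptogram):
        expected = self._mac(token, merchant_id, txn_id)
        if not hmac.compare_digest(expected, cryptogram):
            return "rejected: does not match token/merchant/transaction"
        if cryptogram in self._used:
            return "rejected: cryptogram already used"
        self._used.add(cryptogram)
        return "accepted"

def run_demo():
    net = TokenNetwork()
    token = "ntk_constructed_0001"            # constructed network token
    c = net.issue_cryptogram(token, "merchant-A", "txn-1001")
    return [
        net.verify(token, "merchant-B", "txn-1001", c),  # presented by another merchant
        net.verify(token, "merchant-A", "txn-1002", c),  # attached to another transaction
        net.verify(token, "merchant-A", "txn-1001", c),  # intended use
        net.verify(token, "merchant-A", "txn-1001", c),  # same cryptogram presented again
    ]

if __name__ == "__main__":
    for outcome in run_demo():
        print(outcome)
```

Only the third check succeeds, which is why a captured token without a fresh cryptogram is of little use outside the transaction it was issued for.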
Network Tokenization Transaction Flow
Additional benefits of network tokenization include:
- Token is always current – one token exists for each card and updates automatically if card expires or is replaced
- Improved customer checkout experience – no card updating
- Cost savings for merchants – fewer declines and reduced interchange rates due to decrease in fraud
- Shift in liability – merchants do not bear the responsibility for fraud charges
Bluefin, the leader in secure payment technology for encryption and tokenization technologies, understands that as digital payments evolve, technology to protect sensitive data needs to evolve as well.
As the first company to earn PCI-validation for their point-to-point encryption (P2PE) solution in 2014, Bluefin added their ShieldConex® tokenization platform in 2020 to their integrated payment and data security offerings. ShieldConex secures PII (Personal Identifiable Information), PHI (Protected Health Information) and card payment information entered online.
In 2023, Bluefin will be adopting Visa’s network tokenization, Token ID, through the ShieldConex platform and their PayConex™ payment gateway, providing flexibility for their customers by tokenizing any type of data, while serving as a gateway for network.