How tokenization protects your cards from fraud
By Tina Orem
September 18, 2014
Reporters and pundits waited breathlessly for the iPhone 6 and Apple Watch unveiling on Sept. 9, but for many, the real news from the event was Apple Pay and the underlying technology that is poised to revolutionize the credit card industry.
Scheduled for launch in October, Apple Pay allows users to pay for things with their iPhones or new Apple smartwatches by storing credit card data in a “passbook,” holding the device near a merchant's contactless reader and tapping the device.
The products behind Apple Pay are slick for sure, but what makes the whole concept new and exciting is that it uses tokenization — a technology rolling out from Visa and MasterCard in September 2014. Tokenization converts credit card information such as account numbers and expiration dates into unique strings of numbers that validate customer identities and protect against card hacking at the merchant level.
Here's how it works: Customers register a credit card with a mobile wallet. When the customer makes a transaction with the mobile card, the card number data is electronically swapped out with a random, unique number that is sent to the merchant, called a token. Each credit card transaction gets its own token.
The tokens cannot be monetized by anyone but the merchant that owns the token, payments processor First Data says.
Tokens can be limited to specific merchants, mobile devices or types of purchases — providing another layer of innovation and security. For example, Visa operates a Token Vault that instantly issues and manages tokens on behalf of issuers. Visa's Token Service can work with card issuers to restrict tokens to, say, the university bookstore and cafeteria so that the card can't be used at bars or the mall.
The actual credit card data never enters a retailer's server, where most data breaches occur. With tokenization, hackers get nothing of value if they break into a merchant's server. And tokens linked to lost or stolen mobile devices can be instantly reissued without changing account numbers or reissuing plastic cards. That could save card issuers a bundle.
You might argue that tokenization duplicates the protection from chip-and-PIN cards, sometimes called EMV cards. After all, if the cardholder can't enter the correct PIN number at the time of the transaction, the card won't work. But EMV has much less power than tokenization to protect online transactions where the card isn't physically present, according to a white paper by the Smart Card Alliance.
In any case, the objective of tokenization is to make transactions more secure. After all, credit card theft costs consumers money and time, and banks also spend a lot of money reissuing cards. (One American Banker study found that it costs between $2.70 and $12.75 to reissue a card.) And after a wave of data breaches at major U.S. retailers eroded confidence in electronic payment systems, tokenization's time may just be here.