The further development of token security, what’s next?
Recently, the payments industry received news that Visa and Mastercard are teaming up to share tokenised credentials across their digital wallets (Masterpass and Visa Checkout). With the objective of making their wallets thrive, both schemes have committed to making them open and interoperable and to support multiple modes of use for consumers, e.g. in-app, online and in-store.
The move towards a more collaborative and integrated payments industry is no doubt a good example for other members of the ecosystem. Championing new ideas and best practice to help mobile commerce grow, develop and become more secure in the industry should be celebrated.
With the increasing amount of technology developed to create a fast, convenient payment experience and the rising number of high-profile data breaches every year, merchants, issuers, payment schemes and consumers are more than ever prioritizing payment and data security.
Tokenisation – the process of substituting a sensitive data element with a non-sensitive equivalent – has proven to be an integral strategy for banks and FinTech companies in the fight against online fraud.
Tokenisation has been used as an encryption method for cardholder information post-authorization for many years. In their most basic form, payment tokens are surrogate values that replace primary account numbers (PANs) and can be used for mobile POS transactions, in-app purchases or online purchases to limit the impact of data breaches or sporadic card theft. Token credentials can be limited to use on a specific device, at a specific merchant or for specific types of goods and services.
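The surrogate-value idea described above, as an added sketch (not code from this article or from any card scheme): a vault issues a random token in place of the PAN and releases the PAN only when the token is presented from the device and merchant it was bound to. The class and method names, the in-memory store and the sample PAN (a widely used test number) are assumptions for illustration; real payment tokens also follow scheme-specific format rules that are not modelled here.

```python
import secrets


class TokenVault:
    """Toy in-memory vault mapping surrogate tokens to PANs and usage limits."""

    def __init__(self):
        # token -> (pan, bound_device, bound_merchant); None means "not restricted"
        self._entries = {}

    def tokenise(self, pan, device_id=None, merchant_id=None):
        """Return a random digit string of the PAN's length that stands in for it."""
        while True:
            # Drawn from a CSPRNG, not derived from the PAN: without the vault
            # a stolen token cannot be turned back into the card number.
            token = "".join(secrets.choice("0123456789") for _ in pan)
            if token != pan and token not in self._entries:
                break
        self._entries[token] = (pan, device_id, merchant_id)
        return token

    def detokenise(self, token, device_id, merchant_id):
        """Release the PAN only inside the context the token was issued for."""
        entry = self._entries.get(token)
        if entry is None:
            raise KeyError("unknown token")
        pan, bound_device, bound_merchant = entry
        if bound_device is not None and bound_device != device_id:
            raise PermissionError("token presented from a different device")
        if bound_merchant is not None and bound_merchant != merchant_id:
            raise PermissionError("token presented at a different merchant")
        return pan


if __name__ == "__main__":
    vault = TokenVault()
    pan = "4111111111111111"  # constructed sample: test card number, not a real account
    token = vault.tokenise(pan, device_id="phone-A", merchant_id="shop-1")
    print("merchant stores:", token)
    print("in context     :", vault.detokenise(token, "phone-A", "shop-1"))
    try:
        # Same token replayed at another merchant, as after a breach of shop-1
        vault.detokenise(token, "phone-A", "shop-2")
    except PermissionError as exc:
        print("out of context :", exc)
```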
Tokenisation has a critical role to play in security, but only as part of a multi-layered solution that also incorporates other protective methods such as end-to-end encryption, biometrics and strong user authentication. The latter can be implemented by merchants as a “step-up” security method under predefined circumstances, to maintain a good customer experience.
Tokenisation, by itself, should not be the only protection in place to ensure that sensitive information, like payment card data, personally identifiable data, or financial account data, remains safe. Security itself needs to find new, multi-layered ways to help the payments ecosystem with compliance, risk and fraud reduction.