Tokenization of payment card data has existed for almost 20 years, and the concept of replacing high-value information with low-value information has been in use for decades.[1] However, if this is your first foray into the concept of tokenization, an easy way to visualize it is to think of a safe deposit box. Say you are worried about someone stealing your baseball card collection, so, to protect it, you move it from your house to a safe deposit box at a bank. Now all a burglar will find in your house is the key to your safe deposit box, which is essentially useless to them unless they are able to locate and break into your bank. Tokenization works on the same concept, using a token to protect payment card data instead of a key to protect baseball cards.
In the usual approach for a basic tokenization scheme, a cardholder provides payment card data, which is then saved in a secure location. While this data is being saved, a token is created and associated with the data. You can now use the token as a low-value substitute for the payment card data. It is “low value” for the same reason that you did not need to protect the key used to protect your baseball cards—even if someone stole the token, they would still have to know how and where to use it to access the payment card data the token represents.
While tokenization can significantly help in protecting payment card data, an attack path against the data still exists. Consider baseball cards and safe deposit boxes again. Say you decide you want to sell some of your cards. You go to your safe deposit box, remove them and try to take them to Baseball Card Emporium. However, someone grabs them from you as soon as you leave your bank. This can also happen with tokenization. In a basic tokenization scheme, the token can be used as a substitute for payment card data for portions of the payment process. Eventually, though, the actual payment information must be retrieved from the secure location and transferred to the payment brand network so that the payment can be processed. An attacker can potentially exploit this transfer to steal the payment information.
This is where network tokenization comes in. Let us go back to the baseball cards one last time. After you were mugged, you decided you wanted to sell your cards without worrying about being attacked. So, you moved all your cards to a safe deposit box within Baseball Card Emporium and instructed them to handle the details when a transaction occurs. Now when you want to sell cards, there is no opportunity for an attacker to mug you.
This is the goal of network tokenization. Rather than just storing the payment card data in a secure location, the data is stored in a secure location with direct connectivity to the payment brand network. For example, a digital wallet can submit a token to a merchant as payment, in lieu of your actual credit card number, and the token can be used for the entire payment process since the payment brand network will be able to determine the payment card data the token represents.
This direct connection to the payment brand network also provides other benefits beyond just reducing the avenues of attack. Specifically, network tokenization requires the tokens to be created according to a standard published by EMVCo, the same organization that has previously helped to secure card-present transactions by creating the standard for cards with embedded chips.[2] Tokens created according to this standard can carry additional security controls, such as limiting the scope of allowable transactions to a specific payment channel, device or merchant.
The payment brands themselves also have direct access to these tokens through the payment brand network. This allows the brands to update card details such as when a card is lost, stolen, or expires. With this feature, a cardholder will never have to manually update card details as they change (for example, with recurring billing for subscription services) since the payment brand will do so automatically, which further reduces the opportunities for payment card data to be stolen.
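As an added illustration (not code from the original post), the toy vault below shows the three ideas discussed above: a basic scheme that swaps the card number for a random token kept in a secure store, a domain-restricted token that is only honored for one merchant, and a card update that changes the stored card data while the merchant's token stays the same. The `TokenVault` API, the `9`-prefixed token format and the sample card number are constructed for this example; real network tokens are issued by the payment brand's token service, not by the merchant.

```python
# Constructed example: a minimal token vault illustrating basic vs. domain-restricted tokens.
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class CardRecord:
    pan: str                    # real card number, kept only inside the vault
    expiry: str                 # MMYY
    merchant_id: Optional[str]  # None = usable anywhere (basic scheme); set = restricted


class TokenVault:
    """Stands in for the 'safe deposit box' that holds the real card data."""

    def __init__(self) -> None:
        self._records: Dict[str, CardRecord] = {}

    def tokenize(self, pan: str, expiry: str, merchant_id: Optional[str] = None) -> str:
        # The token keeps the last four digits for receipts; the rest is random
        # and reveals nothing about the PAN. A leading '9' marks it as a token.
        while True:
            token = "9" + "".join(str(secrets.randbelow(10)) for _ in range(11)) + pan[-4:]
            if token not in self._records:
                break
        self._records[token] = CardRecord(pan, expiry, merchant_id)
        return token

    def detokenize(self, token: str, merchant_id: str) -> Tuple[str, str]:
        """Return (pan, expiry) only if the token is valid for the requesting merchant."""
        rec = self._records.get(token)
        if rec is None:
            raise KeyError("unknown token")
        if rec.merchant_id is not None and rec.merchant_id != merchant_id:
            # A stolen domain-restricted token is useless at any other merchant.
            raise PermissionError("token not valid for merchant %s" % merchant_id)
        return rec.pan, rec.expiry

    def update_card(self, token: str, new_pan: str, new_expiry: str) -> None:
        """Card reissued: the vault updates the card data; the merchant's token is unchanged."""
        rec = self._records[token]
        rec.pan, rec.expiry = new_pan, new_expiry


def mask(pan: str) -> str:
    """What a merchant should log or display instead of a full card number."""
    return "*" * (len(pan) - 4) + pan[-4:]
```

The merchant only ever stores the token; a restricted token presented by a different merchant is rejected at `detokenize`, and a reissued card needs no change on the merchant side.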
Network tokenization is the natural progression of tokenization, and it is finally providing the features and security enhancements that should be expected in modern commerce.
If you have any questions about network tokenization, please contact us!
1. Tokenization (data security), https://en.wikipedia.org/wiki/Tokenization_(data_security)#Concepts_and_origins
2. Secure Remote Commerce – EMVCo, https://www.emvco.com/emv-technologies/src/