Want less mobile or digital payments fraud? Boston Fed paper says merchants should try tokenization
As e-commerce expands, so does theft, but paper says tokenization can be big security solution
Online shopping has become the norm for millions of Americans, but its growth has been accompanied by a trend no merchant welcomes: increasing e-commerce fraud.
Criminals are taking advantage of a key benefit of online purchases – customers don’t have to be at a store to make them. The thieves are beating safeguards aimed at verifying customer identities, billions are being lost, and it’s clear that retailers need better authentication. Payment tokenization should be part of the solution, according to a recent Federal Reserve Bank of Boston paper.
With payment tokenization, a customer’s credit or debit account number is replaced with a randomly generated string of numbers called a “token” that’s unique to each user’s mobile device. It’s also indecipherable to fraudsters, even when they intercept it. These tokens are passed through the payment process without exposing a customer’s actual account details.
Payment tokenization is increasingly common, but implementation concerns and lack of understanding about the security benefits, particularly in the e-commerce space, are among the factors holding it back, said Boston Fed Vice President Marianne Crowe, who co-authored the paper with Boston Fed Director of Payment Strategies Susan Pandy. The reality is that payment tokenization works, Crowe said.
“If you are removing the real account number from the process all the way through, a fraudster obviously can’t get in the middle and steal it,” she said. “You don’t hear anything about fraud with tokenization.”
Payment tokenization gained attention when mobile wallets were introduced by Apple, Google and Samsung to make purchases with smartphones at physical retail stores. But it is now emerging as an important payment security option as e-commerce sales become more common. In the third quarter of 2018, they accounted for $130.9 billion and 9.8 percent of all sales, according to the Department of Commerce’s most recent numbers.
An unwelcome companion trend is a projected increase in fraudulent “card-not-present” transactions, a term for online sales, which by definition occur when the card isn’t physically present. Juniper Research projects retailers will lose about $130 billion in revenue due to fraudulent card-not-present transactions between 2018 and 2023.
With payment tokenization, a customer adds credit or debit account credentials to a mobile wallet or signs up for a digital wallet, typically through a financial institution. That institution securely authenticates the payment card account and then sends it to a token vault managed by a token service provider, like Visa or MasterCard. The token vault is extremely well protected – even banks aren’t allowed in, and there’s never been a breach. The token service provider then generates a payment token, linked to the customer’s payment account number (or PAN), and stores it in a secure location in the mobile phone/wallet.
When the customer uses his or her mobile or digital account to make a purchase, the merchant processes the token in lieu of the PAN. The token is then mapped back to the PAN stored in the token service provider’s vault, and the sale is authorized by the financial institution. The account number is never out in the open during the process, and the merchant never has it, Crowe noted. If a fraudster manages to intercept the token, he or she can’t interpret it.
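The provisioning and purchase flow described above, as a simplified model added here; it is not code from the Boston Fed paper or from any token service provider. The class and function names, the sample account number and the device check on detokenization are assumptions made for illustration.

```python
import secrets

class TokenVault:
    """Toy token service provider vault (simplified model, not the EMV spec)."""

    def __init__(self):
        self._by_token = {}  # token -> (PAN, device_id); stays inside the vault

    def provision(self, pan, device_id):
        """Issue a random token for this PAN on this device."""
        while True:
            # Random digits, same length as the PAN, not derived from it.
            token = "".join(secrets.choice("0123456789") for _ in pan)
            if token != pan and token not in self._by_token:
                break
        self._by_token[token] = (pan, device_id)
        return token

    def detokenize(self, token, device_id):
        """Map a token back to its PAN; None if unknown or wrong device.
        The device check is an assumption of this sketch."""
        entry = self._by_token.get(token)
        if entry is None or entry[1] != device_id:
            return None
        return entry[0]

def issuer_authorize(pan, open_accounts):
    """The financial institution approves only PANs it recognizes."""
    return pan is not None and pan in open_accounts

def merchant_checkout(vault, token, device_id, open_accounts):
    """The merchant handles only the token; vault and issuer handle the PAN."""
    merchant_record = {"credential": token}  # what the merchant could store
    pan = vault.detokenize(token, device_id)
    return issuer_authorize(pan, open_accounts), merchant_record

if __name__ == "__main__":
    PAN = "4111111111111111"  # constructed sample number, not a real account
    vault = TokenVault()
    token = vault.provision(PAN, "phone-A")
    print(merchant_checkout(vault, token, "phone-A", {PAN}))
    # The same token presented from a different device is declined.
    print(merchant_checkout(vault, token, "phone-B", {PAN}))
```

The merchant's record contains only the token, so a breach of merchant systems in this model exposes no account numbers.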
Crowe is frank about the downsides of payment tokenization in card and customer data security.
“There really aren’t any,” she said. “It’s very effective.”
That doesn’t mean there aren’t real financial costs and complications. For instance, tokenizing account numbers for merchants who have thousands of customer cards on file is time-consuming and potentially onerous for token service providers. Plus, Crowe said, many retailers aren’t fully aware of the fraud risks of online retail, which security tools can be most effective, and whether tokenization is worth the effort.
But according to Crowe, the benefits far outweigh the costs, especially in a growing retail arena where thieves have been ruthless and successful.
For more analysis and data, check out “Industry Perspectives on the Evolution of EMV Payment Tokenization.”