The term “tokenization” refers to the process of replacing sensitive data, such as data related to payment cards and e-commerce transactions, with randomly generated symbols for each separate transaction — so-called tokens — that replace the data so that it can’t be compromised.
This ensures that transactions can be completed in a secure manner, as it’s much harder for hackers to gain access to data that’s been tokenized than data that’s stored and transmitted in the clear. In addition, once a token is used, it can’t be used again, rendering it useless to hackers.
Securing Mobile Payments
One area in which the use of tokenized data holds much promise is mobile payments. Samsung Pay is one such service that utilizes tokenized data. Once a mobile device is registered with the payment system, its primary account number is replaced with a unique token that’s maintained by the card network, never stored on the device, and kept in a secure token vault (with the card issuer).
With the Samsung Pay system, the card network returns card data that’s been tokenized using a secure channel to the device, and hardware-based keys within the device encrypt and authenticate its data. Only encrypted data is returned to the Samsung Pay app to avoid security and privacy risks. The security and integrity of the tokenized data is protected because it can only be accessed in the Trusted Execution Environment (TEE) of the device. When the tokenized card details are sent to the TEE, an authentication code is generated for that particular transaction. With Samsung Pay, tokenization is available for securing both near field communication and magnetic stripe payments.
To protect a user’s card data and payment information, a secure communication channel is created between user devices and card network servers using public key cryptography. Once a transaction is initiated, a cryptogram (a unique authentication code) is sent to the payment terminal. This authentication code verifies that the mobile device with which it’s associated is the one being used to make the transaction. Both the token and the authentication code must be verified by the card network for the transaction to proceed. This verifies that the user is the correct person to make a transaction.
Protecting You (and Your Wallet)
Payment tokenization holds great promise in the fight against payment fraud. In 2016, Statista estimates that $7.7 billion will be lost to payment card fraud in the U.S. alone, up more than a third over 2012. One area in which fraud is increasing is mobile payments. According to LexisNexis, mobile commerce transactions accounted for 14 percent of all transactions in 2014, but for 21 percent of all fraudulent transactions.
Tokenization has the potential to vastly improve the security of sensitive data in a wide range of scenarios. The example of mobile payments shows how it can be used to add security to a rapidly growing area, which will expand further as mobile adoption continues to proliferate. There are many other scenarios in which tokenization can vastly improve security by protecting the privacy of sensitive data; including online banking, medical records, criminal records and the online provisioning of government services.
