Deciphering one of the key topics of the CARTES SECURE CONNEXIONS show

June 2015 by Marc Jacob

CARTES SECURE CONNEXIONS 2015, the show dedicated to
secure solutions for payment, identification and mobility, is organising three conference
sessions on tokenization.
E-payment systems are rapidly evolving, which shows that the industry is ready to meet the
demands of portable device users. The emergence of new types of service providers, such
as Token Service Providers, would suggest that the scope of tokenization goes much
further than payment.

During three conference sessions on "Navigating the mobile contactless payments
landscape" – to take place between 17 and 19 November – we will look at this ever-growing
security procedure and the relevant strategic issues; how it is making its way into the scope
of payment and its potential future in other sectors. A large number of exhibitors will be
presenting their innovations in terms of tokenization during this 3-day event.

Tokenization: the natural evolution of secure payment
How has tokenization evolved to become a secure solution for electronic payments? For a long time,
it has only been possible to "physically" pay for something in a shop, by inserting your card into a
card terminal (for card present transactions).

However, the emergence of two phenomena has shaken this model:
• Firstly, contactless payments, which are made directly using a card or a mobile phone. The
objective is to facilitate payment and speed up transactions, while ensuring a high level of
security.
• Secondly, the arrival of the Internet and e-commerce, which have called for the
implementation of virtual payment systems (for card not present transactions). However, these
systems may represent serious risks, because, quite often, it is enough to have the primary
account number (PAN) and expiry date of the card to carry out a transaction online.

Given that the number of virtual transactions is increasing considerably, new technologies – for
example, NFC, Bluetooth Low Energy, QR codes and HCE – have had to rise to a number of
challenges, particularly in terms of security.

Tokenization is a process which is part of this development in payment systems, and it consists of
replacing sensitive data with substitute data to make electronic transactions more secure. The most
representative example is the use of a token instead of a bank card number (or PAN). By using a
token rather than a PAN, it is possible to limit the damage caused if the security system is breached
and details of payment are revealed.

In the future, users may not even be able to differentiate between card present and card not present
transactions, and the user identification used will vary, depending on the type of terminal and network
used and on their preferences (consumer or retailer).

The token: fail-safe protection against hackers

Tokens are used to substitute sensitive data. They are not related in any way to the data they
replace and hackers cannot read any of the data substituted. Tokenization can reduce the risk of
using sensitive data online, for example in the event of data theft or misappropriation.
It is in this context that tokenization comes into its own.

The developers and users of payment systems seek the following security benefits:
• Sensitive data associated with the card used for payment and the holder should lie in the
hands of the bank and retailer only. Under no circumstances may these data be made
available to third-party systems;
• Tokens created are based on random numbers and characters and should not be associated
with the data that they replace;
• Tokens created should have the same format, size and characteristics as the original data.

EMV has shown how effective it is in fighting against fraud in card present transactions: apart
from "chip and pin" transactions, the PAN may only be used if the card is physically presented.

The situation is, however, completely different for card not present transactions and the level
of fraud is increasing in this use. Despite an array of measures designed to secure these types of
transactions, the best way to fight against fraud is to have a secret PAN.

In the case of cross-channel transactions, which may be in a store or online, the card data obtained
fraudulently, via a faulty payment terminal, may be used for card not present transactions on the
Internet. This is where the token plays a key role, as even if the security system is breached and
the payment details are unveiled, the damage is limited since the token value is revealed rather than
the PAN that it replaces.

For card not present transactions in particular, tokenization offers the best features in terms of
security. However, other security measures such as readers or terminals must also be implemented
since tokenization alone cannot totally guarantee security.
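
The token properties listed above (random, not derived from the data they replace, same format and size as the original) can be sketched as follows. This is an added example, not code from the article or from any exhibitor; `TokenVault`, `tokenize` and `detokenize` are hypothetical names, the vault is a plain in-memory dictionary, and keeping the Luhn check digit valid is an assumption about which "characteristics" are preserved.

```python
import secrets

def luhn_check_digit(body: str) -> str:
    """Luhn check digit for a digit string that does not yet include it."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:          # positions doubled once the check digit is appended
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)

def luhn_valid(number: str) -> bool:
    return len(number) > 1 and number.isdigit() and luhn_check_digit(number[:-1]) == number[-1]

class TokenVault:
    """Hypothetical in-memory vault; only it can map a token back to a PAN."""

    def __init__(self):
        self._by_pan = {}
        self._by_token = {}

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a well-formed PAN")
        if pan in self._by_pan:             # same card always gets the same token
            return self._by_pan[pan]
        while True:
            # Random digits from the OS CSPRNG: nothing is derived from the PAN.
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 1))
            token = body + luhn_check_digit(body)
            # Reject collisions with the PAN itself, stored PANs and issued tokens.
            if token != pan and token not in self._by_pan and token not in self._by_token:
                break
        self._by_pan[pan] = token
        self._by_token[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        return self._by_token[token]        # KeyError for unknown tokens

if __name__ == "__main__":
    vault = TokenVault()
    pan = "4111111111111111"                # constructed test number, not a real card
    token = vault.tokenize(pan)
    print(token, luhn_valid(token), vault.detokenize(token) == pan)
```

Because the token is drawn at random, a party that obtains it learns nothing about the PAN without access to the vault's mapping, which is why the vault itself has to be protected by the other security measures the text mentions.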

From payment to a new scope: the omnipresent token
The launch of Apple Pay in September 2014 has strongly affected the mobile payment ecosystem.

This offer has three main characteristics:
• NFC as a communications protocol with the payment terminal;
• Using the Secure Element as a security platform;
• Using tokens to protect the card number.

Apple’s announcement came at the same time as the announcement made by Visa and Mastercard
who gave their approval of tokenization as a security solution for transactions, particularly card not
present transactions. A few months earlier (March 2014), EMVCo issued a document entitled "EMV
Payment Tokenization Specification – Technical Framework" which inspired the Apple Pay solution.

The rapid innovation of payment systems is unprecedented. It shows that the industry is rapidly
evolving to meet the demands of portable device users - primarily the smartphone - who believe that
this device is fully adapted for transactions carried out online or at home. New types of service
providers are emerging, such as Token Service Providers, which complement the already wide
range of suppliers of components and applications.

This is particularly important since the scope of tokenization goes beyond payment. The health
sector, like the payment industry, relies on security access devices to identify a lot of individuals. It
therefore represents a strong candidate for new generation tokens.

Tokenization at the heart of CARTES SECURE CONNEXIONS 2015
Payment is a complex and rapidly evolving area. The ever-growing mobile ecosystem is crossing
and integrating into more industry segments than ever before. Tokenization is an alternative to
hardware solutions used to date for secure transaction payments.

From 17 to 19 November, CARTES SECURE CONNEXIONS places mobile contactless payment
under the spotlight at three day-long sessions on: "Navigating the mobile contactless
payments landscape".
• HCE & Tokenization: What is the role of the Secure Element?
Presented by Francesco IARLORI, Managing Director - BizDev & Strategy Italy
• New business models: What is the impact on the banking, telecommunications and
retail industries?
Presented by Laurent NIZRI, CEO, Alteir Consulting & Vice-President, ACSEL
• Mobile payments: NFC, HCE, SE, Tokenization
Presented by Nathan HILT, Director – PriceWaterhouseCoopers

This is an opportunity for participants to look into the latest technologies on the payments market
(for example, NFC, HCE, SE and tokenization), to discuss how the mobile is creating new ways to
pay and to assess the new players and trends.

Several companies* which specialise in tokenization will be presented at CARTES SECURE
CONNEXIONS:
INFINEON TECHNOLOGIES AG
DATACARD GROUP & ENTRUST
FEITIAN TECHNOLOGIES
FUTUREX
THALES
CRYPTERA
WORLDLINE
_CryptoExperts
_Cryptomathic
UNDERWRITERS LABORATORIES

* Non-exhaustive list of exhibitors working on this topic.

MOBILE CONTACTLESS PAYMENTS

For more information and a list of exhibitors by sector, please see:
http://www.cartes.com/2015-Exhibitor-List

