the battle of tokens

Tokenization History, Application, and Significance

Tokenization has been successfully fighting data breach since 2001 and its unique methods are overshadowing other solutions for protecting payments. Tokens are to be admired because they have been fighting fierce battles against many innovative ways of stealing transaction data. 

Although there is not a lot of proof on who invented the tokenization method, Shift4 were the first to publicly introduce it in 2005. Some similar methods were present in the late 70s, which probably inspired Shift4.

Since they do not openly talk about the main source of inspiration, a good hint, or at least an analogy, could be their own statement comparing tokenization and arcade coins saying that the same thought is behind the process – tokenization masks data so that it becomes invaluable for the person who breaches it in the same way arcade coins are used for substitution for real money and cannot be utilized in any other manner. 2014 was the real deal when the two big players – Visa and Mastercard – announced they were using tokenization for more secure payments. 

Tokens – how do they work? 

Tokenization is the process of turning a meaningful piece of data, such as an account number, into a random string of characters called a token that has no meaningful value if breached.

Tokens serve as reference to the original data, but cannot be used to guess those values. That’s because, and this is very significant, unlike encryption, tokenization does not use a mathematical process to transform the sensitive information into the token which makes the “encryption” irreversible. There is no key, or algorithm, that can be used to derive the original data for a token.

Instead, tokenization uses a database, called a token vault, which stores the relationship between the sensitive value and the token. The ‘mapping’ between the real PAN and the payment tokens is safely stored in the token vault. So, when a customer makes a transaction, his Payment Card Number 3352 2222 2222 2222 passes through the network which issues a format preserving token - 3352 3854 1273 2222 - or non-format preserving token - 25c92e17-80f6-415f-9d65-7395a32u0223- to replace the real number which that network verifies with the bank. 

Who let the Tokens out?

A token service provider, or the more widely used abbreviated term TSP, can be an entity either independent from the payment network / processor /issuer or integrated within it.

There is a big list of TSP providers, the most represented ones being VISA and Mastercard, but there are many 3rd party token providers.

Challenges

Even though we will not be entering the depth of fraud this time, it is impossible to avoid it completely because of its unfortunate presence in the payment processing environment. The other big challenge for tokens involves real-time payment. Real-time is undisputedly terrific, but it changed the amount of time needed for securing payments and users.

Infografika_The battle of Tokens_PROVIDERI_FINAL-01.png

The short tale of three frauds

There are three most prominent types of fraud within the three types of payments that can happen online, via smart phones, or card. 

Tokenization is fighting the Card not present, the biggest slice of the pie. This is fraud committed by criminals online, by phone, or by mail using information obtained fraudulently without having the card physically there – thus the name. 

Infografika_The battle of tokens_FINAL-01.png

Real-time payment

We are all witnesses of the historic evolution in payments when, with the introduction of card payment, the notion of real-time payments became enormous, making money transfers in real time ubiquitous and thus leaving cash a thing of the past.

As this industry progressed in the past few years towards a faster payment system, the advancements in technology and the continuous improvement of smart devices saw a rise in real-time payments by using smartphones to pay for various goods or services. However, the technology is making both sides work faster which puts a lot of pressure on reducing fraud.

Even though there is no unique definition, Payments Innovation Alliance defines RTP as an instant account-to-account transfer that can be initiated through cards, smartphones, tablets, digital wallets, and the web which uses real-time communication between users, financial institutions and third parties in order to make the funds immediately available, and provides real-time confirmation for the transaction.

However, the swiftness of these transactions leaves only seconds for authorization which used to take hours or days. Fortunately, tokenization was introduced to this industry in 2001 and has been used to fight fraud through data masking and thus reduce the risk of data breach. 

Tokens have proved to work triumphantly in the card industry and this is why the same technology was chosen for RTP. This is one of the prime methods designated because tokenization is applicable and more importantly transferable to account-based transactions and can work functionally with other anti-fraud measures, which is good news. How can tokenization contribute to instant payments? Essentially, each time a certain customer uses his card/wallet, the same token number is given to the merchant’s system which makes the process faster and easier for future payments, making them only one click away.

The bad news is that fraud in RTP is a bigger financial risk than card fraud and is challenging to manage as the innovative payment methods become normative. That is why tokens will play the protagonists in the security and fraud dramas because they solve the problem of storing REAL DATA and allow SECURE PAYMENTS in REAL-TIME.

Tokens will go where no Token has gone before

If you are asking “What could possibly happen next?”, then we’re thinking alike. Currently, the industry is working on improving tokenization methods and also launching sensitive data into space – yes, that’s right. Tomorrow seems to go towards a vault-less and processor-agnostic (meaning a more generalized and interoperable) solutions that enable future growth.

More interestingly, TokenEx and Cloud Constellation announced they will begin jointly designing a space-based data security solution that layers tokenization and storage in space for securing their customers’ sensitive data. The combination of TokenEx’s Data Protection Platform and Cloud Constellation’s SpaceBelt service would enable organizations to secure sensitive data in space while storing only tokens in their terrestrial systems.