As we work with customers to help advance their anti-fraud efforts in their online channels, we’ve increasingly been asked about the impact of tokenization – will it simplify security efforts, or even make some of our existing technologies obsolete as a result of the protection it provides?
To answer these questions, we need to first clarify some implementation and use case details about tokenization. First, we should acknowledge that tokenization technology has been around for some time, and many organizations have deployed it to successfully protect payment card information, account data, personally identifiable information, and other sensitive data types. In successful implementations, tokens serve as seamless stand-ins for sensitive data they replace, reducing the potential points of exposure and rendering data useless to those who may gain unauthorized access to the tokenized data. So, broader use of tokenization should have the overall effect of reducing systemic risk associated with handing, processing, and storing sensitive data.
The more interesting new use case is the use of tokenized data to initiate transactions. In an implementation based on the EMVCo EMV Payment Tokenisation Specification, (such as ApplePay), a Token Service Provider enrolls a particular user and provisions a token corresponding to their payment card to an e-wallet. This token can subsequently be used to initiate transactions from that wallet.
One argument has been offered that as more transactions (both card-not-present and card-present) are initiated using tokens or similar instruments, the need for many controls that protect transaction data goes away. This argument ultimately depends on a significant degree of trust in the Token Service Providers. They must be able to reliably protect the underlying sensitive data, and ensure it is only disclosed to those parties who have a legitimate need for it and not the tokenized substitute.
Another argument that has been put forth is the need for technologies such as 3-D Secure to be reduced or eliminated. This is certainly not true, in fact, cardholder authentication is even more essential in a token-driven world. First, authentication of the cardholder for provisioning of the token (i.e., ensuring that the user is the cardholder and has the right to provision a card to a wallet) is perhaps the most important step in building a chain of trust in a transaction. The EMV Specification refers to this process as Identification and Verification (ID&V). It was widely reported that fraudsters exploited weak provisioning controls during the early days of Apple Pay rollouts at some issuing banks. Second, authentication of the wallet holder as they initiate transactions with a token is also important – akin to the PIN component of a card-present EMV Chip and PIN transaction. ApplePay’s phone-based implementation relies on biometric authentication of the user, but the EMV Tokenization specification provides for data fields to pass additional ID&V information per transaction to verify the identity of the user initiating the transaction.
Finally, despite the architectural features that provide for enhanced security and authentication, we know from experience that implementations are often less than perfect and thus open to exploitation. The use of tokenization should not obviate the need for transaction monitoring for patterns of potential fraud or abuse.
Like many security technologies, tokenization can have significant benefits when implemented correctly. However, despite what some may believe, there are no silver bullets in security, and implementations will need to continue to be supported by additional layers of complementary security controls and anti-fraud solutions to ensure comprehensive protection of cardholder data and transactions.
The post Tokenization and E-commerce: The Silver Bullet We’ve Been Looking For? appeared first on Speaking of Security - The RSA Blog and Podcast.