Google and Samsung are two of the big name mobile wallet providers to join MasterCard’s new programme designed to speed up tokenization. The Digital Enablement Express scheme was launched in early September, with Capital One, Fifth Third Bank and KeyBank among the first issuers on board. It makes it easier for wallets like Android Pay or Samsung Pay to request payment tokens via the MasterCard Digital Enablement Service.
According to MasterCard, the service lets financial institutions access new digital payments services, while partners like Google or Samsung benefit from a simple onboarding process with participating banks.
“Working with MasterCard’s Express platform will give us a highly scalable way to enable issuing banks to participate in Android Pay, while at the same time, launch a service that has broad consumer access,” said Ariel Bardin, Google’s vice president of payments.
What is tokenization?
Tokenization is an important step for securing payments, particularly for contactless transactions. In tokenization, the card’s primary account number (PAN) is replaced with an alternate card number called a token. These tokens can be single- or multi-use; and they may be stored and managed in the cloud, in a token vault, or at a merchant location. Replacing the PAN with a token reduces losses from any merchant data breach, such as those suffered in the US last year. While no system is ever going to be 100 per cent secure, tokenization makes the compromised data less valuable to the fraudster.
Tim Sloane, vice president at Mercator Advisory Group for Payments Innovation, believes tokens will transform payments.
“Tokenization will change the payments industry in interesting ways,” he says. “The networks have clearly carved out a new business model for themselves, and the implementation of tokens will enable payment providers to enter adjacent markets, such as identity management and loyalty management, if they wish.”
MasterCard says the scale and reach of its Express scheme will prove important. By having one set of standards, the tokenization process becomes far quicker and easier. We’ve seen before in payments that when a single standard is followed, rather than multiple, competing versions, it speeds up adoption and creates savings. Tokenisation is a case in point. EMVCo, PCI SSC and The Clearing House are all investigating its potential and working on standards.
And because of different approaches, there is scope for confusion.
Avivah Litan, the Gartner analyst, points out that “EMV tokens, as first implemented by Apple Pay and the payment card networks, are based on different protocols than the tokenization systems merchants use to limit the scope of PCI audits, leading to potentially conflicting token implementations”. Merchants can be left with two tokens for one card or, worse, no way to get back to the original card number for things like chargeback or disputes.
Dave Meadon, EMVCo executive committee chair, says: “It is vital that we have a consistent approach to identify and verify a payment token request, which is supported by industry-agreed channel controls to manage where and when the payment token can be used.”
“This level of consistency eliminates data vulnerabilities at key points in the transaction, which ultimately enhances security.”
Tokenization is proving a key part of improving payment security, but there are few issues to iron out first.