Gemalto says that even if a token is intercepted, its reuse would be very limited, meaning that incidents of ‘cross-channel’ fraud can be significantly reduced. Transaction keys needed for EMV payments can also be replenished on a regular basis, further limiting the validity period of the transaction.
Gemalto says in today’s increasingly connected, mobile world, consumers readily jump from device to device. Whereas previously our online habits might differ depending on how we were accessing the web, the lines have blurred and most online activity can be done consistently across a multitude of platforms and operating systems.
However, when it comes to payments and transactions, there are some differences between the traditional web browser and the increasingly ubiquitous smartphone. Security concerns have always been on the agenda, thanks to factors such as the ease with which a phone can be lost or stolen, risks from connecting to the web via unprotected Wi-Fi hotspots and, in particular, malicious smartphone apps or mobile malware.
A recent paper from Javelin Strategy & Research found that although mobile transactions account for only 14 percent of total online transaction volume, 21 percent of all fraudulent transactions were made via mobile. In that context, moves to secure mobile payments are crucial for the future growth of the mobile platform. And that is where tokenization comes in.
Put simply, tokenization replaces the usual card credentials such as the Primary Account Number (PAN) with a substitute token value. Only the token is stored on the mobile device, protecting the original credentials from misuse.
The next challenge, however, is how to protect payment credentials when they’re stored outside of the secure element, for example in a software host that could be vulnerable to interception by fraudsters. Again, tokens can help here by setting limitations on their use. A token PAN can be defined to only be valid for a specific merchant, a specific type of purchase (e.g. mobile purchase), a specific country or region, a specific time period or simply one specific purchase.
This approach to tokenization is a critical next step in securing mobile payments, particularly for Android HCE-based payments which rely on software hosts. As the year progresses and further developments are made, it will be very interesting to see how the mobile payments landscape evolves.