Thursday, March 28, 2024

The Value of a Token

As fraud grows more sophisticated, tokenization and encryption have become the foundational components of payment security at the point of sale and online.

Without tokenization and encryption technology, it’s a safe bet that today’s ever-increasing volume of digital payments, at the point of sale and online, would not be what it is. These technologies have helped enable the vast and growing presence of digital payments, even as new acceptance methods beyond the venerable POS terminal abound.

Tokenization and encryption have eased merchant pain points involved in storing sensitive payment data. They have made it easier for consumers to make a payment merely by tapping a smart card or mobile phone. Technologies like tokenization and encryption have reached such a level of usage that they have become nearly ubiquitous. Indeed, they warrant notice when coupled with payment services like the automated clearing house and burgeoning real-time payments programs.

Still, as valuable and beneficial as they are, tokenization and encryption are not the only tools that make online and face-to-face transactions safer for merchants, consumers, and acquirers.

“Both encryption and tokenization are important security steps forward for thwarting criminal access to payment,” says Jamie Moles, senior technology executive at ExtraHop, a Seattle-based network detection and response services provider. “However, neither are the panacea for point-of-sale security.”

Tokenization’s role in helping merchants secure their payments systems has been immense. Thanks to this technology, no longer are merchants subject to storing valuable payment data without some sort of protection. Tokens replace actual payments data, and are meaningless to thieves.

“Now, [merchants] store tokens,” says Maanas Godugunur, director of fraud and identity at Alpharetta, Ga.-based LexisNexis Risk Solutions. Meanwhile, tokens have “also helped create new business models, like mobile wallets,” he adds. Merchants gain comfort and a sense of security from tokenization because it helps prevent exposure of sensitive consumer data, he says.

The value of tokenization and encryption is immense, not only for preventing bad transactions, but monetarily. The tokenization market alone is forecast to reach $12.7 billion in value by 2030, says P&S Intelligence in its “Tokenization Market Size, Share, Growth and Demand Forecast Report 2030,” released in July.

“Tokenization and encryption can be effective tools for mitigating potential damage of large data breaches, a few of which have been devastating in recent years,” Isaac Gurary, chief executive of New York City-based NoFraud, a fraud-mitigation provider, tells Digital Transactions.

‘One Big Hammer’

But the news is not all good. Gurary adds, “While these technologies are standard in most POS software and are great measures at helping keep payments information secure, they are not foolproof. Sophisticated fraudsters can hack the application that stores token keys, attach listeners, or create viruses targeting specific devices. Increased security at [the point of sale] also encourages fraudsters to turn more of their attention to online fraud, which doesn’t bode well for [e-commerce] merchants.”

That has required online merchants to enlist countermeasures that strive to authenticate the customer. “It’s very important to not only create infrastructure and educate merchants, but to create tools like digital-identity tools,” Godugunur says.

While the payments industry has tried to keep up with fraudsters, he thinks more can be done. Adopting behavioral-identification technologies may be one component of a broader approach. Such technologies may provide details about how a consumer interacts with an online site.

“The big shift is around centralized digital identities that will likely come into play in several areas of life,” says Gergo Varga, product evangelist at SEON Technologies Ltd., a London-based fraud-prevention provider. “It’s a big bet in the sense that it tries to solve a lot of security problems with one big hammer, but we can already see that in societies that have effectively gone cashless, fraud doesn’t disappear. It just changes.”

Education is vital to the successful use of tokenization and encryption, suggests Ilyssa Papa, risk manager at Waltham, Mass.-based BlueSnap Inc., an e-commerce payments specialist. “Technology is ever-evolving, leading some consumers and merchants to become more aware of new advances than others,” Papa says. “Education, communication, and collaboration are all vital efforts for the payments industry, which often works collusively to target a common goal or problem, as it attempts to keep up with the evolution of fraud and combat shifting attack schemes.”

But some say consumers are more educated than merchants on new point-of-sale technologies. “Security is easier from the consumer’s side as there is less access for fraud,” says Bob Vergidis, founder and chief visionary officer at Point of Sale Cloud LLC.

“It is more profitable for a bad guy to go after a merchant than a consumer because the amount of credit card data they will get will always be more,” he adds. “Also, merchants have more points of access to their systems, and it’s harder to protect them all. When it comes down to it, security is a cost center for businesses, and being that it’s quite a specialized field a lot of time organizations fail to assign a value to it until something bad has happened.”

Breach Headlines

It’s these shifting attack schemes that keep merchants awake at night, especially as more consumers make their transactions online and their expectations for the availability of online payments increase.

“Accelerating omnichannel expansion, spinning up new interactive and personalized purchasing experiences, and migrating to public clouds are just a few ways retail is realizing digital transformation,” says ExtraHop’s Moles. “As these new initiatives roll out, an expanded attack surface increases the risk of compromise and impacts service levels, making it a challenge for the payment industry to keep up.”

Consumers may not understand the technical elements of tokenization and encryption, but they have seen the headlines on data breaches. There were 817 publicly reported breaches in the first half of 2022, according to the Identity Theft Resource Center.

“They are aware that technologies to secure their data exist,” says Jessica Rosa, senior director of merchant security at Brookfield, Wis.-based Fiserv Inc. “Merchants realize encryption and tokenization are critical to securing their customers’ payment data. They also understand these solutions are best deployed in a transparent manner to help preserve trust among their customers.”

Securing payment data is essential to trust along the transaction pipeline and is especially vital as criminals adjust their attacks to take advantage of new payments models or changing consumer behavior. That can mean new or enhanced methods of protecting payment data must be employed.

“Interestingly, what’s leading to the advancement of those technologies is tech companies realizing that there is money to be made by facilitating credit card information because it helps keep users on their platform,” says Point of Sale Cloud’s Vergidis.

“The other thing is the merchant’s desire to offer frictionless payments. Data has shown that consumers buy faster and they feel better about the cost of their purchases by how quick their checkout process is,” Vergidis continues. “In the quest for a better experience, technology companies and merchants are coming up with more innovative ways that offer better protection.”

‘A Delicate Balance’

Innovation has been the operative word for payments security for a long time. Often, it comes about from addressing “vulnerabilities that fraudsters are exploiting” or from “responding to consumer-behavior shifts,” says Rosa.

In many instances, it’s a combination of factors that are the catalyst. “For instance, if consumers are adopting a new digital-payment option at a high rate, this option can often be a target for fraud as attackers try to uncover new vulnerabilities,” Rosa adds.

Even with innovation, there sometimes are non-technology methods that can supplement tokenization and encryption.

As Vergidis says, “The biggest non-technology thing that an organization can do is increased awareness. Every company should have a security policy that is shared frequently with their employees, and everyone signs off on. It’s one of the requirements for compliance and it’s actually one of the most important things an organization can do to help reduce POS fraud. As they say, knowledge is power!”

It’s this human element that’s critical, says NoFraud’s Gurary. “Software that causes too much friction during the customer journey may prevent more than just fraud,” he adds. “It will prevent conversions as well. The development of security technologies needs to account for consumer tolerance. It’s a delicate balance between protecting merchants and consumers and mitigating risk without negatively impacting customer experiences.”

Digital Transactions