DEEP DIVESExclusive to Strategy Plans
January 30, 2019
The Internet of Things (IoT) is no longer a new buzzword in the industry as it is successfully making its way into our daily lives through smartwatches, cars, refrigerators, thermostats, and smart bulbs. In the next few years, IoT products are slated to get even more embedded in our existing systems. Over the last 10 years, IoT has made the leap from a concept to full-blown reality. Cisco predicts that by 2020, the IoT network will include more than 50 billion connected devices.
Many of these devices have paved the way for mobile transactions through non-traditional channels like using a smartwatch to pay for dinner. As technology continues to progress, it will only be a matter of time until nearly every device has a payment capability. This creates more convenient forms of transactions for consumers but simultaneously opens up many opportunities for cybercrime and security breaches.
We live in a world where security breaches are increasing at an alarming rate. For instance, a recent security breach at Marriott’s Starwood-branded hotels exposed the personal information of up to 500 million people on its Starwood guest reservation database.
These tourists, business travelers, and others had entrusted the Starwood hotel guest reservation database with details about their payment cards; contact numbers and email addresses; passport numbers and images; reward accounts, and travel itineraries. Meanwhile, in the e-commerce world, malicious attacks are on the rise as online shopping experiences have become part of our everyday life. Companies need to focus on security, data privacy, and consumer control to avoid being victims of malicious attacks. According to a report, British Airways had to apologize after the credit card details of thousands of its customers were stolen in an attack that took place over a two-week period on its website and app. Around 380,000 card payments were compromised, the airline stated, with hackers gaining access to names, street & email addresses, credit card numbers, expiry dates, and security codes – enough information to steal from accounts.
The increased frequency of data breaches is raising questions as to what measures companies are taking when it comes to safeguarding customer data. Another shocking incident that took place recently was the Caribou Coffee breach. The company revealed that a data breach involving at least 265 of its branches exposed some of its customers’ personal data. The personal information of affected customers could include names and credit card information like card numbers, expiration dates as well as card security codes. The recent string of data breaches bears testimony to the fact that financial institutions need to put consumer experience at the forefront of all new initiatives. Consumers deserve to get the best possible checkout experience without sacrificing security regardless of where they shop.
Breaches like these act as a challenge to the adoption of IoT as it may further the risk if appropriate measures are not taken. This is where initiatives like tokenization come to the rescue. Tokenization is the process of taking card credentials out of a transaction and replacing them with a unique token. This is an essential method for protecting financial institutions and their customers from various security threats.
To address the increasing security vulnerabilities for merchants, consumers and financial institutions, it is imperative that every connected device is secure, with no easily compromised card, account or personal information attached to it. Hence, the concept of tokenization plays a crucial role in the future of connected devices.
Tokenization is the process of replacing sensitive data with unique identification symbols that retain all the critical information about the data without compromising its security. The vital part of this process is its ability to make any important or static information unreachable by replacing the card number with a unique token. Tokenization creates an encoded dynamic transaction number while maintaining the account data undisclosed from the merchant or anyone who tries to steal the tokenized data.
The Process: A merchant makes a transaction that looks similar to an EMV transaction to the network, after which the payment processor matches it to its token vault. The token is then matched to a real card number and a message of approval is sent to the issuer for validation. This creates an additional piece of dynamic data and an extra level of security.
The most significant feature of tokenization is eliminating vital data such as the card number, CVV, and expiration date from the transaction. The temporary token data is useless to a criminal and as the transaction goes through multiple routes, the risk of compromise is minimal.
With an increasing number of payment-enabled devices, it is imperative to ensure each device and the networks with which they are correlated remain secure for consumers and merchants. Moreover, by using tokenization, online retailers can offer the same level of protection that an EMV card provides for in-store transactions.
In addition, the communication between e-commerce sites and mobile wallets creates a single-click checkout process for customers using mobile and other IoT devices. Tokenization will drive the commercialization of IoT in the future. With transactions linked to digital wallets and secured by tokens, every device has the potential to become a mode of payment. Cars, in particular, will soon become an ideal payment mechanism for gas, tollbooths, parking, and even fast food. Through NFC, customers can complete transactions in a secure manner without the need of a wallet.
In order for connected devices to become a mode of payment and to reduce card-not-present fraud, smart devices manufacturers and financial institutions alike must incorporate tokenization into their systems. This can be accomplished through core platforms and payment processors that have seamlessly integrated the concept of tokenization into their technology.
It is clear, then, that the industry must move to a tokenized environment fairly quickly. But how? Financial institutions, merchants and device OEMs must find a universal protocol or language that they all understand, across international borders.
When building security protocols, the question of interoperability comes up. The devices and IoT space is a hotbed of innovation these days, and there are dozens, if not hundreds, of manufacturers competing for market share. Consumers park their money with many different financial institutions, and shop at millions of merchants all over the world. How would the devices interact with each other, and with merchant ecosystems? This is where an industry-standard, robust and trusted tokenization scheme that can be adopted by all players becomes critical. – Rama Sridhar, Executive Vice President, Digital and Emerging Partnerships, Mastercard.
Payments giants like Mastercard are already making the transition to tokenization in a seamless and nearly cost-free manner. These companies have set the standard that gives every financial institution and merchant the capability to utilize tokenization without astronomical costs.
Since tokenization takes the stagnant data out of the transaction, it is nearly impossible to compromise. Tokenization not only saves time but also protects merchants, institutions, and customers from unnecessary stress. As more connected devices become payment instruments, it is crucial that the technology behind each transaction keeps both the institution and the consumer secure via tokenization.
The tokenization market size is expected to grow from USD 983 million in 2018 to USD 2,670 million by 2023, at a compound annual growth rate (CAGR) of 22.1% during the forecast period.
Mastercard’s digital strategy is rooted in delivering a seamless shopping experience that utilizes tokenization and advanced authentication through a standard checkout experience that leverages the EMVCo Secure Remote Commerce (SRC) framework, which was introduced last year.
The Mastercard acceptance network supports this rollout, delivering a more consistent checkout experience for consumers and reducing the multiple steps they face at different sites today. SRC will also make it much easier for merchants to implement and securely store tokens on file and improve their approval rates. This supports a move toward a token-only world by building on tokenization standards.
Together with banks, merchants, and payment service providers, Mastercard is bringing EMV-like security to digital environments. The company is working with Adyen, BlueSnap, Digital River, Stripe, Square, Worldpay, and Mastercard Payment Gateway Services to extend tokens to thousands of retailers. It is also working directly with issuers such as Citi and Fifth Third Bank to convert cards on file into tokens.
Tokenization offers added security, higher approval rates, and better transaction management – all of which translate to better consumer experiences. Various digital commerce solutions will be introduced to make online commerce more secure. While the physical card will probably remain within arm’s reach as an essential payments tool, its level of importance will diminish in the future as more consumers become familiar with tokenization.
Financial institutions are harnessing artificial intelligence to enhance verification efforts and enable secure transactions. With token services, consumers can store their card credentials with a merchant or retailer without the risk of exposing actual card account details, which adds another layer of security to online transactions without removing the convenience. It also prevents service disruptions with a consumer’s favorite merchants by automatically updating card credentials should a card expire or need replacement. The effective rollout of initiatives like tokenization will not only aid transaction approval rates but also reduce false positives at the same time.