How to make Pay by Mobile Secure with Tokenization at existing POS, Expert explains

If you’re new to tokenization, it’s important to gain some understanding in order to appreciate how Loop will be utilizing this technology to bring mobile pay to the masses. They recently shared a whitepaper with us.

What Is Tokenization?

In his white paper, George Wallner, head of technology innovation at Loop, explains that, Tokenization is an alternative security technology that converts the traditional card data, including the Primary Account Number (PAN), into a token. The token is just a number, whose only function is to point to the original card data, which is stored in a secure host called the 'Token Vault.' Once the transaction is complete, the token is then cancelled.

The concept makes sense. Instead of vulnerably handing all that sensitive information to merchants, each transaction is issued a unique, one-time token that is created, used, and cancelled once the transaction is complete.

With any alternative solution, there are immediate questions – Is it secure? What are the infrastructure requirements? Will it change the way merchants handle transactions? Will it change the way merchants handle other purchase-related functions, such as customer loyalty programs, refunds and disputes?

Mobile pay has traditionally presented the problem of relying on either a chip, or the phone itself to handle transactions. Such a system creates obvious security vulnerabilities. By converting all sensitive information to a single-use token that is generated from a third party, and only when a purchase is to be made, hackers are unable to use the transaction information to access any useful data, or make any future purchases.

One concern among merchants is that a PAN is used for more than just transactions. Merchants uses can include customer loyalty tracking, returns and dispute claims. By obscuring the PAN, merchants might lose important data. To address this issue, recent token updates only obscure a portion of the PAN, leaving the first 6 digits in tact.

While these concerns are satisfied, merchants will still be hesitant to adopt a new technology that forces costly updates to their POS infrastructure, which has been the very reason so many great technologies are so slow to make their way to the general public. Does Google Wallet come to mind? Despite a strong technology backed by a company as innovative as Google, the decision seems to rest, in large part, with retailers. Loop appears to understand this crucial point, and is making things simpler than ever for retailers by using Magnetic Secure Transmission.

At Let’s Talk Payments, we discussed tokenization at great length in 2013, and how it can help secure transactions and reduce fraud. LoopPay, also known as Loop, could be on the cusp of finally bringing mobile pay to the masses via token-based transactions using Magnetic Secure Transmission (MST). And the best part—while infrastructure cost has been a barrier to mobile pay adoption among retailers, Loop is giving retailers a free pass by not requiring them to change their POS (Point of Sale) infrastructure to receive mobile payments.

Loop’s magnetic induction technology uses existing magnetic stripe readers as the contactless data receiver. Wallner explains in his white paper that MST (magnetic secure transmission) formats the card data into simulated magnetic stripe tracks and transmits them via magnetic pulses, which can be read by existing terminals' magstripe reader. You might ask yourself what would stop the transaction from being intercepted once transmitted? Loop has addressed this concern by creating a contactless transfer distance of 1-3 in. Any reader outside of 3 inches is incapable of intercepting the token.

Loop very soon would also eliminate the risk associated with Smart Cards by securely moving the token generation from the device to a central host. Going forward, when a Loop Fob transmits data to the POS to initiate a payment, the fob will be sending a token that was generated in a secure host called the Token Vault, as opposed to being generated on the device itself. The security implications of this approach can be better understood by this analogy from Wallner:

A smart card is like a gun that can make its own bullets. It can sign transactions on demand through its entire lifecycle (or until cancelled). This is awesome power that requires serious security. Hard to achieve in a mobile phone. In a tokenized environment bullets are made in a secure central host (this is called Host Card Emulation). Bullets (tokenized cards) are distributed to mobile phones on an as-needed basis. As the mobile phones do not know how to make bullets, the security burden on them is greatly reduced and the system-wide exposure of the card issuers becomes much smaller.

To make this possible, Loop uses external MST transmitter devices in the form of either a fob, or a phone case.

Retailers play a crucial role in the rise of mobile pay. While the mobile pay trend is gaining steady ground, there remain two concerns that must be addressed to gain retailers approval on a large scale, namely security and the cost of infrastructure upgrades. Whoever addresses these concerns will have a leg up on even the largest players. Loop is taking both of these concerns head on with tokenization.

If Loop's founder and head of technology needed any more validation, they are getting it. George Wallner was recently honored with induction to the Payments Hall Of Fame at the Innovation Projects 2014 Conference held at Harvard University. Among his accomplishments, Wallner was recognized for his recent innovations in Loop Magnetic Transmission, his POS inventions, his creation of Hypercom, and his investment with ROAM Data.

We wrote a lot about tokenization in 2013 highlighting its importance.