Tokenisation leads the way for more secure mobile payments

Despite early resistance from retailers and consumers, momentum is building toward making ‘tap-and-pay’ mobile payment systems the preferred choice among customers.

Google CEO Larry Page recently said, “I’ve been paying for a while with my phone. First time you pay with a phone, and you don’t have to pull out your card, mess with entering codes and signing things and so on, it’s a pretty great experience.”

Due to increasing demand by early adopters to use smartphones and wearable tech devices for payments, experts believe that 2015 is set to be the year of tokenisation.

What is tokenisation?

Tokenisation works by replacing sensitive information with a non-sensitive equivalent that is tied to a specific moment or scenario. In practical terms, it’s having your phone generate a code to validate a transaction without revealing your bank information.

By using tokenisation, a customer’s data can’t be stolen because the tokens either expire or are specific to a point-in-time transaction. Tokenisation is a critical security feature that helps to protect against card data fraud at point-of-sale devices, because it replaces credit card account numbers with a randomly generated sequence.

MasterCard said it will offer tokenisation services to merchants with apps, e-commerce and recurring billing programmes, and is providing tokenisation support for store-branded (private label) credit cards for use in digital wallets. Visa said it would provide access to tokenisation solutions for any card issuer, and is not charging issuers per-token fees.

American Express is also moving ahead with tokenisation plans to replace traditional 16-digit credit card numbers with digital tokens. Consumers carrying a card supporting the token will be able to make purchases online, with a mobile application, or in person via near field communication (NFC) devices, it said in November 2014.

2015 set to be the year of mobile payments across Europe

Earlier this year, VISA Europe announced “We believe that 2015 will be the year that mobile payments will be in the hands of consumers across Europe. Tokenisation is one of the most important technologies to emerge in digital payments and has the potential to start a whole new chapter in the kinds of products that are developed.”

Chip-and-PIN deadline approaches in the USA

Retailers in the USA are facing an October 2015 deadline to support chip-and-PIN card payments, and moves to strengthen credit card transactions come just in time.

Tokenisation was recently adopted by Apple when it revealed its Apple Pay wallet in September 2014. Companies such as Macy’s, Staples, Walgreens and McDonald’s were among the first to accept Apple Pay.

Tokenisation of payment card data is often used to meet the requirements of the PCI DSS. The PCI Council supports tokenisation in reducing risk in data breaches, when combined with other technologies such as point-to-point encryption and monitoring compliance to PCI DSS guidelines. Implementing tokenisation can simplify the requirements of the PCI DSS, because the systems no longer store or process sensitive data, which can reduce the scope of compliance and associated controls required by the PCI DSS.

Whether your organisation is a merchant or a service provider, our QSAs and PCI DSS experts can help you to improve your cyber security and comply with the contractual requirements of the PCI DSS in the shortest timeframe and for the minimum cost. Contact IT Governance for an expert opinion or to conduct a PCI DSS gap analysis on 0845 070 1750.

Read how IT Governance helped Appletree Communications achieve PCI DSS compliance through tokenisation.

PCI DSS