Voice of the Industry

Tokenization is here - are you ready?

Wednesday 25 March 2015 14:45 CET | Editor: Melisande Mual | Voice of the industry

Jennifer Billows Jonckheere, Accertify: Getting involved at the beginning of the tokenization conversation will make all the difference

Exposure to cyber-attacks and data breaches is a concern for everyone. With some high-profile merchants having suffered breaches in recent years, it is more important than ever for merchants to find ways to better secure customer data and reduce their risk of cyber-attacks. One method for securing online and ecommerce transactions that is becoming increasingly common is credit card tokenization.

Tokenization – the process of replacing sensitive data with unique symbols that retain all the sensitive information about the data, without compromising its security – is considered one of the most secure and fraud-proof payment mechanisms available. For merchants, it removes a huge storage burden and can reduce their Payment Card Industry (PCI) audit scope because the raw credit card information never enters their POS system or online payment portal.

Compliance and IT Security teams often take the lead on implementing tokenization to render card data unusable in case of a cyber-attack or data breach. As fraud managers, it is vital that you understand how the different methods could change the fraud review and prevention process. The consumer validation, transaction review and chargeback management processes could be impacted if they rely on the availability of the bank identification number (BIN), last 4 digits of the primary account number (PAN) or even the full card number. Getting involved at the beginning of the tokenization conversation, and having the time to work with your fraud solution vendors or in-house software team to determine and prepare for how these changes will affect the organization’s ability to fight fraud, will make all the difference.

Credit card numbers can be tokenized in a variety of ways, such as single-use, multi-use and issuer-based (for example Apple Pay or Google Checkout). Some tokenization providers can also create a 6.4 format-preserving token configuration, where the first six digits of the BIN and the last four digits of the PAN are preserved and the remaining digits are then randomized. This format reduces the risk of exposure to the original card data and can allow companies some flexibility for other processes.

Single-use tokens are generally considered the most secure style of token because the token is never re-used. For every transaction, the credit card number is converted into a different randomized sequence, regardless of whether or not that same card is used to make additional transactions. This method has the biggest impact on fraud teams because, when tracking both fraudulent and genuine behavior, it can decrease your ability to quickly recognize whether or not a returning customer is using a known good credit card for their purchase. A merchant’s ability to react negatively to a customer’s credit card number is also affected.

Multi-use and issuer-based tokens alleviate many of the negative impacts to fraud teams that originate with single-use tokens because these methods generate the same randomized sequence when the same credit card number is used for multiple transactions. Unlike the single-use method, the multi-use token allows for velocity tracking against the token, and can be added to positive or negative lists.
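The difference between the 6.4 single-use and multi-use styles described above, and its effect on velocity tracking, can be shown in a short sketch. This is an added example, not code from Accertify or any tokenization provider: the keyed HMAC standing in for a provider's vault, the key, the function names and the test card numbers are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from collections import Counter

VAULT_KEY = b"constructed-demo-key"  # assumption: secret held only by the token provider
_issued = set()                      # single-use tokens already handed out

def _wrap(pan, middle):
    # 6.4 layout: keep the first six and last four digits, replace the rest
    return pan[:6] + middle + pan[-4:]

def single_use_token(pan):
    """New random 6.4 token on every call; a token is never issued twice."""
    n = len(pan) - 10
    while True:
        tok = _wrap(pan, "".join(secrets.choice("0123456789") for _ in range(n)))
        if tok != pan and tok not in _issued:
            _issued.add(tok)
            return tok

def multi_use_token(pan, key=VAULT_KEY):
    """Same card always yields the same 6.4 token. The keyed HMAC stands in
    for a vault lookup; a real vault must also resolve collisions between
    different cards that share the same first six and last four digits."""
    n = len(pan) - 10
    digest = hmac.new(key, pan.encode(), hashlib.sha256).digest()
    return _wrap(pan, str(int.from_bytes(digest, "big") % 10**n).zfill(n))

def velocity(tokens):
    """Transactions seen per token, as a fraud rule engine would count them."""
    return Counter(tokens)

def demo():
    # Constructed test card numbers: one card used three times, another once
    pans = ["4111111111111111"] * 3 + ["5555555555554444"]
    single = velocity(single_use_token(p) for p in pans)
    multi = velocity(multi_use_token(p) for p in pans)
    # Highest per-token count under each scheme
    return max(single.values()), max(multi.values())

if __name__ == "__main__":
    print(demo())
```

With single-use tokens the repeat card never accumulates a count above one, so a velocity rule or a positive/negative list keyed on the token cannot match it; with multi-use tokens the three transactions land on one token.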

Data Validation Services (DVS), which can help validate a consumer’s identity during the transaction review, also need to be considered. Some DVSs require the full PAN – if this is the case, fraud and customer service teams need to be prepared as the introduction of tokenization would impact the process.

A successful tokenization solution can provide the ability to still use credit-card-based DVSs, have minimal impact on fraud team processes and provide enhanced credit card data security for the merchant. As fraud managers, you need to be early participants in these tokenization discussions so you can determine the impact it could have on your fraud management programs and processes and start to take action. Tokenization is here - make sure you are ready.

About Accertify

Accertify, a wholly owned subsidiary of American Express, is a leading provider of fraud prevention, chargeback management, and payment gateway solutions to merchant customers spanning diverse industries worldwide. Accertify’s suite of products and services help ecommerce companies grow their business by driving down the total cost of fraud, simplifying business processes, and ultimately increasing revenue.



Keywords: tokenization, Accertify, online fraud, online security, cyber-attacks, data breach