The Real Security with Tokenization

July 2, 2014


By: Robin Moser, GEOBRIDGE Corporation

There are a variety of drivers pushing PAN tokenization to the top of payment industry initiatives. The latest, EMVCo’s tokenization technical framework published in March of this year, has the major payments players taking a serious look at PAN tokenization as a mechanism for protecting sensitive cardholder data. On the surface, it is totally understandable that replacing PANs with a token provides an opportunity to prevent the unauthorized access and use of legitimate PANs, especially for online and mobile wallet transactions.

The real question, however, is at what point does the token become equivalent to the PAN in terms of its value as a payment mechanism? If the true PAN is replaced with a token value that may be re-used, does the token really bring added security or is there really just a whole new value that needs to be protected? The answer is yes and yes!

What seems to be missing in the PAN tokenization discussions I have been hearing is the critical security underpinning that the EMVCo framework provides – token assurance data. So while the token provides an alternate value that reduces the exposure of the true PAN in higher-risk payment channels, it is the inclusion of the token assurance data that provides the real security.

Well-crafted assurance data can provide the necessary uniqueness and authenticity at a transaction level to allow a token to be re-used. Generating cryptographically derived and unique assurance data each time a token is used is the only real way to make a re-usable PAN token beneficial. It takes the pressure off protecting the token (or a PAN, for that matter), because each time the token is presented it is accompanied by assurance data that the token service provider cryptographically verifies to ensure the authorized and legitimate use of the token.

EMVCo is not prescriptive in defining assurance data, but in some ways that makes the endeavor even more exciting. Assurance data can be as complicated or simple as the tokenization solution defines it. It will be interesting to see how this shapes up and what the market presents as solutions roll out.
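Because the framework leaves the construction open, the following is an added illustration and not EMVCo's or any vendor's scheme: it assumes an HMAC-SHA256 over the token, a transaction counter, the amount and a merchant ID, keyed with a per-token secret shared between the device and the token service provider. All names (`TokenServiceProvider`, `make_assurance`, the field layout) are hypothetical. It shows why a captured token, or even a captured token plus its used assurance data, fails verification.

```python
import hashlib
import hmac
import secrets


def _encode(*fields) -> bytes:
    # Length-prefix each field so distinct transactions never share an encoding.
    parts = [str(f).encode() for f in fields]
    return b"".join(len(p).to_bytes(2, "big") + p for p in parts)


def make_assurance(key, token, counter, amount_cents, merchant_id) -> bytes:
    """Device/wallet side: MAC over the token and this transaction's details."""
    msg = _encode(token, counter, amount_cents, merchant_id)
    return hmac.new(key, msg, hashlib.sha256).digest()


class TokenServiceProvider:
    """Hypothetical TSP holding a key and the last accepted counter per token."""

    def __init__(self):
        self._keys = {}
        self._last_ctr = {}

    def provision(self, token: str) -> bytes:
        # Assumption: the key reaches the device over a secure channel.
        self._keys[token] = secrets.token_bytes(32)
        self._last_ctr[token] = 0
        return self._keys[token]

    def verify(self, token, counter, amount_cents, merchant_id, assurance) -> bool:
        key = self._keys.get(token)
        if key is None:
            return False  # unknown token
        expected = make_assurance(key, token, counter, amount_cents, merchant_id)
        if not hmac.compare_digest(expected, assurance):
            return False  # forged, or bound to different transaction details
        if counter <= self._last_ctr[token]:
            return False  # replay of assurance data that was already used
        self._last_ctr[token] = counter
        return True


if __name__ == "__main__":
    tsp = TokenServiceProvider()
    token = "4900000000000001"  # constructed sample token, not a real PAN
    key = tsp.provision(token)
    tag = make_assurance(key, token, 1, 2500, "MERCHANT-A")
    print("fresh:", tsp.verify(token, 1, 2500, "MERCHANT-A", tag))   # True
    print("replay:", tsp.verify(token, 1, 2500, "MERCHANT-A", tag))  # False
```

The MAC is checked before the counter so that a forged message cannot advance the counter and lock out the legitimate device.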