Mobile payments can be a finicky business. Consumers are presented with a broad range of payment options and channels – from Apple Pay to Google Wallet to Visa Checkout – all vying for majority adoption. The industry’s brightest minds and deepest pockets are at work to create better commerce experiences, including Samsung, Walmart, Google, PayPal and scores of startups in the fintech space.
In fact, during the first three quarters of 2014, global payments and transaction startups raised a combined $1.18 billion through 75 funding deals. Plus, more and more banks have launched plans to build mobile payments directly into their mobile banking apps. By and large, these mobile payment initiatives are building solutions based on NFC (near field communication) technology, designed to create a fast and convenient payment experience.
You’re familiar with NFC technology if you’ve used the aforementioned Apple Pay on your iPhone 6 or Google Wallet on your Android device. With a couple of quick steps on your phone screen and a tap on a terminal near a cash register, the mobile device communicates a payment from your virtual wallet to the retailer.
NFC also lets our mobile devices do a broad range of other things, from unlocking car doors to sharing photos with others in close proximity. Since the launch of Apple Pay, though, NFC for payments has finally found its moment in the spotlight.
PayPal has adopted NFC with its Here point of sale reader, NFC upstarts like Mobeewave have raked in new funding rounds, rumors are swirling about the potential for Microsoft to jump on the NFC payments bandwagon, and VCs from SBT Venture Capital to Sequoia Capital have remained active investors in the NFC and broader payments space.
With all the innovation and momentum around mobile wallets, NFC or otherwise, payment security is a huge concern to merchants, issuers, payment networks and any new wallet provider. As the number of high-profile data breaches that have plagued the U.S. within the last year demonstrates, payment data security is absolutely essential as consumer adoption grows.
Unfortunately, NFC is only a functional technology, not a thorough security safeguard. It needs another complementary layer of security on top of it to complete the payments software package. All of this sets up rather nicely for tokenization to emerge as a new defense against mobile payment fraud.
In its most basic form, tokenization aims to lower the value of sensitive data stored on mobile devices and transmitted over networks during payment. It consists of replacing a payment card’s static credentials (like the 16-digit card number and expiration date on a plastic card) with substitute credentials, or tokens, that limit the impact of a data breach or sporadic card theft.
Token credentials are limited to use on a specific device, at a specific merchant or for specific types of goods and services.
While my company, Gemalto, recently announced broadened tokenization capabilities, we certainly aren’t the only ones concentrating on the technology. SimplyTapp, Sequent and Visa are all examples of companies (some being competitors) investing in the development and implementation of tokenization. This widespread attention is driven by a few main reasons why embracing tokenization just makes good sense.
1: Flexible Security
Whether payment card credentials are being provisioned onto an embedded secure element, a SIM card or a mobile application, tokenization strengthens security. The token cannot be used beyond its pre-defined purpose, and is therefore useless to hackers trying to commit fraud via online purchases or by cloning magstripe cards.
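To make the idea of a token that is restricted to one device and one merchant concrete, here is a simplified model added as an illustration; it is not code from Gemalto or any payment network, and the class, method and identifier names are hypothetical. It shows a card number being replaced with a random substitute and the checks that keep a copied token from being used outside its scope.

```python
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class TokenRecord:
    pan: str                     # real card number; never leaves the vault
    device_id: str               # device the token was provisioned to
    merchant_id: Optional[str]   # None means "any merchant"
    active: bool = True


class TokenVault:
    """Toy issuer-side vault mapping substitute tokens to real card numbers."""

    def __init__(self):
        self._records = {}

    def provision(self, pan, device_id, merchant_id=None):
        # The token is random, not derived from the PAN, so it cannot be reversed.
        token = pan
        while token == pan or token in self._records:
            token = "".join(secrets.choice("0123456789") for _ in range(16))
        self._records[token] = TokenRecord(pan, device_id, merchant_id)
        return token

    def authorize(self, token, device_id, merchant_id):
        """Return (approved, reason); the PAN is resolved only inside the vault."""
        rec = self._records.get(token)
        if rec is None or not rec.active:
            return False, "unknown or revoked token"
        if rec.device_id != device_id:
            return False, "token presented from a different device"
        if rec.merchant_id is not None and rec.merchant_id != merchant_id:
            return False, "token not valid at this merchant"
        return True, "approved"

    def revoke(self, token):
        # A leaked token is retired without reissuing the underlying card.
        if token in self._records:
            self._records[token].active = False


def demo():
    vault = TokenVault()
    pan = "4111111111111111"  # constructed test card number, not a real account
    token = vault.provision(pan, device_id="phone-A", merchant_id="coffee-shop")
    results = [
        vault.authorize(token, "phone-A", "coffee-shop"),   # intended use
        vault.authorize(token, "phone-B", "coffee-shop"),   # copied to another device
        vault.authorize(token, "phone-A", "online-store"),  # outside merchant scope
    ]
    vault.revoke(token)
    results.append(vault.authorize(token, "phone-A", "coffee-shop"))
    return token, results
```

Real payment tokens carry further controls, such as per-transaction cryptograms, that this model leaves out.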
Thanks to tokenization, emerging alternatives to secure element-based NFC, like host card emulation (HCE), have been endorsed as secure by payment brands, finally opening the door to independent, bank-owned mobile payment apps.
Banks and payment providers can use HCE and tokenization to create their own payment apps without needing access to complex mobile storage and chips. Combining tokenization with techniques to encrypt and hide security keys and sensitive data in the code of mobile apps helps secure HCE-based wallets on Android devices.
2: Instant Use
Before the introduction of tokenization, digitizing payment cards for mobile wallets often involved a review and approval process by the bank, which could take anywhere from minutes to days. Banks and wallet providers have understandably been asking for a way to complete enrollment instantly and minimize registration abandonment.
eCommerce, as a comparative example, can have an average abandonment rate of 75 percent, strongly linked to additional registration steps at checkout. These extra steps in the eCommerce checkout experience are comparable to a hamstrung user sign-up process in mobile payments. Both create friction and reduce the number of users that stick it out until the end of the road.
Tokenization has made it so that customers can sign up and be ready to pay within seconds – a huge factor in mobile payments convenience and adoption.
3: Minimal Pushback
The road to including tokenization technology is fast and straightforward for all involved parties. Tokenization has no impact on physical retail NFC terminals, on the processing side of payments or on the perceived consumer purchase experience. There’s no need for merchants to invest in new hardware or software and, for issuers, implementing tokenization has little impact on their existing back-end technology.
Frankly, there are few reasons mobile payments innovators shouldn’t embrace tokenization to improve their security. It will even work in concert with the upcoming migration to EMV cards, so the time is especially ripe to make a move. Securing payments with tokenization, whether card-based, contactless or mobile, increases protection of face-to-face transactions and already holds great promise for remote or online transactions as well.
So far this dynamic ecosystem is brewing healthy competition and innovation, giving wallet providers and issuers plenty of security options. While tokenization solves many security challenges, it is worth pausing to remember that securing payments doesn’t stop here. Security is always a moving target as fraud techniques evolve.
Even after tokenization becomes ubiquitous, the entire industry, from established giants to burgeoning startups, should continue challenging itself and asking: “Beyond tokenization, what’s the next technology that can make mobile payments that much easier and more secure for consumers and providers alike?”