By Andre Stoorvogel, Director of Product Marketing, Rambus Payments.
It is hard not to become desensitized to the almost daily news of data breaches. Back in September, WIRED assessed 16 of the most high-profile hacks of 2018 and payment data was a common theme in many of them. Sure, identity theft is appealing to fraudsters, but the end game is nearly always financial gain so lifting payments data is a far more direct path to a payoff.
This trend is borne out in the data. According to PYMNTS’ Global Fraud Report, e-commerce fraud likely cost the industry $58 billion worldwide in 2017, with card-not-present (CNP) fraud up 106% year-on-year. Javelin Strategy also highlighted that CNP fraud is now “81% more likely than point-of-sale fraud.” So, what can be done?
Criminals’ eyes on a (boring) prize
If we take it as a truism that hackers will find a way behind firewalls, onto servers and into databases, we need to make the potential prize less appealing.
When the payment brands replace a primary account number (PAN) with a unique payment token that is restricted in its usage, for example, to a specific device, merchant, transaction type or channel. Merchants can strike an effective balance between high security and a frictionless buying experience.
While network tokenization is now being used in different ways, it is not a new technology. It has been hugely successful in protecting in-store mobile payments and it is now being touted as another layer of security for e- and m-commerce fraud. What many people don’t realize, though, is that card-on-file network tokenization does not only apply to newly enrolled cards. Existing card-on-file databases can be fully migrated to network tokenization and processed to ensure that the benefits extend to merchants’ full operations.
Network tokenization means merchants only store payment tokens in their database rather than actual card numbers. This delivers various security benefits to the digital commerce ecosystem by reducing the risk and mitigating the impact of malware, phishing attacks and data breaches. Essentially, merchants can make their entire card-on-file database unappealing to fraudsters overnight. Of course, hackers may still try to get in, but by tokenizing cardholder and card data, the information taken is largely useless. So, hackers will simply need to go elsewhere for their ill-gotten gains.
Combatting CNP fraud
It is important to note that tokenization is not intended to replace existing fraud measures, but to complement them. EMV 3-D Secure, real-time monitoring, historical data and manual screening are valid fraud prevention methods which work alongside tokenization.
Moving beyond PCI tokenization
It is worth quickly clarifying that network tokenization is different to PCI tokenization, which most merchants will already be familiar with. Where PCI tokenization only tokenizes card data in the database, network tokens travel through the whole transaction, meaning that the exposure of the original PAN is reduced to a minimum, making fraud much less likely.
Get ahead of the curve
Hacking, malware, phishing…online retailers must accept these as a reality of doing business in our digital world. They should not lose heart, though. Tokenization fits seamlessly into their current infrastructure and payment processing flows without impacting (and even enhancing!) the buying experience, it just makes the data they store infinitely less interesting to hackers. And that’s all of the payment data, not just newly enrolled cards. One important thing to note, tokenization is looking to become a requirement for e- and m-commerce merchants so getting ahead of the curve now will pay dividends in the future.
Overall, this is a technology that lets merchants focus more resource on what they do best, serving customers.
For more information on how tokenization can help you protect card-on-file data in the fight against CNP fraud, download the Rambus eBook.
1 EMV® is a registered trademark in the U.S. and other countries and an unregistered trademark elsewhere. The EMV trademark is owned by EMVCo, LLC.