Tokenization's role in IoT security
By Matt Herren, product manager, payment analytics, CSI
Refrigerators, cars, watches, rings – what do all of these items have in common? They are all products that are capable of connecting to the internet and completing transactions or interacting with users via mobile interface. And the number of internet-enabled items is increasing at a rapid pace.
According to Gartner, there will be more than 20 billion devices connected to the web by 2020. Many of these Internet of Things devices also are opening the door for mobile transactions through non-traditional channels, such as ordering food through the refrigerator or using a smartwatch to pay for lunch.
And when it comes to making financial transactions with an object connected to the web, NFC technology means that transactions can be completed without physically pulling out a wallet or smartphone. As technology continues to advance, it will only be a matter of time until nearly every device has a payment capability.
While that means more convenient transaction methods for consumers, it also opens a window for cybercrime and security breaches. This makes tokenization, the process of taking card credentials out of a transaction and replacing them with a unique token, an even more vital method to protect not only financial institutions, but also their customers, from vicious attacks.
All of these devices are increasing security vulnerabilities for merchants, consumers and financial institutions, so it is important that every IoT device is secure, with no easily compromised card, account or personal information attached to it. That's where tokenization plays a key role in the future of connected devices and IoT.
Tokenization is the process of replacing sensitive data with unique identification symbols that retain all the essential information about the data without compromising its security. The valuable part of this process is its ability to make any important or static information unreachable by replacing the card number with a unique token. Tokenization creates an encrypted dynamic transaction number, keeping the account data undisclosed from the merchant—and anyone who manages to steal the tokenized data.
Here's how the process works: a merchant sends a transaction that looks similar to an EMV transaction to the network, and the payment processor matches it to its token vault. The token is then matched to a real card number and an approval is sent to the issuer for validation, which creates an additional piece of dynamic data and extra level of security.
The most important aspect of tokenization is eliminating vital data such as the card number, CVV and expiration date from the transaction. The temporary token data is useless to a criminal, and as the transaction passes through multiple routes, the risk of compromise remains low.
Tokenization and IoT
With billions of devices soon becoming payment solutions, it is vital to ensure each device — and the networks with which they’re correlated — remain secure for consumers and merchants. And by using tokenization, online retailers can offer the same level of protection that an EMV card provides for in-store transactions.
In addition, the interaction between e-commerce sites and mobile wallets establishes a single-button checkout process for customers using mobile and other IoT devices. This is important, because e-commerce dollars now comprise 10 percent of all retail revenue.
Indeed, tokenization will drive the future commercialization of IoT. With transactions linked to digital wallets and secured by a token, every device has the potential to become a payment method. Cars, in particular, will soon become an ideal payment mechanism for gas, toll booths, parking and even fast food. Through NFC, consumers will be able to complete transactions without the need of a wallet, and in a secure manner.
In order for IoT devices to become a method of payment that is, in fact, secure — reducing card-not-present fraud — institutions must incorporate tokenization into their systems. This can be achieved through core platforms and payment processors that have tokenization integrated into their technology.
Payments giants such as Visa and Mastercard already are making the transition to tokenization seamless and nearly cost-free. These companies have set the standard that gives every financial institution and merchant the capability to utilize tokenization, without astronomical costs.
And since tokenization takes the stagnant data out of the transaction, it is nearly impossible to compromise, which saves merchants, institutions and customers time and worry.
As more connected devices become payment instruments, it is crucial that the technology behind each transaction keep both institution and consumer secure via tokenization.