Tokenization: Critical Security Technology for Apple Pay and Other Mobile Payments

There’s a lot of excitement about the latest generation of mobile wallets such as Apple Pay, Android Pay and Samsung Pay. Expectations are high that these new wallets will gain broad acceptance where their predecessors did not. Why? Well, for one thing, there’s a very strong set of security technologies underpinning these solutions. Consumers can feel confident that their accounts are secure as they make payments on the go.

“Staying protected while on the go” happens to be this week’s theme as part of National Cyber Security Month. We thought we’d take this opportunity to talk about the state-of-the-art of mobile wallet technologies now on the market.

Starting in October 2014, Apple was the first to launch their solution, Apple Pay, based on the most robust set of security technologies to date in the mobile payments space. Not to be outdone by Apple, Google and Samsung have both recently launched their new mobile wallets, Google Pay and Samsung Pay, respectively. The three wallets are quite similar, especially where transaction security is concerned.

Security technologies behind Apple Pay, et al

The versions of the Apple iPhones (and the Apple Watch as well) that support Apple Pay contain a chip called a secure element. It is a tamper-resistant microchip that is capable of securely hosting payment applications and their confidential and cryptographic data. The secure element is where a consumer stores his preferred credit and debit cards. This chip is also capable of generating a one-time-use cryptogram for each payment transaction.

There’s a setup process to put the account information on the phone or wearable device. When a consumer inputs his card account information onto the secure element — Apple does it via scanning — the card network (Visa, MasterCard, etc.) sends a token and a cryptogram to the device’s secure element over the air. The token is essentially a non-sensitive replacement for a card’s primary account number. Once the token and the cryptogram are installed, the iOS device is known as a token requestor.

Here’s what happens when a consumer wants to pay with a card stored on his phone:

• He holds the phone next to a point-of-sale terminal that is enabled with near field communications.
• The Apple Pay application authenticates the user via a fingerprint scan.
• The phone’s secure element sends the card token and cryptogram to the merchant
• The merchant passes the token and cryptogram to the card network.
• The network authenticates the token and cryptogram and forwards them to the bank that issued the payment card.
• The bank decrypts the token, determines its authenticity, associates it with the real primary account number and then authorizes the transaction.
• The merchant is credited with the amount of the sale and the consumer’s account is debited for that amount.

Within this process, some information is tokenized, some is encrypted, and information is stored securely on a tamper-resistant chip. The combination of these security technologies, and the authentication processes in every step of the transaction, are the strongest yet in the mobile payments space.

The same, but different

Android Pay and Samsung Pay operate much the same as Apple Pay, but with some differences. Instead of using a secure element chip, Android Pay uses what they call Host Card Emulation. With this model, the card data is stored securely in the cloud instead of on the phone. When the phone communicates with the point-of-sale reader through near-field communication, the operating system on the phone directs the POS reader to go to the cloud to get the card information rather than looking for it on a secure element chip. Tokenization still plays a vital role in protecting the real PAN even as it is stored in the cloud rather than on the phone’s chip. Once the card token is retrieved, the transaction authorization process is much like the process with Apple Pay.

With Samsung Pay, the Samsung devices do use an on-board secure element to store the card PAN. The difference with this solution is that, in addition to supporting NFC, Samsung also utilizes technology called magnetic secure transmission that it acquired via LoopPay. This enables communication between the Samsung device and the magstripe card reader. This means the mobile pay system is compatible with many more POS devices than those that only support NFC — millions more. But beyond the use of magnetic secure transmission, Samsung Pay functions quite similarly to Apple Pay as described above.

Tokenization vital to making it work

In all card-based POS payment transactions — whether it involves a mobile device or not — a critical part of the process involves passing information about the customer account from the customer, to the merchant, to the card brand, to the issuing bank. Sending data in the clear would be far too risky. Instead, a token that’s representative of the data transmits enough information about the account without putting the real data at risk. With tens of thousands of merchants, hundreds of card issuers and the major card brands getting behind this process, these new mobile payment systems are more likely to gain critical mass where previous generations of mobile payments did not.

Transaction-based token versus durable tokens

We should point out that the tokens used in these new mobile payment solutions are transaction-based or in other words, single-use tokens. That is, a new token is issued for each transaction, even if multiple transactions occur involving the same customer, same card and same merchant. Each transaction is self-contained and is not tied back to the specific consumer by use of a token. If the merchant wants to create a relationship with the customer, it’s typically done through a loyalty program and not through an association with the card and token. This makes sense because consumers often use different payment methods — cash, debit, credit, check — with retail merchants.

Some companies use durable tokens rather than card-based tokens. A durable token is generated once for a specific customer and his specific card for a life-long association. Every time the cardholder wants to make a payment to a certain merchant using that card, the exact same token is invoked time after time. Merchants that have online retail or wholesale stores appreciate this durable relationship between the card number and the token because they can offer their customers the ability to save cards to their account. This makes the checkout process a breeze, reduces the likelihood of the customer abandoning the shopping cart and increases the chances that a customer will come back to make a future purchase. Merchants that accept credit cards for invoice payments or phone orders appreciate that they can quickly process a transaction using the “card-on-file” upon customer instruction. This facilitates faster payment with minimal customer action, such as mailing a check or calling in with the correct credit card number each time that they make a purchase.  Durable tokens enable long term storage as well as various back-end business processes without exposing sensitive data.

Read more 2015 National Cyber Security Awareness Month posts:

• Pumpkin Lattes, Fall Festivals and National Cyber Security Awareness Month.
• Every Organization Needs a Culture of Cybersecurity to Help Prevent Attacks.
• A Cautionary Tale for Your Evolving Digital Life.
• Critical IT Projects vs. the Security Worker Shortage.