Cross-channel fraud and the benefits of tokenization

Last updated: 14 November 2019

In today’s increasingly connected, mobile world, consumers readily jump from device to device. Whereas previously our online habits might differ depending on how we were accessing the web, the lines have blurred and most online activity can be done consistently across a multitude of platforms and operating systems.

However, when it comes to payments and transactions, there are some differences between the traditional web browser and the increasingly ubiquitous smartphone. Security concerns have always been on the agenda, thanks to factors such as the ease with which a phone can be lost or stolen,  risks from connecting to the web via unprotected Wi-Fi hotspots and, in particular, malicious smartphone apps or mobile malware. A recent paper from Javelin Strategy & Research found that although mobile transactions account for only 14 percent of total online transaction volume, 21 percent of all fraudulent transactions were made via mobile.

In that context, moves to secure mobile payments are crucial for the future growth of the mobile platform. And that is where tokenization comes in.

Put simply, tokenization replaces the usual card credentials such as the Primary Account Number (PAN) with a substitute token value. Only the token is stored on the mobile device, protecting the original credentials from misuse.

The next challenge, however, is how to protect payment credentials when they’re stored outside of the secure element, for example in a software host that could be vulnerable to interception by fraudsters. Again, tokens can help here by setting limitations on their use. A token PAN can be defined to only be valid for a specific merchant, a specific type of purchase (e.g. mobile purchase), a specific country or region, a specific time period or simply one specific purchase.

As a result, even if the token is intercepted, its reuse would be very limited , meaning that incidences of ‘cross-channel’ fraud can be significantly reduced. Transaction keys needed for EMV payments can also be replenished on a regular basis, further limiting the validity period of the transaction.

This approach to tokenization is a critical next step in securing mobile payments, particularly for Android HCE-based payments which rely on software hosts. As the year progresses and further developments are made, it will be very interesting to see how the mobile payments landscape evolves.

In the meantime, you can read more about how the Gemalto Trusted Service Hub (TSH) addresses Tokenization in several different forms here.