There’s a new token in town

By André Stoorvogel

The way we pay is changing. Consumers are now using their PCs, smartphones, wearables, cars and even refrigerators to buy goods and services.

The size and value of the Canadian card-not-present (CNP) market is therefore increasing as payment use cases across digital commerce (e-commerce, m-commerce, Internet of Things) emerge and mature.

The cost of convenience

This growth in adoption driven by convenience, however, has come with a marked rise in fraud.

CNP fraud continues to surge worldwide and is set to hit USD $7.2 billion by 2020¹. Recent research from Visa has found that CNP fraud accounted for 78 per cent of all fraud perpetrated on Canadian accounts. The report also highlighted that 74 per cent of fraud losses at Canadian merchants are perpetrated in the CNP channel².

Merchants must therefore contend with a growing threat of compromised card-on-file databases and fraudulently-used credentials.

More security = more false transaction declines

To combat this rise in CNP fraud, merchants and payment service providers (PSPs) can deploy various technologies and techniques such as 3-D Secure, validation services, historical data, real-time monitoring and analytics and manual screening.

While all of these are valuable, and fraud prevention methods and advances are undoubtedly being made to make these security techniques more intelligent and improve risk decisioning, it is apparent that there is work still to be done. Unnecessary false transaction declines are outstripping the amount of actual fraud 13 times over in the U.S.³, meaning retailers are losing a total of $8.6 billion per year due to false declines compared to the $6.5 billion of fraud they are actually preventing⁴.

Merchants, which are in a constant battle against cart abandonment, must find an optimal balance between fraud prevention and their abilities to effectively serve and sell to customers to ensure that additional security measures do not lead to less revenue.

Introducing card-on-file network tokenization

The answer comes in the form of EMV network tokenization. It describes the process whereby card networks such as Mastercard or Visa replace a primary account number (PAN) with a unique payment token that is restricted in its usage, for example, to a specific device, merchant, transaction type or channel. It decreases the sensitivity of the underlying payment credential.

With card-on-file network tokenization, the merchant only stores payment tokens in their database rather than the actual card numbers. This technique delivers various security benefits to the digital commerce ecosystem by reducing the risks and mitigating the impacts of malware, phishing attacks and data breaches. Better fraud prevention will have a tangible impact on both consumers and merchants. At the same time, it permits faster transactions with fewer security-related “hiccups” when cards are accidentally declined.

Different tokenization types

Employing tokenization to reduce fraud is not a new concept in e-commerce. Until now, however, it has been mostly limited to PCI tokenization, which only tokenizes card data in the databases. In contrast, network tokenization deploys tokenized data throughout the transaction, meaning that the exposure of the original PAN is reduced to a minimum, making fraud much less likely.

Network tokenization has the potential to lower false transaction declines, as the merchant or PSP can rely on fraud scoring data from the card network that are associated with the issued tokens. This can potentially provide greater accuracy on the validity of transactions than internal fraud management tools.

A further unique benefit of network tokenization is that it enables consumer payment details to be instantly refreshed when a card is lost, stolen or expires. This removes the need for a consumer to login to an online shopping account to update their details or to miss out on a subscription due to redundant card credentials. It also means higher transaction approvals and increased revenues.

Finally, network tokenization is an opportunity for PSPs to differentiate and generate new revenues in Canada’s extremely competitive payments landscape by bringing forward new services to support e-commerce and m-commerce tokenization.

Value for all

Crucially, network tokenization offers much more than simply enhancing security. It can significantly increase convenience for consumers and create efficiencies for merchants.

In Canada, where cash use is relatively low and card and mobile use are very high, this brings huge value to the digital payments space, so we can expect to see growing momentum for the technology in the coming months and years.

André Stoorvogel is director, product marketing, payments at Rambus (www.rambus.com). Rambus’ Token Gateway for E-Commerce solution is one of the first to be qualified under the “Visa Ready” programme. This enables token requestors like online merchants, payment service providers and acquirers globally to quickly and securely connect to multiple network tokenization services such as the Visa Token Service to tokenize card-on-file e-commerce transactions.

1 RSA, “3-D Secure: The Force for CNP Fraud Prevention Awakens”, report, January 2016.

2 Visa, “The Future of Payment Security in Canada”, report, October 14, 2017.

3 Al Pascual, Kyle Marchini and Aleia Van Dyke, “Overcoming False Positives: Saving the Sale and the Customer Relationship”, white paper, Javelin Research, September 21, 2015.

4 Evan Bakker, “THE FALSE DECLINES REPORT: The $8.6 billion problem undermining e-commerce merchants’ fraud prevention strategies,” Business Insider UK, July 29, 2016.