Protecting customer payment data is integral to the security and success of the payments ecosystem. In an increasingly interconnected world, with a growing number of payment options, the need for strong security solutions is clear, with fraud being an ever-present danger. Payments currently fall under four main categories: card present transactions, ecommerce, mobile payments, and IoT payments. With so many different payment methods now in use, the need to ensure that consumer data is protected across all channels is only growing and will continue to do so, as more markets further digitise payments.
The process of tokenization is not a new concept and is where something with high value (e.g., debit or credit card account numbers) is replaced by something with low or no intrinsic value. Therefore, payment tokenization enhances transaction security by removing the most valuable data from malicious actors from the transaction. In the context of mobile payments, EMVCo defined the first standards for tokenization back in March 2014.
Under the first version (v1.0) of EMV’s tokenization framework, payment tokens are used to replace the PAN (Personal Account Number) in payment transactions, whereas non-payment tokens may be used for ancillary processes, including loyalty and tracking. Occasionally, the last four digits of the PAN may not be encrypted for these processes, including customer service, loyalty tracking, digital wallet display, and receipt creation.
Based upon the EMV specification, a static token is combined with a dynamic component, specifically a uniquely generated cryptogram, for greater security. EMVCo further expanded upon these capabilities in v2.0 to include both mobile payments and ecommerce, while adding the ability to share tokens between merchants. Since then, EMVCo has further updated the framework, with v2.3 being released in October 2021. This latest update offered further information on the technical aspects of token creation to provide greater clarity over when and how payment tokens are generated.
Tokenization is frequently adopted to reduce the scope of the PCI DSS (Payment Card Industry Data Security Standard) as set out by the PCI SSC (Payment Card Industry Security Standards Council). This is because payment tokens are inherently not payment information, and, as such, they do not fall under the umbrella of PCI DSS requirements outlining the secure transmission of payment data. However, it is important to note that even with tokenization in place, merchants must still meet the rest of the compliance requirements.
The rise of tokenization comes at a time when online payment fraud is increasing, with Juniper Research forecasts showing the total cost of ecommerce fraud to merchants will exceed USD 48 billion globally in 2023, from just over USD 41 billion in 2022. With the rise of alternative payment methods creating new and varied risks for payment fraud, doing the best to prevent payment fraud and increase the security of transactions has never been as important.
This is where tokenization comes in: a major source of fraud is where payment details are exposed in data breaches, then these stolen details are used to make fraudulent purchases. However, under a tokenized model, the data breach cannot expose what it does not have, namely, the full payment details. Reducing the data being transmitted to a token means that this, if exposed, is useless to fraudsters.
By taking this simple step, payments can offer greater security and reduce one of the biggest risks of data breaches. While this will not eliminate fraud entirely, it will have a significant impact, securing the overall customer journey.
Given the strong benefits of tokenization, its future trajectory is upwards. Our most recent study found that the total number of tokenized payment transactions will exceed 1 trillion globally by 2026, rising from 680 billion in 2022.
Figure 1: Global Tokenised Transactions (m) 2022 & 2026
Source: Juniper Research
Much of this growth will be related to the rise of ‘one-click’ solutions, such as click-to-pay, that use card-on-file tokenization to store a customer’s payment credentials, enabling them to auto-fill their checkout details and complete transactions via a single click.
However, tokenization is not limited to just existing use cases. IoT payments, for example, are a great area where tokenization can have a major impact. We forecast that tokenized IoT transactions will reach 19 billion by 2027, growing 400% from just 3.8 billion in 2022. At a basic level, tokenization is fundamental to facilitating IoT payments; enabling transactions to be made via new use cases and form factors, unlocking new revenue opportunities for payment providers.
However, tokenization is highly competitive, with lots of card payment networks and third-party providers offering capabilities in this market. Tokenization is also not restricted to just one type, with different types including network and PCI tokenization, meaning that there are options for tokenization vendors to compete on going forward, as well as exploring the area of the IoT.
This editorial is part of The Paypers' Fraud Prevention in Ecommerce Report 2022-2023, the ultimate source of knowledge that delves into the world of fraud prevention, revealing the most effective security methods for companies to stay one step away from bad actors and secure their businesses.
Nick Maynard is Head of Research at Juniper Research. His key area of focus is the fintech and payments area, including embedded finance, Open Banking, and digital wallets, among others.
Juniper Research specialises in providing best-in-class market research across mobile, online, and disruptive technologies. We offer in-depth reports, forecasts, annual subscriptions, and consultancy. Our global clients include banks, payment providers, and many others. To find out how we can help you, contact info@juniperresearch.com or visit www.juniperresearch.com.
Every day we send out a free e-mail with the most important headlines of the last 24 hours.
Subscribe now