EMV Tokenization

What Is EMV Tokenization?

EMV Tokenization is a freely available token framework that can reduce the risk of fraud in electronic transactions. It was developed and maintained by EMVCo – a global technical body that is a joint venture involving Europay, Mastercard and Visa. Its ability to span the entire payment process distinguishes it from other tokenization techniques.

EMV Tokenization facilitates the use of electronic tokens across the payment network in place of sensitive data. These tokens are sent instead of personal information, most specifically people’s primary account numbers (PANs), which include the 16-digit long numbers on credit and debit cards, and they also store card numbers and other unique identifiers.

PANs would enable anyone who obtains them to potentially pay with that card, so protecting them is key to all types of payments, both in person and remote. PANs are secure and worthy of consumers’ trust, as opposed to the previous system that fails to prevent card-not-present fraud.

The use of EMV tokens can be restricted to individual merchants, transactions or payment devices. Use cases include online wallets, ecommerce checkouts, in-app payments, and merchant-initiated transactions.

Why Is There a Need for Tokenization Technologies?

Tokenization technologies help to prevent fraud and reduce the amount of sensitive data sent via payment networks. Because it is tokens that are sent instead of primary account numbers (PANs) across payment networks, data intercepted by criminals is considerably less valuable and less likely to enable them to do harm.

Not only is the sensitive information replaced by non-sensitive dummy data, it’s also restricted in use. For example, an EMV token for a one-off guest checkout on an ecommerce site cannot be reused by the same person for an in-person transaction elsewhere.

How Does EMV Tokenization Work?

Here’s a basic example of how EMV tokenization works:

1. A consumer visits an online shop and makes a purchase by providing their card details.
2. The checkout platform or payment network generates the token that will be used to authorize and process the payment.
3. The token is sent across the payment network in place of the original payment details, which are stored in a token “vault”.
4. The token is then used – in place of the card details – to seek authorization from the issuing bank or card network.
5. The payment token is sent back to the merchant, following a successful authorization.

The EMV Tokenization framework allows for various different implementations. For example, contactless digital wallets such as Google Pay and Samsung Pay use EMV tokens to process payments without transmitting PANs, as part of their efforts to reduce digital wallet fraud. 

In these scenarios, Google and Samsung are the token requesters, requesting tokens from Token Service Providers (TSPs) registered with EMVCo.

How Does EMV Payment Tokenization Differ from Other Forms of Tokenization?

The key difference between EMV payment tokenization and other forms of tokenization is that EMV tokenization allows tokens to pass across the entire payment network.

By contrast, consider these other forms of tokenization used in payment networks:

Acquirer tokenization sends data between the merchant and the acquirer in token form, but sends the PAN over the payment network to the card issuer.

Merchant tokenization protects data with tokenization within the merchant’s systems, but requires PAN data to be sent to the acquirer, and onward to the issuer.

It’s worth noting that the EMV Tokenization standard is designed for flexibility and allows businesses and financial institutions to use it alongside other tokenization techniques.

Other types of tokens are also widely used as a data security measure for non-payment data.

Types of EMV Tokenization

The core use cases for EMV tokenization, as defined by EMVCo, are as follows:

• EMV tokens for proximity payments at the point of sale (e.g. Google Wallet or Apple Pay)
• tokens for online wallets
• in-app payments on personal devices
• ecommerce card-on-file payments
• ecommerce guest checkouts
• payments made via third-party service providers
• transactions initiated by merchants

The above is not an exhaustive list, as the EMV tokenization is a specification designed to facilitate continued innovation and new use cases.

Why Is EMV Tokenization Important?

The simple answer is that EMV tokens make it more difficult for a criminal to be able to steal and use credit and debit cards. As a result, consumers have more trust in electronic transactions, while merchants and the economy as a whole benefit.

EMV tokenization provides a framework to increase the security of payments and prevent fraud in an environment where such payments are becoming increasingly popular. 

As 62% of people now regularly use two or more forms of digital payment, such tokenization protocols are becoming increasingly important in protecting both consumers and organizations.

EMV tokenization uses a methodology that limits payment tokens to specific transactions, merchants or payment devices. It can replace or complement legacy security measures for both financial institutions and individual businesses.

How Does EMV Tokenization Fight Fraud?

EMV tokenization fights fraud by taking the place of data that criminals are keen to access. Even if they manage to intercept it, the data they acquire will be of little use to a fraudster who was hoping to commit credit card fraud or synthetic identity fraud, for example.

The primary account number (PAN) is arguably the most valuable piece of sensitive information that can fall into bad hands – and EMV tokenization is specifically designed to ensure that PANs are used as little as possible throughout the entire payment process.

In the event of data being intercepted, the content of an EMV token is much less useful than the primary account number would have been. The token does not give far reaching access to an account and it is not as helpful to a fraudster as a PAN.

Furthermore, the use of EMV tokenization can reduce the impact of large-scale data breaches. A data dump of randomized EMV tokens has far less value than a plaintext list of credit card numbers.

Related Terms

Related Articles

Sources