Amex to Implement Digital Tokens to Replace Cards

American Express has announced that it will implement payment tokenization for card transactions, which allows shoppers to use their smartphones as payment mechanisms, providing a granular defense to reduce the exposure of live credit and debit card data in vulnerable systems.  

The service will replace traditional 16-digit credit card numbers with a digital token. Once a consumer’s card and mobile wallet are registered for payment tokens from the service, live data is no longer presented at the checkout: the smartphone acts like a virtual credit card, emitting a payment token to the card reader instead of physical card data. The merchant point-of-sale (PoS) and IT systems never see live data during this type of transaction.

In addition, tokens can be assigned for use with a specific merchant, transaction type or payment device to provide further protection against fraud.

“By introducing this service, American Express confirms that contemporary data-centric security approaches are necessary to stem the onslaught of system-wide attacks that traditional payment card data defenses cannot sustain on their own,” said Mark Bower, vice president of product management at Voltage Security, in an email. 

With payment tokenization approaches, innovative mobile wallet-based payments can enable new ways for consumers to pay with the benefit of reduced breach risk.

“While the US is finally shifting away from vulnerable magnetic stripe cards to EMV cards and secure mobile payments like this, all three payment methods will be around a long time,” Bower added. “Data security strategies must therefore cover risks across all of them. Contemporary tokenization and point-to-point encryption provide a formidable combination to neutralize malicious attacks to payment streams across the spectrum of mobile, EMV, traditional brick and mortar and e-commerce payment flows.”

The service is based on the EMV Payment Tokenization Specification, and will be available in the US and internationally starting next year.
