They want to swap payment card numbers with tokens that consumers enter during checkout.
Mobile commerce is undoubtedly growing at a rapid clip. In 2013, mobile retail sales for the 358 U.S. merchants ranked in the 2014 Internet Retailer Mobile 500 combined with U.S. mobile commerce sales for eBay Inc. will grow about 64% to $34.2 billion from $20.9 billion in 2012, according to the Mobile 500.
Still, there’s a significant portion of consumers who do not shop from smartphones because they are concerned about security and privacy. In a recent survey of 500 online consumers about their shopping plans for the upcoming holiday season, 28% of respondents said they will not use their phones to shop for holiday gifts because of security and privacy concerns.
A group of card companies, which make their money on card transaction fees and therefore have a vested interest in making consumers feel comfortable using their payment cards as much as possible, have released a standard designed to make web and mobile web purchases more secure. The standard, put forth by MasterCard, Visa and American Express, would enable shoppers’ payment card numbers to be replaced with digital payment tokens. Consumers would enter the tokens in lieu of their payment card numbers at checkout on both mobile devices and PCs. This, the card companies say, adds an additional layer of security and eliminates the need for merchants, digital wallet operators or others to store account numbers. Tokens are randomized substitutes for payment cards; tokens are valueless if compromised.
“This continued transition from plastic cards to digital is all about providing consumers with the ability to easily and safely make a purchase,” says Ed McLaughlin, chief emerging payments officer for MasterCard. “They would no longer need to store their actual card account number when shopping online or with a smart device. The token would serve as that stand-in.”
If implemented, card issuers, merchants and digital wallet providers would use the token, not the traditional card account number, to process, authorize, clear and settle transactions in the same way traditional card payments are processed today.
The card companies say the idea is backed by many card issuers and merchants, and that those parties also provided input on creating the tokenization standard. In the coming weeks the card companies will present the concept to several key organizations, including the PCI Security Standards Council. The PCI Security Standards Council develops and maintains Payment Card Industry Data Security Standards—a set of rules created by payment card networks to protect cardholder data.
Transforming card numbers into tokens is not a new payment security practice. Retailers frequently change payment card data and numbers into randomized codes in an effort to comply with PCI rules. Retailers who do not comply with those rules can be fined heavily by card companies, especially if they experience a security breach and are found to be non-compliant.
TV and Internet retailer ShopNBC.com last year added tokenization to more easily meet those standards. Before using tokens ShopNBC had kept access to encrypted credit card data in-house. And that required a large number of servers that had to be maintained and PCI-compliant, says Joan Radtke, senior director of credit at ShopNBC. The retailer wanted to use tokenization to add another layer of payment security, but it knew that doing so would be a large project that would require a lot of manpower. So the retailer outsourced the job to payment processor Litle & Co.
Today ShopNBC’s servers never receive credit card numbers. Instead, when a customer enters his card data, Litle & Co. receives the payment information, stores and processes the payment card information, and creates a token assigned to that card that it then sends to ShopNBC. The token effectively substitutes payment card information with a code that is valueless if ShopNBC’s systems are compromised. The retailer says the move reduced the number of ShopNBC servers that had to be PCI-compliant and has helped cut its PCI-compliance costs in half.
Other recent advancements in mobile technology could lead to more secure mobile transactions, and potentially encourage more consumers to purchase via their smartphones. For example, the just-released iPhone 5s now comes equipped with a fingerprint reader. Experts say this biometric technology could drive payments if Apple Inc. enables app developers, such as retailers or operators of mobile payments apps such as eBay’s PayPal Here, to access the fingerprint image for authentication and payment.
Research from the Federal Reserve finds that 49% of consumers who do not use their smartphones for banking cite security concerns as the main reason. A survey on mobile and biometrics from Javelin Strategy and Research finds fingerprint recognition as the preferred mobile identification method by consumers (61%) followed by iris scan (27%) and voice recognition (24%).