The Art of Tokenization for Secure Digital Payments

Lance Homer

The 2018 Money 20/20 USA conference provides annual proof of the transformations taking place in the financial industry, with payments and platforms being one of the key themes. Technology provides us with daily benefits. Our connected, cashless economy relies upon secure transmission of card payment information for near-instantaneous transactions worldwide. Credit and debit cards are the handiest and most valuable tools you have in your pocket. To successfully contend with the increasing volumes of digital payments and remain competitive, merchants, card providers and third-party services are moving en masse to the cloud. The cloud offers scalability and flexibility to support the cyclic nature of demand, and does so with proven benefits in the areas of capital expenditures (CapEx) and operating expenses (OpEx).

Credit card security is continually improving with the help of technology. EMV cards, also known as chip cards, make it difficult to counterfeit credit cards. Having thus been thwarted, fraudsters have changed their focus and now pursue online fraud with greater intensity. Volumes of poorly-protected customer and card data widely distributed across thousands of cloud environments give them a multitude of global targets. A recent Business Insider article about high-profile data breaches testifies to cyber attack success in 2018.

Adopt tokenization for improved security

To remedy this embarrassment and bring a greater degree of security, the payment card industry as well as real-time payment platforms are moving to tokenization: a process by which a surrogate value, a series of randomly generated digits known as a “token,” replaces the primary account number (PAN). Tokenization is primarily intended to defend against online fraud and digital breaches. With tokenization, credit card and checking account details are never exposed to the systems that handle the token, and a token on its own has no value to a cyberthief because it cannot be reversed to the account number without the tokenization service. Tokens can therefore be transmitted via the internet or wireless networks to process digital payments.

Tokenization has benefits beyond securely transacting digital payments. In the context of cloud payment environments, tokenization:

  • Allows merchants to securely keep credit cards on file to simplify future transactions.
  • Enables new payment solutions such as online single-click checkout and mobile wallets that use near-field communications (NFC).
  • Reduces the scope of PCI DSS compliance by minimizing the number of systems accessing credit card information.
  • When centrally managed, as explained below, it offers a more cost-effective means of securing payment information.
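The following is an added illustration, not code from the original post or from any product it describes, of the tokenization model just outlined: a token vault hands out a random surrogate for each card number, keeps only an encrypted copy of the real PAN, and holds no key of its own, so the encryption key lives in a separate component (a stand-in for an HSM), which is the key-separation point the post returns to later. The `KeyService`, `TokenVault`, and the HMAC-based stand-in cipher are assumptions made for this example; a real deployment would use AES-GCM inside an HSM rather than a stdlib construction. The card number is the well-known Visa test value, not a real account.

```python
import hashlib
import hmac
import secrets


def luhn_valid(pan: str) -> bool:
    """Luhn check on a digit string, so malformed input never reaches the vault."""
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class KeyService:
    """Stand-in for an HSM (assumption for this example): owns the data-encryption key
    and exposes only encrypt/decrypt, never the key itself.
    The cipher is an HMAC-SHA256 keystream plus an HMAC tag, chosen because the
    standard library has no AES; it is a teaching stand-in for AES-GCM."""

    def __init__(self) -> None:
        self._key = secrets.token_bytes(32)   # never leaves this object

    def _keystream(self, nonce: bytes, length: int) -> bytes:
        out = b""
        counter = 0
        while len(out) < length:
            block_input = nonce + counter.to_bytes(4, "big")
            out += hmac.new(self._key, block_input, hashlib.sha256).digest()
            counter += 1
        return out[:length]

    def encrypt(self, plaintext: bytes) -> bytes:
        nonce = secrets.token_bytes(16)       # fresh per ciphertext
        stream = self._keystream(nonce, len(plaintext))
        ct = bytes(p ^ k for p, k in zip(plaintext, stream))
        tag = hmac.new(self._key, b"tag" + nonce + ct, hashlib.sha256).digest()
        return nonce + ct + tag

    def decrypt(self, blob: bytes) -> bytes:
        nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
        expected = hmac.new(self._key, b"tag" + nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("ciphertext tampered with or wrong key")
        stream = self._keystream(nonce, len(ct))
        return bytes(c ^ k for c, k in zip(ct, stream))


class TokenVault:
    """Maps tokens to encrypted PANs. The vault stores ciphertext only and holds no key,
    so a copy of the vault by itself reveals no card numbers."""

    def __init__(self, key_service: KeyService) -> None:
        self._keys = key_service
        self._store: dict[str, bytes] = {}

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a valid card number")
        while True:
            # Random surrogate: random digits plus the card's last four, so receipts and
            # card-on-file screens can still show "**** 1111". Nothing about the token is
            # derived from the PAN, so it cannot be reversed without the vault.
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if token != pan and token not in self._store:
                break
        self._store[token] = self._keys.encrypt(pan.encode())
        return token

    def detokenize(self, token: str) -> str:
        # Only an authorised component (the payment processor) should reach this path;
        # merchant systems keep the token and never call it. Unknown tokens raise KeyError.
        return self._keys.decrypt(self._store[token]).decode()

    def stores_plaintext(self, pan: str) -> bool:
        """Audit helper: does the raw PAN appear anywhere in the vault's storage?"""
        return any(pan.encode() in blob for blob in self._store.values())


def demo() -> dict:
    """Card-on-file flow: tokenize once, keep the token, detokenize only at processing time."""
    vault = TokenVault(KeyService())
    pan = "4111111111111111"            # constructed: standard Visa test number
    token = vault.tokenize(pan)
    return {"token": token, "recovered": vault.detokenize(token),
            "plaintext_in_vault": vault.stores_plaintext(pan)}
```

Two properties matter for the PCI DSS scope reduction claimed above: the merchant database ends up holding only tokens, and the vault's own storage holds only ciphertext whose key sits in a separate component, so neither store alone yields a card number.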

Tokenization challenges in hyper-connected multicloud environments

Although tokenization may appear to be a panacea for securing card and automated clearinghouse (ACH) payments, actual implementation can be challenging, particularly in multicloud environments. For years, many organizations depended upon hardware security modules (HSM) to manage encryption keys and handle tokenization. That worked well for point-of-sale to on-premise data center connections. But as interconnection of commerce networks becomes increasingly complex, the logistics and management of HSM-based tokenization in support of secure digital payments in the cloud become cumbersome for the following reasons:

  • Purchase, installation and provisioning of HSMs in multiple, widespread geographic data centers become untenable, especially when complying with data sovereignty laws. When so many cloud services are available on-demand, why be delayed by hardware installation?
  • Cloud-based HSM selection is typically done by your cloud provider. If you operate in a multicloud environment, your cybersecurity staff must learn several different HSM management tools. Given the shortage of cybersecurity skills, your team needs simplicity, not greater complexity.
  • The HSM selected by your cloud provider may not support PIN encryption, which is critical for digital payment transactions. You need an easily-deployable cloud service that handles all aspects of tokenization.

HSM as a Service is easily deployed in multicloud environments

The ideal solution to these logistic and management challenges is a centralized approach that provides HSM as a Service. Delivered as a cloud service and not dependent upon physical HSMs, it provides a single method, and a single set of management tools, for encryption keys and tokenization, regardless of where they are used. HSM as a Service delivers benefits to every party involved in payment transactions: customers, merchants, service providers and acquirers. The unique capabilities of HSM as a Service enable participants in the payment network to:

  • Support leading cloud environments, including AWS, Azure, Google, IBM and Oracle.
  • Manage the encryption keys separate from tokens or any other encrypted data, providing an added level of security against cyberattacks.
  • Employ modern, cloud-friendly RESTful APIs and an SDK for integration and development of new secure services, such as those promoted by Payment Services Directive (PSD2), to make data available to third parties.
  • Provide PIN-based encryption for credit and debit card transactions.
  • Eliminate the need for third-party tokenization services that can increase transaction costs.
  • Guarantee a secure tokenization process using Intel SGX that executes cryptographic and key management operations within the trust boundary of an Intel SGX enclave. Key material used in tokenization is never available in plaintext to any software component.
  • Handle transactions per second (TPS) of the largest payment firms via on-demand cloud scalability.

HSM as a Service is especially appealing for new entrants into the digital payment market, as well as for established firms that want to quickly expand into new geographic areas or markets. Unlike the traditional HSM approach to tokenization, HSM as a Service lowers the barriers to entry by eliminating the CapEx of purchasing and provisioning physical HSMs.

Tokenization at the digital edge

The ease of implementing HSM as a Service is further enhanced by the ability to provide tokenization at the digital edge, close to the cloud providers, services and financial technology (fintech) partners that participate in payment networks. Rich interconnectivity is provided by a global platform of data centers and business ecosystems that allow you to securely deploy, directly connect and effectively scale your digital infrastructure. Ease of interconnectivity, reduced latency for optimum performance and the ability to comply with data sovereignty laws, such as those specified by GDPR, are key benefits derived from a global interconnectivity platform.

HSM as a Service and global interconnectivity via SmartKey and Platform Equinix

HSM as a Service is available as Equinix SmartKey, a global, cloud-based, secure key management and cryptography service. It provides key storage, encryption and tokenization and easily scales to meet the most demanding digital payment transaction volumes.

SmartKey is offered on cloud-neutral Platform Equinix, which connects digital businesses physically and virtually around the world. Platform Equinix provides an advanced portfolio of digital services and ecosystems, including private network backbones, to prevent downtime and securely scale your digital infrastructure to support secure digital payments.

If you’re questioning the security of your digital payment transactions and your data security team is already stretched by demands to protect against cyber threats, learn more about Equinix SmartKey to see if SmartKey can provide centrally-managed secure tokenization across your payment network.

Are you attending Money 20/20? Visit Equinix in Booth 1772. We’d welcome the opportunity to talk digital payments and show how a single, centralized approach to tokenization can improve security without taking on greater operational complexity.