The push towards tokenization removes the need for online retailers to store customer card details

Credit card firms in Australia are shifting towards a tokenization model, with both Visa and American Express making announcements in the last few days.

Visa has persuaded payment firms CyberSource, Adyen, Rambus, G+D Mobile Security, SecureCo, Ezidebit, eWay, and Bambora to sign up to its credential-on-file (COF) tokenization technology, acting as gateways to connect to the Visa Token Service.

The switch – which will remove the need for online merchants to store their customers’ payment details in their own systems – will come into effect over the next few months, and will also be rolled out worldwide.

“Tokens are a powerful new front in the ongoing fight against payment fraud because they effectively remove sensitive personal account details from the payment process, protecting consumer data, and enabling secure payments across all new digital payment experiences,” Mike Lemberger, senior vice president of product solutions for Visa Europe, tells The Daily Swig.

Meanwhile, American Express Australia has announced a similar deal with Rambus. “Fraud continues to rise for e-commerce transactions, and we need to give consumers more secure payment methods without compromising usability,” says the company’s Jerome Nadel.

And Mastercard has said it plans to start rolling out new tokenization and authentication services through its EMVCo Secure Remote Commerce (SRC) framework in the second half of next year, with the company aiming to enable token services on all cards by 2020.

The initiatives follow calls from the Reserve Bank of Australia to reduce the amount of online credit card fraud in the country, believed to total as much as A$425 million (US$301 million) last year.

“The existing SWIFT infrastructure has been shown to have many risks, and a move towards tokenization will reduce these risks, as there are enhanced security and auditing methods applied to each transaction,” Bill Buchanan, a professor in the School of Computing at Edinburgh Napier University, tells The Daily Swig.

Breach damage reduction

Using tokenization, customers’ card details such as account numbers and expiry dates are replaced with tokens – unique digital identifiers that aren’t stored each time a consumer makes a purchase.

The idea is that by removing this sensitive information from merchants’ systems, the damage caused by data breaches is greatly reduced.

The move is being welcomed by security experts – some of whom see it as long overdue.

“As a general comment, I’d like to point out that the technology has long been available,” Martijn Grooten, security expert and editor of Virus Bulletin, tells The Daily Swig.

“I can log in to many services using Facebook, without having to share my Facebook credentials, or anything else that give access to anything else, with the service.

“The same is now applied to credit cards: you can essentially authorize a website or other service to charge your credit card, without it having to store the card details. That makes the damage of a potential breach, which is hard to 100% avoid, much smaller.”

The news comes as payment processors around the world continue to introduce new methods to help consumers protect their cash.

Mastercard is currently trialing cardless ATMs in the US, allowing customers to withdraw cash using only a cell phone.

RELATED Australia pushes ahead with anti-encryption bill