E-commerce losses from online payment fraud were estimated at $41 billion globally in 2022, growing to $48 billion in 2023. Network tokenization has emerged as an indispensable element for e-commerce, revolutionizing how merchants balance seamless transactions with heightened security.
Network tokens offer unparalleled fraud protection by concealing sensitive card details at every transaction stage, boosting authorization rates, and reducing the risk of data breaches. A shift towards network tokenization would ensure a safer and more convenient customer experience and hold significant implications for the financial market.
As e-commerce continues to grow, the adoption of network tokenization is becoming a strategic imperative, prompting a fundamental change in how financial transactions are secured, processed, and optimized.
Jeremy Smillie, Vice President of Development, Security, and Operations at Exact Payments, can provide valuable insight into the significance of network tokenization in shaping the future of secure and efficient digital commerce. With over 17 years of IT experience, Jeremy Smillie is an expert in managing strict industry standards such as SOC, PIPEDA, CCPA, NIST, SANS, CIS, and more.
Early in his payments career, Jeremy worked with the first company in Canada to roll out EMV payments at gas pumps and integrated payments for in-store sales. He also worked closely with merchants to help them become PCI-DSS certified shortly after the introduction of the standards. As a former entrepreneur of a successful software development company, Jeremy applies a proactive, ITIL-based approach to ensure IT always meets the needs of the business.
Here is an excerpt from our interview with Jeremy Smillie:
1. How does network tokenization enhance fraud protection in the eCommerce industry, and what specific advantages does it offer compared to traditional security measures?
Tokenization replaces sensitive cardholder data with algorithmically generated data, so no card information is stored or transmitted, only randomized characters.
Unlike encryption, which can be reversed with the correct key, tokenization does not allow reverse engineering to obtain the original data from the token. This makes it a more robust method for protecting data at rest.
A key difference between a tokenized transaction and a typical credit card transaction is the fraud prevention mechanism; a credit card uses a static, never-changing CVV, whereas a token uses a dynamic CVV that changes for every transaction.
As a result, these payment tokens cannot be used by fraudsters in the event of data loss or breach — making this technology a secure means of storing cards for future transactions, as is the case in many SaaS or subscription-based businesses that run recurring payments.
There are different types of tokenization, including gateway, processor, and network tokenization.
Network tokens are created and ‘issued’ by the bank’s system (via the Visa or Mastercard network) rather than an external party, as with gateway or processor tokens. This means that the bank establishes the relationship between the token and the underlying cardholder account and can track all activity across the lifecycle of that token.
The end-to-end security journey that network tokenization offers by being tied to the Visa or Mastercard systems greatly reduces the risk of losing valuable card data due to malware, phishing attacks, and data breaches.
Network tokens can be integrated with additional security measures such as biometrics, two-factor authentication, and behavioral analytics. This layered security approach adds more barriers for a fraudster to overcome.
Some network tokens are created for single use or have a limited lifespan. Once used or expired, these tokens are invalid for further transactions, limiting the opportunity for fraudulent use.
2. Can you elaborate on how network tokenization contributes to higher approval rates and increased sales for businesses engaged in digital commerce?
About 3% of card declines are due to expired card data. Since the bank’s system creates and issues network tokens, the card data behind those tokens is always up-to-date. So, the tokens the merchant stores never have to be updated with the correct information. This results in higher approval rates, which effectively increases sales.
False declines occur when a legitimate transaction is rejected due to suspected fraud. Network tokenization, by providing additional security layers and accurate authentication, helps correctly identify legitimate transactions, thereby reducing the rate of false declines. This means more genuine transactions are successfully processed, increasing overall sales.
3. In what ways does the adoption of network tokenization revolutionize the balance between seamless transactions and heightened security, and how does it address the growing concern of data breaches in online payment transactions?
In the past, reduced customer satisfaction and increased friction have been the cost of heightened security. For example, customers may experience card declines due to mismatched data stored with the merchant versus the bank’s data on file. This frustrating experience for the customer accounts for a large percentage of churn in subscription-based businesses.
With network tokenization, the bank manages tokens and their associated data. When sellers go to run a transaction, token associations are automatically updated with the most current data. Sellers and their finance and billing teams benefit from an increase in authorization approvals while saving time previously spent on contacting cardholders to request updated card information on declined transactions. Cardholders benefit from a seamless experience without the need to log into a portal or respond to emails or phone calls to update card information.
Additionally, consumers will shop with the e-commerce businesses that offer the most seamless experience, which means giving them the ability to pay by card without introducing additional friction to the process, like repeatedly entering credit card numbers. With network tokenization, businesses give customers what they want by enabling one-click payments or allowing them to authorize future payments.
4. Considering the estimated growth in eCommerce losses from online payment fraud, how does network tokenization serve as a fundamental and strategic imperative for businesses navigating the evolving landscape of digital transactions?
Growth is essential for survival in eCommerce. By preventing fraud and increasing sales, technologies like network tokenization give eCommerce businesses the edge they need. Network tokenization has been shown to reduce fraud by 26%, making it imperative for online businesses concerned about protecting customer data and their reputation. Additionally, data from Visa and others cites a 2-3% increase in authorization approval rates for eCommerce transactions when using network tokens, effectively boosting sales to propel ahead of competitors.
5. In an earlier report, Phil Levy, CEO of Exact Payments, mentioned that network tokenization renders an account holder’s information useless if stolen. Could you provide more insights into how this significant fail-safe mechanism works and its implications for ensuring a safer customer experience in online transactions?
Network tokenization replaces sensitive card data across the entire payment ecosystem and lifecycle, meaning that the token is only valuable and useful to the parties involved in the payment process who can detokenize the data.
In tokenization, the association between the token and sensitive card data is securely maintained within a type of database called a token vault, protected with encryption measures. When a customer initiates a payment, the token is transmitted instead of any vulnerable card details.
The tokenization and detokenization processes are conducted in highly secure environments, often within the secure infrastructure of a payment processor or token service provider. This limits the exposure of sensitive data during the tokenization process itself.
Additionally, network tokens are often bound to specific merchants or types of transactions. For instance, a token generated for a credit card transaction with a particular retailer may only be valid for transactions with that retailer. This limits the token’s usability if it falls into the wrong hands.
Since the real credit card number or sensitive information is not transmitted or stored in the merchant’s systems during transactions, there’s significantly less risk of this data being stolen through data breaches or hacking attempts on the merchant side.
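The controls described in the interview (a vault that alone links token to card number, merchant binding, a value that changes per transaction, and token expiry) can be modelled in a few lines. This is an added illustration, not part of the interview and not the implementation used by Exact Payments, Visa or Mastercard; the class, method names, HMAC construction and decline strings are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time

# Illustrative model only: names, key handling and decline strings are assumptions.
class TokenVault:
    """Toy token vault: the only place where a token and a card number are linked."""

    def __init__(self):
        self._records = {}

    def tokenize(self, pan, merchant_id, ttl_seconds=3600, now=None):
        now = time.time() if now is None else now
        # Random digits: nothing about the card number can be derived from the token.
        token = "".join(secrets.choice("0123456789") for _ in range(16))
        self._records[token] = {
            "pan": pan, "merchant": merchant_id, "expires": now + ttl_seconds,
            "key": secrets.token_bytes(32), "issued": 0, "used": 0,
        }
        return token

    def _mac(self, rec, token, amount_cents, counter):
        msg = f"{token}|{rec['merchant']}|{amount_cents}|{counter}".encode()
        return hmac.new(rec["key"], msg, hashlib.sha256).hexdigest()[:16]

    def next_cryptogram(self, token, merchant_id, amount_cents):
        """Per-transaction value, issued only to the merchant the token is bound to."""
        rec = self._records.get(token)
        if rec is None or rec["merchant"] != merchant_id:
            raise PermissionError("token not issued to this merchant")
        rec["issued"] += 1
        return rec["issued"], self._mac(rec, token, amount_cents, rec["issued"])

    def authorize(self, token, merchant_id, amount_cents, counter, cryptogram, now=None):
        now = time.time() if now is None else now
        rec = self._records.get(token)
        if rec is None:
            return "declined: unknown token"
        if now >= rec["expires"]:
            return "declined: token expired"
        if merchant_id != rec["merchant"]:
            return "declined: wrong merchant"
        if counter <= rec["used"]:
            return "declined: cryptogram already used"
        if not hmac.compare_digest(cryptogram, self._mac(rec, token, amount_cents, counter)):
            return "declined: bad cryptogram"
        rec["used"] = counter
        return "approved"
```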