
Tokenization in Russia: How the “safe” technology of contactless payments from Visa and Mastercard will work

By the end of 2016, the Apple Pay, Samsung Pay and Android Pay mobile payment applications, which are based on contactless technology, are expected to start working in Russia. This will become possible after Visa and Mastercard, together with the National Payment Card System, introduce a tokenization service in the country, according to Vedomosti. We decided to look in more detail at what kind of system this is, how it works and what, ultimately, it is good for.








What it is



Let's start with the terms. The linked article does not explain the essence of the technology very clearly. Yes, there is a reference number (the token) by which the seller's service identifies the customer and initiates the money transfer. Basically, a token is something of very low value that stands in for something of high value, just as a casino chip stands for cash, Kaushik Roy writes in The Sequent blog.



In electronic payment systems, tokenization has been used to reduce security risks in the collection and transmission of important data, for example a card's primary account number (PAN). In mobile commerce, it made contactless payments possible.

The end user cares, in essence, only about the convenience of payments and the safety of the funds in a bank account. But tokenization was originally designed for the rapidly growing mobile commerce market. In 2014, when payment services began actively introducing the new technology, analysts at eMarketer predicted that this e-commerce segment would grow by a third in 2015. Goldman Sachs predicted that its volume would increase to $626 billion by 2018.



The growth of the market was held back only by customers' distrust of mobile payment systems. In response to this demand, the EMV association (Europay, Visa and Mastercard) developed its technical standard in early 2014.



How it will work



Here's how tokenization is explained in the blog of API developer Jay Manciocchi at Mashery: “Tokenization involves the process of replacing “sensitive” financial data elements with their digital and “non-sensitive” equivalents (tokens), which by themselves have no value and cannot be used by intruders. Tokens can be created through mathematical formulas or through alphanumeric random generators. They are designed to protect any personal information, any financial transactions, including trading on the exchange.”



Instead of transferring financial data directly, mobile payment platforms will use tokens to confirm payment. Since neither the tokens nor the process of generating them contains any meaningful financial information, this method of payment is considered the most reliable currently available in m-commerce. Reverse-engineering a token back into, for example, a PAN is impossible, says the author of the Securosis blog.



How does all this really work? When you enter your bank card information on the merchant's website, it is sent to a secure network gateway and a special reader that creates a token to complete the transaction. If the seller’s site is hacked, what is stored there will be useless to the hackers: it contains no real card data. All the original information resides in a secure data repository; roughly speaking, in the "cloud".



Besides the payment systems themselves, which are actively promoting the new approach and trying to expand the geography of its use, tokenization also benefits banks and sellers of goods or services. This is not only a matter of security and of attracting customers who are sensitive to the topic. They also retain a customer tracking channel, which can be included in loyalty programs.



The latest EMV specification leaves them this opportunity. In this scheme, the last 4 digits of the PAN are not necessarily permanently tokenized. Therefore, banks and sellers can still monitor the actions of consumers of their goods and services.



Another advantage of tokenization for a commercial company is that it will spend less money on securing money transfers. For small and medium-sized trading companies, this is a big relief. Payment system standards (PCI) prohibit storing credit card information on retailers' payment terminals or in their databases after a transaction. To take part in this system, a seller used to be obliged to install expensive operational encryption systems. Now it is enough to outsource this process to an operator that provides tokenization services.



How far all these advantages of the new technology, and its providers' assurances of complete security, correspond to reality is something Russian users will be able to find out very soon.






Source: https://habr.com/ru/post/307642/


