Visa Europe to Launch Tokenization ServiceFraud-Fighting Move Lays Foundation for Apple Pay
Visa Europe is set to debut in April a new mobile payments service that will tokenize payment card data. The move is designed to enable consumers to use their smart phones and wearable devices to securely pay retailers, and it could pave the way for the European rollout of Apple Pay.
See Also: 2021: A Cybersecurity Odyssey
"We've designed this flexible and scalable service, enabling issuers, merchants and acquirers to provide consumers with the next generation of innovative payment methods - all with the high level of security they expect," says Sandra Alzetta, Visa Europe's executive director of core products.
Tokenization refers to the practice of transmitting a unique, one-time token in place of card data whenever a transaction gets made. And unlike physical cards, Visa Europe notes that the use of a particular token can be restricted to certain types of scenarios. For example, banks might prohibit a token created for contactless payments from being used for online purposes.
Experts say that making tokenization mainstream, as well as implementing end-to-end encryption to secure data during transit, will be crucial for improving payment card security and combatting fraud (see Beyond EMV: Technology for Fighting Fraud).
Visa Europe is also expanding its peer-to-peer payments service, Visa Direct - formerly known as Visa Personal Payments - and says that by this summer, it will be available in 20 languages, support multiple currencies, and enable individuals to transfer money using only a recipient's mobile phone number. The service will also allow payments to be made via multiple social networks and messaging applications, including Facebook, Twitter, WhatsApp and LinkedIn.
Singapore-based Fastacash, which is partnering with Visa Europe to provide the social network payment feature, says it will be available to more than 500 million people across Europe. "We see this partnership with Visa Europe as the next step in bringing banks and end users closer in the often complicated process of money transfers," says Fastacash CEO and Chairman Vince Tallet.
Visa Europe notes that the peer-to-peer payments service will not be available in the United States or Japan. "Visa blocks incoming cross-border transfers due to local regulations for their respective countries," Visa Europe spokeswoman Rica Squires tells Information Security Media Group. The service will also not be available for any countries that are currently on the U.S. Department of the Treasury's Office of Foreign Assets Control - or OFAC - sanctions list, which lists countries to which payments are prohibited, for example because those countries promote terrorism or narcotics trafficking. All U.S. businesses and their foreign subsidiaries must abide by that list.
Tokenization Hits Europe
Experts have been predicting that many more merchants and banking institutions would soon begin using end-to-end encryption and tokenization, especially in the wake of EMVCo - which manages the EMV standard - releasing its specification for tokenized payments in March 2014, upon which Apple Pay is now based. "Tokenizing at the point of capture - that will be key going forward," payments expert Nathalie Reinelt, an analyst at consultancy Aite (see Why Merchants Embrace Tokenization), said in December.
The October 2014 launch of Apple Pay in the United States - and only there - was tied to U.S. card brands MasterCard, American Express and Visa Inc. - the former parent of Visa Europe - having introduced tokenized payment systems there, experts say.
In the run-up to the launch of Apple Pay, however, Apple CEO Tim Cook said the company was eying a rapid expansion of the service to the 66 countries that now offer NFC-compatible point-of-sale terminals. At the time, officials at Visa Europe and rival MasterCard also announced that they were eager to advance Apple Pay adoption in Europe (see Apple Pay: Global Expansion Planned).
To date, however, no new announcements have yet been made about Apple Pay's expansion in Europe. Steve Perry, Visa Europe's chief digital officer, tells Reuters that the card brand's approach parallels the one being taken by Visa in the United States - that led to the Apple Pay rollout there - although he declined to comment on any potential rollout plans in Europe, referring such questions to Apple. In response to a related query from Information Security Media Group, Apple declined to comment.
While Visa Europe's Squires declined to comment on any questions related to Apple Pay, she notes that Visa Europe will now be able to support a range of new services. "The tokenization program we announced today will support a variety of mobile payment solutions - as well as has the potential to support a variety of other digital payment solutions in the future," she says.
As the launch of Apple Pay highlights, tokenization is also taking off in the United States. It also was mentioned at this month's White House cybersecurity summit at Stanford University, which highlighted a number of payments-related private-sector initiatives, as well as enhanced security for federally issued debit and credit cards (see Payment Security Initiatives Unveiled).
Security experts say the increased use of tokenization and encryption is essential for increasing card security and may one day help mitigate the seemingly nonstop pace of data breaches that involve the theft of payment card data.
The White House has announced a Buy Secure initiative requiring that all government-issued cards be compatible with the EMV standard. While EMV-compatible cards have long been in widespread use in Europe, their use in the United States remains relatively scant. But critics say the summit failed to address some ongoing industry concerns, including how tokenization might be best standardized to meet the needs of all industries (see Did Obama's Cyber Summit Miss the Mark?).
In particular, Liz Garner, vice president of the U.S.-based trade association Merchant Advisory Group, says that merchants have continuing concerns about the EMVCo standard, which they note has been designed by card brands, and which isn't interoperable with other standards. To date, furthermore, Visa and MasterCard have only committed to offering tokenization for mobile and contactless payments, despite the fact that the vast majority of breaches involve contact-card data.