Are 'tokens' the future of payment security?


Are you concerned about the security of your debit and credit card information when you make purchases? As retailer data breaches dominate headlines, many consumers are.

But high-tech help could be on the way in the form of a new payment system industry that insiders say will keep your credit and debit card numbers safer. It's called "tokenization," and experts predict it's the next big thing in payment security.

It all started with a text college student Chandler Nason got from her parents asking if she had spent hundreds of dollars on video games.

"And of course I was like 'No, I didn't,'" Nason said.

It turns out Nason was a victim of credit card fraud. Even though she wasn't liable for the tab, she said it was a headache to dispute the charges and replace the card.

"I was pretty frustrated when I found out that my information had been stolen," Nason said.

Fraud frustrations could soon be minimized, experts say, by implementing tokenization. It's designed to work when you pay with plastic in person, online or through your phone.

The credit or debit card processor substitutes your account number with a "token" and sends that token to the retailer instead.

"A token is a piece of information, an algorithm if you will, numbers and symbols, that represent a card account number," said Jason Oxman with the Electronic Transactions Association.

He explained that a token is a secret code, valid for a limited time. And when they're used, only banks and payment processors know your real account info. That means retailers will no longer have access to card account numbers

"It means that even if somebody is able to breach a retailer and get access to those systems, all they'd be able to see are these single use tokens that don't allow them to produce counterfeit cards or do anything else to steal account information," Oxman said.

Eight million merchants in the U.S. accept credit and debit cards but not all are using tokenization. That's because right now, banks, major credit card issuers, payment processors and merchants are working together to create a standardized system.

"We anticipate that tokenization technology will be very widespread around the world in the coming months," Oxman said. "It requires a partnership among payments companies and retailers."

But some payment companies are already using tokenization. With the mobile system, you enter your credit card info into an app and when you pay at a merchant that accepts the app, you just enter the bill amount into your phone. The app then sends you a token. It's a series of numbers and a bar code for the merchant to scan, and your payment is made.  

As for your credit card information?

 "It's never present in the merchant system," said Doug Dwyre of Mocapay. "It's never present over the air, or on the mobile handset."

When you pay with a debit or credit card, most of the time tokenization will just be working behind the scenes; you won't see the secret code.

Nason said whether she can see the secret code or not, she hopes it will mean a more secure future for her credit card.

"I feel like I should be able to use it online, in the store, wherever, and not really have to worry about my information being taken," Nason said.

Dwyre said there is no way to decode the tokens, and there's no mathematical formula that can be reversed to figure out the credit card number. He also pointed out banks and credit card processors, who will have access to credit card account numbers, make tremendous efforts to keep that information secure.