Originally published on CUInsight.com
Update 7/12/16: An earlier version of this article claimed Samsung Pay did not use tokenization. They do, my mistake! Corrected. (CUInsight version not updated)
A family friend was in town this past week. She is part of the Boomer generation, so, a user of new tech, but semi-begrudgingly. At one point, we discussed how her Android phone supported mobile payment. “It’s easier and more secure for you!” I explained to her. “You’ll never need to go through the hassle of getting a new card number again!” Her response? “Yeah, still wouldn’t bother. I’d prefer to just swipe.”
This is the type of apathy you’re facing. She didn’t grow up in a world of data security breaches, and considers a reissued credit card “par for the course”. It’s not that she doesn’t believe me when I tell her that mobile payment is vastly better. She just doesn’t care.
Maybe I framed it wrong. We all do, using terms like tokenization instead of just calling it what it is: a security update for your credit card. So what is tokenization (To-Ken-I-Zeh-Shun)? Besides a big, scary word, of course. It’s always thrown around when mobile payments are discussed, but a recent survey shows understanding is lacking. Nearly a third of people admit to not knowing what it means, and almost half say that it wouldn’t encourage them to use mobile payments. My interpretation: that latter group doesn’t grasp what it is either, but is afraid to admit it. So, what is it and why should you care? Tokenization describes how your card number is handled during the transaction. Still fuzzy? That’s ok.
Here’s how a normal purchase works (greatly simplified and leaving out the payment processor):
1. Swipe at terminal (or type number on computer).
2. The number on the front of your card goes to the merchant.
3. Merchant asks credit card issuer (your credit union or bank) if the number is good.
4. Bank or credit union looks at the number and gives a “yea or nay”.
5. Merchant keeps your name and card number so they know who you are when you buy again.
As you can see, the number on your card passes through multiple hands, and even stays with some. While your financial institution guards the number, others along the line may not. This is how major breaches occur. Bad actors break into these non-bank systems and steal the list of names and numbers, then sell them on the black market. Sometimes they lie in wait, gathering new numbers for months before anyone even notices. Then, the numbers are sold or posted online, and that’s when your frustrations begin.
Here’s how a tokenized mobile payment works:
1. When you add a card to your phone’s “wallet”, it asks your bank or credit union to verify your identity.
2. Your issuer then creates a new number just for mobile payments (which you never see).
3. Upon paying with your phone, a fingerprint is required to show it’s really you.
4. The phone then uses your “mobile payment” number to make another one-time-use number and sends that to the merchant.
5. The merchant asks your bank or credit union if this number is good, but learns nothing from it, since it will never be used again.
The number on your card never leaves your possession. Best part of this? If every one of those systems was hacked, your card number would still be safe. The issuer just makes a new “mobile payment” number for you, and that’s it. No canceling accounts, changing numbers, or mailing cards. In fact, it might happen without you ever knowing. Think of it like a security update for your credit card.
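For readers who want to see the five steps in code, here is a simplified model added for illustration; it is not code from any wallet or issuer. It assumes an HMAC over a counter and the amount as a stand-in for the real one-time-use number, and the names `Issuer`, `Phone` and `one_time_code` are hypothetical.

```python
import hashlib, hmac, secrets
CARD_NUMBER = "4111111111111111"  # constructed test number, not a real account

def one_time_code(key, counter, cents):
    # Stand-in for the one-time-use number: HMAC over a counter and the amount.
    return hmac.new(key, f"{counter}:{cents}".encode(), hashlib.sha256).hexdigest()[:16]

class Issuer:
    # Bank or credit union: the only party that can map a token to a card.
    def __init__(self):
        self.vault = {}  # token -> card number, shared key, last counter seen

    def provision(self, card_number):
        # Steps 1-2: identity check assumed done; create the "mobile payment" number.
        token = "9" + "".join(secrets.choice("0123456789") for _ in range(15))
        key = secrets.token_bytes(32)
        self.vault[token] = {"card": card_number, "key": key, "last": 0}
        return token, key

    def authorize(self, msg):
        # Step 5: recompute the code; reject unknown tokens, bad codes and replays.
        entry = self.vault.get(msg["token"])
        if entry is None or msg["counter"] <= entry["last"]:
            return False
        expected = one_time_code(entry["key"], msg["counter"], msg["cents"])
        if not hmac.compare_digest(expected, msg["code"]):
            return False
        entry["last"] = msg["counter"]
        return True

    def reissue(self, old_token):
        # After a breach: retire the token, keep the same card number.
        return self.provision(self.vault.pop(old_token)["card"])

class Phone:
    def __init__(self, token, key):
        self.token, self.key, self.counter = token, key, 0

    def pay(self, cents, fingerprint_ok):
        # Steps 3-4: require the user check, then derive a fresh code.
        if not fingerprint_ok:
            raise PermissionError("fingerprint check failed")
        self.counter += 1
        return {"token": self.token, "counter": self.counter, "cents": cents,
                "code": one_time_code(self.key, self.counter, cents)}

if __name__ == "__main__":
    issuer = Issuer()
    phone = Phone(*issuer.provision(CARD_NUMBER))
    msg = phone.pay(1250, fingerprint_ok=True)  # everything the merchant sees
    print(issuer.authorize(msg), issuer.authorize(msg))  # second call is a replay
```

The merchant only ever holds `msg`, which contains the token and a code the issuer accepts once; the card number stays in the issuer's vault.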
Tokenization isn’t scary. Swiping your card the old way is. Your credit union put a lot of work into supporting the mobile payment systems…growth will remain stagnant if only 1/4 see the value. Help your members live a safer financial life and spread the knowledge!