American Express has taken steps toward relieving retailers of the burden of storing payment-card data with the announcement of its American Express Token Service.
The service will replace traditional 16-digit credit card numbers with a digital token. Consumers carrying a card supporting the token will be able to make purchases online, with a mobile application, or in person via Near Field Communication (NFC) devices.
“By using tokens, merchants and digital wallet operators will no longer need to store consumers’ sensitive payment account information in their systems,” American Express said in a statement today. “In addition, tokens can be assigned for use with a specific merchant, transaction type or payment device to provide further protection against fraud.”
With retailers staring down an October 2015 deadline to support chip-and-PIN credit payments while bearing the weight of crushing data breaches, the push to strengthen credit card transactions comes just in time.
Based on the EMV Payment Tokenization Specification, American Express’ service includes provisions to manage the lifetime of a token. The service includes a vault that can be used not only to store tokens, but also to map them to account numbers. Using the service, a token can be created, suspended, resumed or deleted. AmEx said it will also offer additional fraud and risk management services, including authorization and payment validation capabilities for banks issuing cards.
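The vault, the four lifecycle operations and the per-merchant restriction mentioned in the American Express statement can be sketched as follows. This is an added example, not code from American Express or from the EMV specification; the class, method names and merchant identifiers are hypothetical, and the token format (random digits of the same length as the account number) is a simplifying assumption.

```python
# Illustrative toy vault; not the EMV specification or American Express's implementation.
import secrets

ACTIVE, SUSPENDED, DELETED = "active", "suspended", "deleted"


class TokenError(Exception):
    """Raised when a token cannot be used for the requested operation."""


class TokenVault:
    """Maps random tokens to account numbers and tracks each token's lifecycle."""

    def __init__(self):
        self._entries = {}  # token -> {"pan", "merchant", "state"}

    def create(self, pan, merchant):
        # Random digits: the token has no mathematical relationship to the PAN.
        while True:
            token = "".join(secrets.choice("0123456789") for _ in pan)
            if token != pan and token not in self._entries:
                break
        self._entries[token] = {"pan": pan, "merchant": merchant, "state": ACTIVE}
        return token

    def _entry(self, token):
        entry = self._entries.get(token)
        if entry is None or entry["state"] == DELETED:
            raise TokenError("unknown token")
        return entry

    def suspend(self, token):
        self._entry(token)["state"] = SUSPENDED

    def resume(self, token):
        self._entry(token)["state"] = ACTIVE

    def delete(self, token):
        # Drop the stored account number so the token can never resolve again.
        self._entry(token).update(state=DELETED, pan=None)

    def detokenize(self, token, merchant):
        entry = self._entry(token)
        if entry["state"] != ACTIVE:
            raise TokenError("token suspended")
        if entry["merchant"] != merchant:
            raise TokenError("token not valid for this merchant")
        return entry["pan"]
```

Only the vault can turn a token back into an account number, so a token copied from one merchant's systems resolves nowhere else, and suspending or deleting it takes effect without reissuing the card.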
The service will be available in the U.S. and internationally starting next year.
Tokenization has drawn comparisons to encryption, but tokenization doesn’t carry the same expense and complexity that encryption does. With tokenization, for example, a credit card number is replaced with symbols that carry the same value as the payment card data, but the real number is not stored on the payment terminal or device. Tokens, for instance, are applicable only to particular transactions and merchants and won’t be reused.
This dynamic lessens the chance for fraud and also helps smaller, less-resourced merchants meet their compliance obligations under the Payment Card Industry Data Security Standard. Such services will also facilitate the development of mobile payment applications; Apple Pay, available on the iPhone 6, has already put others on notice that mobile payment apps are close to mainstream.
To help support such future endeavors, American Express announced that it has developed network specifications for Host Card Emulation (HCE), which provides security options for NFC devices on Android, starting with KitKat.
“With HCE, card issuers use a secure cloud server to store their customers’ card account details, which can be transmitted from the cloud server to an NFC-enabled mobile device and then to a Point-of-Sale terminal in a fast, secure manner. American Express’ HCE specifications are available today globally,” American Express said.