Tokenization is a technology that plays a key role in protecting financial transactions, especially in the context of preventing carding (fraud using stolen bank card data). For educational purposes, I will discuss in detail what tokenization is, how it works, why it is effective against carding, and how it is used in popular systems such as Apple Pay, Google Pay, and others. I will also consider technical aspects, examples of attacks that tokenization prevents, and its limitations.
Tokenization effectively counteracts carding through the following mechanisms:
What is tokenization?
Tokenization is the process of replacing sensitive data, such as a bank card number (Primary Account Number, PAN), with a unique digital identifier called a token. A token is a random string of characters (usually numbers or alphanumeric codes) that does not contain the actual card data but can be used to perform transactions under certain conditions. The token is created and managed in a secure environment, typically using standards developed by EMVCo (a consortium of payment systems such as Visa, Mastercard, Amex, etc.).Main characteristics of the token:
- Uniqueness: The token is unique to a specific context (device, merchant, application, or transaction).
- Limited Scope: The token only works under certain conditions (e.g. on a specific device or at a specific merchant).
- No Sensitive Data: The token does not contain any information that could be used to restore the original card number without access to the secure tokenization system.
- Reversibility (for authorized systems): Only authorized systems (e.g. bank or payment system) can match the token with the real card number through secure servers.
How does tokenization protect against carding?
Carding is a type of fraud in which criminals use stolen bank card data (card number, CVV, expiration date) for unauthorized transactions, purchases or withdrawals. Such data is often obtained through:- Phishing (fake websites or emails).
- Skimming (devices that read data from the magnetic strip of a card).
- Hacking of merchant databases (card data leaks).
- Interception of data (for example, via unsecured Wi-Fi networks).
Tokenization effectively counteracts carding through the following mechanisms:
- Replacing sensitive data:
- The actual card number (PAN) is not transmitted or stored by merchants, apps or devices. Instead, a token is used, which is useless to fraudsters without access to the tokenization system.
- Example: If a hacker breaks into an online store's database, he will only receive tokens that cannot be used for purchases elsewhere.
- Contextual binding:
- Tokens are typically tied to a specific device, app, or merchant. For example, a token created for Apple Pay on an iPhone won't work on another device or app.
- This prevents the stolen token from being used in other systems or for other transactions.
- Dynamic cryptograms:
- For each transaction, a one-time code (cryptogram) can be generated, which confirms the legitimacy of the operation. Even if the token is intercepted, without the cryptogram it is useless.
- Example: In Apple Pay, each transaction is accompanied by a unique cryptogram created by the Secure Element chip.
- Reduced risk of leaks:
- Because actual card data is not stored by merchants or mobile apps, even major data breaches (like the Target incident in 2013) do not result in cards being compromised.
- Example: If a merchant's database is hacked, the scammers only receive tokens that they cannot use without additional data and access to the tokenization system.
- Limited time validity:
- Tokens can be one-time use or have a limited validity period. This reduces the risk of their reuse for fraudulent purposes.
- Additional authentication:
- Tokenization is often combined with biometric authentication (Face ID, Touch ID) or a PIN code, which makes unauthorized use of the token virtually impossible, even if the device is stolen.
Technical principles of tokenization
- Token generation:
- The token is created by a tokenization provider (e.g. Visa Token Service, Mastercard Digital Enablement Service) or a bank when a card is added to a mobile wallet or merchant system.
- The process includes:
- Card verification by the issuing bank.
- Generating a token in a secure environment (usually using an HSM – Hardware Security Module).
- Linking a token to a device or a merchant.
- Token storage:
- Tokens are stored in secure environments such as Secure Element (on Apple devices), Trusted Execution Environment (on Android), or cloud systems with HSM (in Google Pay).
- The actual card number is stored only in the tokenization provider's secure database, which is not accessible to merchants or applications.
- Transaction processing:
- When paying, the token and, if necessary, the cryptogram are transmitted via NFC (for contactless payments) or online (for Internet payments).
- The merchant sends the token to the payment system, which matches it with the actual card number and confirms the transaction.
- The actual card number is never given to the merchant.
- Safety standards:
- Tokenization complies with EMVCo, PCI DSS (Payment Card Industry Data Security Standard) and other security requirements.
- Encryption algorithms such as AES or RSA are used to protect data.
Application of tokenization in popular systems
1. Apple Pay
- Mechanism:
- When you add a card to Apple Pay, the device generates a unique token (Device Primary Account Number, DPAN), which is stored in the Secure Element, an isolated chip on the device.
- The actual card number is not stored on the device or on Apple servers.
- For each transaction, a dynamic cryptogram is created that confirms the legitimacy of the operation.
- Authentication:
- Transactions are confirmed via Face ID, Touch ID or PIN, preventing unauthorized use.
- Carding protection:
- Even if a fraudster intercepts the token, he will not be able to use it without access to the Secure Element and biometric authentication.
- The token is tied to a specific device, making it useless on other devices or systems.
- Example of carding scenario:
- The fraudster gains access to the token by hacking the POS terminal. Without the cryptogram and the device, the token is useless and the transaction is rejected.
2. Google Pay
- Mechanism:
- Google Pay uses tokenization via the cloud or local storage (Trusted Execution Environment on Android).
- When you add a card, a virtual card number is created, which replaces the PAN.
- Tokens can be stored in Google Cloud using HSM for protection.
- Authentication:
- Transactions are confirmed via biometrics, PIN or device unlocking.
- Carding protection:
- Tokens are tied to a device or Google account, preventing them from being used in other systems.
- Dynamic cryptograms ensure one-time transactions.
- Example of carding scenario:
- The fraudster intercepts the token via a phishing site. Without access to the device and the cryptogram, the token cannot be used for payment.
3. Samsung Pay
- Mechanism:
- Similar to Apple Pay, tokens are stored in a secure Samsung Knox environment or on a Secure Element chip.
- Supports NFC and MST (in some regions), which allows tokenization to be used even on older terminals.
- Carding protection:
- Tokens are tied to a device and transactions are confirmed by biometrics or PIN.
- Even if the token is stolen, it does not work without authentication and cryptogram.
4. Visa Token Service (VTS) и Mastercard Digital Enablement Service (MDES)
- Mechanism:
- Visa and Mastercard provide their own tokenization services that integrate with mobile wallets, banks and merchants.
- Tokens are created for specific devices, applications or merchants.
- Carding protection:
- Tokens do not contain actual card data and are limited in scope.
- Dynamic cryptograms are used for each transaction.
- Example of carding scenario:
- The fraudster obtains the token through a leak of the seller's data. The token cannot be used in another store or system, as it is tied to a specific seller.
5. PayPal and other online wallets
- Mechanism:
- PayPal uses tokenization to replace the card number with a unique identifier associated with a specific merchant.
- Actual card data is stored only on PayPal servers in a secure environment.
- Carding protection:
- If the merchant's data is leaked, the token cannot be used for other transactions as it is tied to a specific merchant.
- PayPal uses additional checks, such as 3D-Secure, to protect transactions.
6. Banking apps
- Many banks are implementing tokenization in their mobile applications to secure online and offline payments.
- Example: Sberbank, Tinkoff and other banks in Russia use tokenization for payments via NFC or online, replacing the card number with a token.
Examples of attacks prevented by tokenization
- Seller data leak:
- In 2013, hackers broke into Target and stole data from 40 million cards. If tokenization had been used, the stolen tokens would have been useless because they are tied to specific merchants and do not contain real data.
- Skimming:
- Fraudsters install skimmers on POS terminals or ATMs to read magnetic stripe data. Tokenization makes such data useless, as modern systems use tokens and cryptograms instead of magnetic stripe.
- Phishing:
- Fraudsters create fake websites that imitate payment pages. When using tokenization (for example, via Google Pay), the real card number is not entered, and the token cannot be used on other websites.
- Data interception:
- If an attacker intercepts transaction data over unsecured Wi-Fi, they will only receive the token and cryptogram, which cannot be reused.
Tokenization Limitations
- Infrastructure dependency:
- Tokenization requires support from devices, terminals, and payment systems. It may not be available in some regions or on older terminals.
- Example: Not all POS terminals in developing countries support NFC.
- Device vulnerabilities:
- If the device is not protected by a password or biometrics, a stolen device could theoretically be used for transactions (although this requires additional effort, such as bypassing the biometrics).
- Solution: Modern systems require authentication for every transaction.
- Limited compatibility:
- Tokens created for one system (for example, Apple Pay) do not work in others (Google Pay, Samsung Pay), which can create inconvenience for users.
- Tokenization provider dependency:
- If a tokenization system (such as Visa or Mastercard servers) is hacked, this could create risks. However, such systems are highly protected and such attacks are extremely rare.
- Online transaction restrictions:
- In some cases, tokenization is not used for online payments if the merchant does not support the relevant standards (e.g. 3D-Secure or EMVCo tokens).
An example of tokenization (using Apple Pay as an example)
- Adding a map:
- The user enters card details into the Wallet app on the iPhone.
- The data is sent to the issuing bank, which checks the card.
- The bank or tokenization provider (Visa/Mastercard) generates a token (DPAN) and sends it to the Secure Element on the device.
- Payment:
- When paying via NFC (for example, in a store), the iPhone transmits a token and a one-time cryptogram to the POS terminal.
- The terminal sends data to the payment system (Visa/Mastercard).
- The payment system compares the token with the real card number and confirms the transaction with the bank.
- Carding protection:
- If a fraudster intercepts the token, he will not be able to use it without the cryptogram and access to the Secure Element.
- If a token is stolen from a merchant's database, it is useless for other transactions.
The Future of Tokenization
Tokenization continues to evolve, expanding into new areas:- Tokenization for the Internet of Things (IoT): Devices such as smartwatches or cars are starting to use tokens for automated payments.
- Expanding into Online Payments: Tokenization is becoming the standard for online stores, replacing card entry.
- Blockchain Integration: Some projects are exploring tokenization in combination with blockchain technologies to improve transparency and security.
