Tokenisation in Mobile Payment
The number of people making payments with their mobile devices continues to rise, and as such, greater protection against counterfeiting, fraud and identity theft is fundamental.
Enhanced security in mobile payment
One recent development in mobile payment security has been the introduction of tokenisation. Tokenisation replaces the 16-digit primary account number (PAN) on a credit or debit card with a substitute value, referred to as a token. This token is used in purchases, meaning the card holder’s sensitive information is not exposed. If a token is captured, it has limited value, greatly reducing the risk of fraud.
Tokenisation provides greater security by using domain restrictions. For example, if a token is issued to be used in an NFC mobile device, it can only be used in that particular channel and only from that particular device. Tokens can also be deactivated remotely, so if a mobile device is lost or stolen, the token stored within the device can be deactivated by the user with no impact on the original credit or debit card.
There are two main technology approaches to tokenisation when it comes to mobile contactless payments: Host Card Emulation (HCE) and SIM Secure Element (SE) based tokenisation. The key difference between the two approaches is where the tokens are stored.
- Host Card Emulation (HCE)
HCE payment applications handling the tokens reside in the handset host or the cloud and feature single-use or limited-use tokens, device fingerprinting and transaction risk analysis. The security of an HCE solution depends on managed risk at the device and on the payment system being ‘always online’, as the download of limited-use data ahead of a transaction requires connectivity.
- SIM Secure Element (SE)
The SIM Secure Element is a tamper-resistant hardware component that stores the payment application and tokenised payment data. It offers the same bank-grade security as integrated-chip payment cards. The tokens stored in a SIM Secure Element are multi-use tokens that are provisioned upon registering for the service and used for transactions throughout the lifetime of the payment product.
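The following is an added illustration, not code from GSMA or from any of the deployments described on this page, of the token-service behaviour the sections above describe: a vault that issues a substitute value for a PAN, binds it to a channel and a device (domain restriction), treats HCE-style tokens as limited-use and SE-style tokens as multi-use, and deactivates a token without touching the underlying card. The vault, token format and reason strings are constructed for the example.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Token:
    value: str                 # the substitute value the merchant terminal sees, not the PAN
    pan_ref: str               # opaque handle to the real PAN held only inside the vault
    channel: str               # domain restriction: the channel the token may be used in
    device_id: str             # domain restriction: the device the token was provisioned to
    uses_left: Optional[int]   # None = multi-use (SE style); integer = limited-use (HCE style)
    active: bool = True


class TokenVault:
    """Constructed token service: maps tokens back to PANs and enforces domain rules."""

    def __init__(self) -> None:
        self._pan_by_ref: Dict[str, str] = {}
        self._tokens: Dict[str, Token] = {}

    def issue(self, pan: str, channel: str, device_id: str, uses: Optional[int] = None) -> str:
        ref = secrets.token_hex(8)                 # the PAN itself never leaves the vault
        self._pan_by_ref[ref] = pan
        value = "".join(str(secrets.randbelow(10)) for _ in range(16))  # 16-digit substitute
        self._tokens[value] = Token(value, ref, channel, device_id, uses)
        return value

    def authorize(self, value: str, channel: str, device_id: str) -> Tuple[bool, str]:
        tok = self._tokens.get(value)
        if tok is None:
            return False, "unknown token"
        if not tok.active:
            return False, "token deactivated"          # lost/stolen device: token switched off
        if (tok.channel, tok.device_id) != (channel, device_id):
            return False, "outside token domain"       # captured token replayed elsewhere
        if tok.uses_left is not None:                  # HCE-style limited-use token
            if tok.uses_left == 0:
                return False, "limited-use token exhausted"
            tok.uses_left -= 1
        return True, "approved"

    def deactivate(self, value: str) -> bool:
        tok = self._tokens.get(value)
        if tok is None:
            return False
        tok.active = False                              # the card behind it stays usable
        return True
```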
For further information, GSMA members can download the GSMA SIM-Based Tokenisation Deployment Guidelines from InfoCentre2. Alternatively, you can download the GSMA SIM-Based Tokenisation Service Solution Brief.
A Technical Case Study: Tokenisation in France and Poland
This case study gives an account of the business and technical requirements that informed Orange’s and T-Mobile Poland’s design decisions, which interested parties can consult as a reference if they choose to implement a SIM-based tokenisation service.
The paper demonstrates a technical infrastructure that can be used to deploy a SIM-based tokenisation service in the French and Polish markets, together with the use cases driving the design of that infrastructure. It also provides low-level technical details such as use case messaging flows and Application Programming Interface (API) implementation examples.
The aim is to provide practical insight and a point of reference for operators and other ecosystem players involved in planning and implementing SIM-based tokenisation services.