Protecting women’s identities through mobile tokenisation

Mobile technology is being used to change lives and bring new solutions and services to underserved communities. According to the GSMA’s Mobile Gender Gap Report 2021, 143 million fewer women than men own a mobile across low- and middle-income countries (LMICs), and women are 15% less likely than men to use mobile internet.

Access to mobile phones and services can have a positive impact on women’s lives, contributing to the UN Sustainable Development Goal 5 focusing on gender equality and women’s empowerment, and can also provide economic benefits to the mobile industry and the wider economy. However, women are being left behind as various barriers as well as social norms keep them from accessing and using mobile technology at the same rate as men. Research has consistently shown that safety and security concerns related to mobile are key barriers which women tend to experience more acutely than men.

Issues are wide ranging and include mobile-related harassment, theft, fraud and security, which inhibit women from benefitting from or even wanting to use a mobile. A key concern is unsolicited phone calls and text messages, which some women receive as a result of their mobile numbers being misused by agents or at points of sale. In LMICs, customers’ phone numbers are commonly shared with the agent or merchant when they purchase airtime or use mobile money, as their mobile phone number is typically also their mobile money account number.

Mobile-related security issues can be improved through tokenisation, a process of replacing sensitive data with a unique string of numbers, which has been successfully implemented in other industries.

As well as benefitting customers, solutions such as these can also improve customer acquisition, ARPU and retention for mobile operators.

The basics of tokenisation technology

The technology behind tokenisation has been an essential aspect of most payment and commerce processes by enabling simpler and secure payments on various devices. The tokens may represent card numbers, account details and phone numbers, among other confidential data, and can be used for a range of functions from traditional eCommerce to in-app payments.

There are two approaches to tokenising information: vault and vaultless tokenisation. The vaultless option utilises secure cryptographic devices, which use standards-based algorithms to convert sensitive data into non-sensitive data or to generate tokens.

Meanwhile, vault tokenisation involves storing the tokens and original data in a secure vault. Tokens serve as a reference to the original data but cannot be used to derive that data. The token vault, which stores the relationship between the sensitive value and the token, can be queried as a secure service. The token value can be used in various applications as a substitute for the original data.

Tokenisation became common practice within the acquiring industry following the Payment Card Industry Data Security Standard (PCI DSS), whereby companies, including merchants, that process, store or transmit credit card information are required to maintain a secure environment. In addition to security, tokenisation enables merchants to keep tokenised card records to facilitate repeat transactions. This solution has been successfully used by card issuers such as Visa and MasterCard. However, it is not limited to cards. Increasingly, tokens are being used to secure other types of sensitive or personally identifiable information.

Taking tokenisation beyond the common use case of payments

In the context of mobile money, the phone number represents the user’s contact details and mobile money account. When discussing mobile money accounts, the technology can be leveraged to allow a mobile device to use a service token that replaces a user’s mobile account information such as their contact details. The mobile money user may generate a token via a USSD menu or through an app integration. Generated tokens can be single- or multi-use. A single-use token can only be used for a single transaction; for instance, the user would be required to generate a new token each time they visited the agent or the merchant. A multi-use token can be used for various transactions, which is beneficial for recurring transactions: the user presents the same token in various environments. Single-use tokens benefit from added security, as a new token is issued for each new transaction, while a multi-use token offers greater convenience, as there is no need to request a new token for each transaction.

Tokenisation has been commonly applied to mobile payments; however, the utility of this technology is extending to security in other services. To address safety concerns, some mobile operators, including through the Vodafone Sakhi initiative, are offering various recharge services that allow users to purchase airtime anonymously without disclosing their mobile number. These initiatives are, however, found only in a few countries and mostly within the Asian region. Women’s security issues are, however, experienced more widely, and there is a benefit to both women and the mobile industry from ensuring access to such services is increased.

Making mobile use more secure: our project with MTN Ghana

In collaboration with GSMA Connected Women, MTN Ghana and other partners, the GSMA Inclusive Tech Lab is working on addressing women’s mobile-related security concerns by using tokenisation. The best part of a correctly implemented tokenisation system is that agents or merchants never see customers’ contact details. In addition, the power of tokenisation is that although the token is usable within its native application environment, it is completely useless elsewhere. For example, a token can be used to top up a woman’s mobile account; however, that token cannot be used to contact her.

1. Mobile Money account holder preparing to initiate a transaction.
2. Request token via mobile device.
3. Token generated.
4. Token ID presented to agent or merchant/tokenised payment.
5. Agent or merchant makes payment request sending token in lieu of MSISDN.

The Inclusive Tech Lab is designing a system to tokenise the mobile number, which will result in protection of the contact details and identity of customers. The tokens are issued in real time and used in various environments, including for cash-in, cash-out and person-to-person transfer use cases, and for merchant payments.

This system will be designed alongside a Mobile Network Operator, as the generated tokens will be linked to the user’s phone number. The generated token can be designed, if required, to use the same format as the phone number sequence in the chosen market so it can seamlessly replace MSISDNs in requests to mobile money platforms. The mobile account number is never compromised when tokenised, so there is little possibility that the token can be used for fraudulent activity.
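To make the vault model, the single-use versus multi-use distinction and the phone-number-shaped token concrete, here is a small sketch added for illustration; it is not the Inclusive Tech Lab's or MTN's code. The names `TokenVault` and `cash_in`, the reserved `0999` prefix, the five-minute expiry and the sample number are all assumptions made for the example.

```python
import secrets
import time

class TokenVault:
    """Operator-side vault: the only place a token maps back to an MSISDN."""

    def __init__(self, prefix="0999", ttl=300):
        self.prefix = prefix  # assumption: a range never allocated to subscribers
        self.ttl = ttl        # assumption: single-use tokens expire after ttl seconds
        self._records = {}    # token -> (msisdn, single_use, expiry or None)

    def issue(self, msisdn, single_use=True, now=None):
        now = time.time() if now is None else now
        width = len(msisdn) - len(self.prefix)
        while True:
            # Random digits from the OS CSPRNG; nothing is derived from the
            # MSISDN, so the token cannot be reversed without the vault.
            token = self.prefix + "".join(secrets.choice("0123456789") for _ in range(width))
            if token not in self._records:
                break
        self._records[token] = (msisdn, single_use, now + self.ttl if single_use else None)
        return token

    def redeem(self, token, now=None):
        """Resolve a token; returns the MSISDN, or None if unknown, expired or spent."""
        now = time.time() if now is None else now
        record = self._records.get(token)
        if record is None:
            return None
        msisdn, single_use, expiry = record
        if single_use:
            del self._records[token]  # burn before use so it cannot be replayed
            if now > expiry:
                return None
        return msisdn

def cash_in(vault, ledger, token, amount):
    """Platform handler for an agent request that carries a token in lieu of the MSISDN."""
    msisdn = vault.redeem(token)
    if msisdn is None:
        return {"status": "rejected", "token": token}
    ledger[msisdn] = ledger.get(msisdn, 0) + amount  # real account is credited internally
    return {"status": "ok", "token": token, "amount": amount}  # no MSISDN goes back to the agent

if __name__ == "__main__":
    vault, ledger = TokenVault(), {}
    token = vault.issue("0241234567")  # constructed sample number
    print(token, cash_in(vault, ledger, token, 20), cash_in(vault, ledger, token, 20))
```

The second `cash_in` call with the same single-use token is rejected, and the response the agent receives carries only the token, never the number held in the vault.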

The issue of security when accessing mobile technology remains an important barrier, especially for women, and this innovation has the potential to improve their lives by helping to reduce the fear associated with using mobile technology and allow them to take advantage of all the technology has to offer including access to financial services. The Lab will be releasing the code in the coming months so stay tuned to learn more as we pilot this solution with mobile network operators.