Open Standards Opportunities: Tokenization and Ecommerce Security

Posted on July 1st, 2015

Tokenization may be the answer to some of the pain points in ecommerce today, including payment security, but open standards are needed to ensure widespread adoption.

The Web Payments Group of the W3C, an affirming partner in the OpenStand Principles, has been making progress on payment integration as part of the Open Web Platform and is doing a series of interviews on web payments. W3C’s Ian Jacobs interviewed Drew Jacobs and Tom Poole of Capital One, and Siva Narendra, CEO of Tyfone, probing into the vast potential of ecommerce and the open web, and the implications of tokenization to improve transaction security. The full transcript of this interview can be found here.

Drew Jacobs highlighted a number of “gaps and pain points across the value chain, from consumer, to merchant, to financial institution,” which include:

  1. Convoluted purchase processes
  2. Lengthy checkout
  3. Masses of data being submitted, without the guarantee of security
  4. Online credit card transactions that leverage less-secure static data.

While he acknowledged efforts to solve current dilemmas, citing vendors such as Amazon implementing one-click payments, he says they are seeing a trend toward tokenization.

Tokenization is a process flow similar to a checking system in banking, where the user is provided a token or placeholder (in digital terms, a meaningless sequence of numbers) by their financial institution. When a purchase is made, the user supplies that to the merchant, who then redeems it with the bank or credit-holder. This process is appealing for the same reasons as checking accounts; both the user and the merchant carry reduced liability with a tokenization system.

The problem, as Jacobs points out, is that tokenization is not a cohesive cross-channel solution. Without open standards, tokenization is simply one of many payment execution methods. Jacobs asserts, “Tokenization should not be a separate process from other forms of payments, we need a cohesive solution across channels.” He emphasized the need for collaborative development in order to ensure widespread voluntary adoption of a standard tokenization system.

Narendra agrees that much improvement is required for tokenization to be effective. One of the key areas that must be focused on is security. He states that,

“…there is a fraud rate of about .9% for ecommerce while it is .09% for other forms of transactions. So the fraud rate for ecommerce is 10 times what it is for non-ecommerce. There are a number of reasons for this, including the fact that passwords are not very effective. Tokenization, as Drew mentioned, is an important path for the future. But securely authenticating the right user is being provisioned the right token is necessary, otherwise criminals can steal tokens, too.”

Introducing more payment options will not solve the security and privacy problems involved in data sharing and online payments. Jacobs and Narendra agree that security and authentication for both the user and the transaction must be the first priority in order for tokenization to become the tenable, cohesive market solution.
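The token flow described earlier, together with the safeguard raised in the interview (a token is provisioned only to an authenticated user), as an added sketch that is not from the interview or from any W3C specification. The `TokenVault` class, its method names, the merchant binding, single-use redemption and the five-minute lifetime are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time


class TokenVault:
    """Issuer-side vault (hypothetical): maps opaque tokens to card numbers."""

    def __init__(self):
        self._users = {}   # user_id -> (salt, PBKDF2 hash of the user's secret)
        self._tokens = {}  # token -> record; the card number stays with the issuer

    @staticmethod
    def _kdf(secret, salt):
        return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)

    def enroll(self, user_id, secret):
        salt = secrets.token_bytes(16)
        self._users[user_id] = (salt, self._kdf(secret, salt))

    def provision(self, user_id, secret, pan, merchant_id, ttl=300):
        """Issue a token only after the user authenticates to the issuer."""
        salt, stored = self._users.get(user_id, (b"\0" * 16, b""))
        if not hmac.compare_digest(self._kdf(secret, salt), stored):
            raise PermissionError("user not authenticated; no token issued")
        token = secrets.token_hex(16)  # random: reveals nothing about the card
        self._tokens[token] = {"pan": pan, "merchant": merchant_id,
                               "expires": time.time() + ttl}
        return token

    def redeem(self, token, merchant_id):
        """Merchant presents the token to the issuer; True means approved."""
        rec = self._tokens.get(token)
        if rec is None or rec["expires"] < time.time():
            return False  # unknown, already used, or expired
        if rec["merchant"] != merchant_id:
            return False  # token presented by a merchant it was not issued for
        del self._tokens[token]  # single use: a replayed token finds nothing
        return True


def demo():
    """Constructed walk-through; 4111... is a standard test card number."""
    vault = TokenVault()
    vault.enroll("alice", "correct horse")
    tok = vault.provision("alice", "correct horse", "4111111111111111", "shop-a")
    return [vault.redeem(tok, "shop-b"), vault.redeem(tok, "shop-a"),
            vault.redeem(tok, "shop-a")]  # other merchant, first use, replay
```

The merchant handles only the random token, so a breach of the merchant's systems exposes no card numbers, and a token copied in transit is useless to any other merchant or after its first redemption.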

In response to this need, W3C is working on a Web Crypto API, which, Narendra explains, “gives developers access to cryptographic operations from JavaScript.” He continues,

“I think there’s an assumption in the browser community today that the only token that browsers will support is FIDO Alliance-based. But I think we need greater interoperability. We do need to be looking at secure elements, but chips in phones are not the only way to achieve that. There is a large existing infrastructure for security and we need to extend those capabilities to the Web to achieve scale and success.”

Tom Poole of Capital One identified a few key targets for more specific security improvement opportunities:

“There are three different levels where payments could be improved. The first involves adding support for secure storage of information, such as via a browser plug-in. An open standard would enable multiple providers of such plugins (and of course, browsers might provide their own solutions). The next level up is the “white label container” like Softcard that could provide consistency for payment scheme providers, but still allow for innovation. The third layer would be to build on something like Apple Pay, but that would mean very little differentiation and a single vendor would drive the normalization of payments. But I don’t think many people want to invest in that sort of centralized solution.”

There are opportunities at all three layers mentioned by Poole, but according to Jacobs, the most important reason for forming the working group is “the unique opportunity [for W3C] to provide underlying infrastructure standards that leverage existing work around tokenization. That is the biggest pain point for us today: tokenization doesn’t exist easily online, and we need greater security online. We think browsers can play a role in bringing this together. We also see opportunities around improved authentication and identification of the real user.”

The interview sheds light on yet another reason why open standards are critical to solving problems that impact each one of us. By working together and embracing essential principles for Open Standards development, we can unlock hidden potential and benefit global society. If you believe in the necessity of open standards, please Sign Your Name to voice your public support of the OpenStand Principles.
