Understanding Tech: Why Credit Card Tokens Matter

Includes: AAPL, GOOG, MA, V
by: J. M. Manness


Credit card fraud amounts to over $11 billion globally.

EMVCo has set up a system of "Tokenization" to protect against fraud.

The article explains tokenization and how it works with digital wallets.

Europay, MasterCard (NYSE:MA), and Visa (NYSE:V) formed EMVCo, which

...exists to facilitate worldwide interoperability and acceptance of secure payment transactions. It accomplishes this by managing and evolving the EMV® Specifications and related testing processes.

While its original role was to develop standards for the interoperability of its members' payments systems, it now covers security issues as well.

Among other things, EMVCo provides the standards specifications for Tokenization, a new technology designed to greatly limit fraud.

Credit card Tokenization is in the news these days as it is one of the security technologies used by the new Apple Pay system by Apple, Inc. (NASDAQ:AAPL) that was announced September 9, along with their new iPhone 6 models.


In statistics for 2012, General Purpose cards (credit, debit, prepaid) registered 82.3 billion transactions for a value of $4.13 trillion in the U.S. The fraud rate for GP cards was 3.6 unauthorized transactions per 10,000, with a value rate of $8.27 per $10,000 spent. The report lists a value of approximately $5 billion in fraud for various GP cards. [statistics from The 2013 Federal Reserve Payments Study, Federal Reserve System]

Most of the cost of fraud is borne by the banks (63%), with a significant portion borne by the merchants (37%), according to the Nilson Report (Aug. 2013). Nilson notes that global fraud loss from credit and debit cards in 2012 was $11.2 billion.

So we can see that this is big money, and a problem to be solved.

Tokenization - how it works

The concept is very simple, although naturally, details get more complex. I outline first the simplest case. (We assume the card is Visa for the example.)

  1. A customer has a credit/debit card that has its 13-19 digit Primary Account Number (PAN). This is the number that needs to be protected from fraudulent use.
  2. Customer presents card/PAN to merchant for a purchase.
  3. Before the new system, the PAN and the invoice data were transmitted to the issuing bank via Visa for approval.

But with the new system, step 3 is changed:

3. New process:

  • PAN is sent to the token request system.
  • The token request system returns a token, securely retaining the mapping of token to original PAN.
  • Token is used instead of the PAN for requesting invoice payment, with merchant keeping record of the token, but not of the PAN.

Thus the original customer credit card number is not stored by the merchant, and so is safe from theft from that point on. If there is a computer break-in such as those at Target or Home Depot, the thieves get only the temporary token number.

The following points should be noted about the token:

  • It is also a 13-19 digit number that must pass the same basic validation rules of an account number as a PAN, including the Luhn check digit.
  • It has an expiration date.
  • It may be limited to one particular transaction, or tied to a particular merchant, or tied to a particular device (e.g. a card chip or a digital wallet).

The simple case gets expanded by the final point. The token can be assigned to a chip in an EMV card. Card chips can be read by Near Field Communications (NFC) readers attached to cash registers.

If the card is lost, the token is marked as such, and a new token is issued, but the customer keeps the same PAN. Also, the token, while valid, can only be used via that card chip. It cannot be used in a spoofed credit card, nor for online purchases.
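The token request flow, the token properties, and the lost-card case described above can be sketched in a few lines of Python. This is an added illustration, not code from the article or from the EMVCo specification. `TokenVault`, its method names, and the merchant identifiers are hypothetical, the card number is a constructed test value, and generating the token digits at random is a simplification.

```python
import secrets
from datetime import date

def luhn_check_digit(body):
    """Digit that makes body + digit pass the Luhn test."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:  # doubled positions once the check digit is appended
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str(-total % 10)

def luhn_valid(number):
    return number.isdigit() and luhn_check_digit(number[:-1]) == number[-1]

class TokenVault:
    """Hypothetical token request system; only it holds the token -> PAN map."""
    def __init__(self):
        self._records = {}

    def request_token(self, pan, merchant_id, expires):
        if not (13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a valid PAN")
        while True:  # same length as the PAN, Luhn-valid, never the PAN itself
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 1))
            token = body + luhn_check_digit(body)
            if token != pan and token not in self._records:
                break
        self._records[token] = {"pan": pan, "merchant": merchant_id,
                                "expires": expires, "active": True}
        return token

    def revoke(self, token):
        self._records[token]["active"] = False  # e.g. card or device reported lost

    def detokenize(self, token, merchant_id, today):
        rec = self._records.get(token)
        if rec is None or not rec["active"]:
            raise PermissionError("unknown or revoked token")
        if today > rec["expires"]:
            raise PermissionError("token expired")
        if merchant_id != rec["merchant"]:
            raise PermissionError("token not valid for this merchant")
        return rec["pan"]

if __name__ == "__main__":
    vault = TokenVault()
    t = vault.request_token("4111111111111111", "merchant-A", date(2030, 12, 31))  # constructed test PAN
    print(t, vault.detokenize(t, "merchant-A", date(2025, 1, 1)))
```

A token copied from one merchant's records fails the merchant check anywhere else, and after `revoke` a fresh token can be issued for the same PAN.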

Digital Wallets

The use case gets expanded once again with the Digital Wallet. Here, an electronic device holds records of the user's credit cards. This can be programmed to hold a semi-permanent token instead of the actual PAN. If the merchant system has an NFC receiver at the register, then the customer's device will transmit only the token and the merchant may never see the PAN nor any other identifying information of the user.

Of course, this all depends on the merchants and banks all being sure that you are the true owner of the device in use (or at least an authorized user).


Google (NASDAQ:GOOG) Wallet is one example of the digital wallet. It has apps for Android and iOS devices, and plastic cards for merchants without the NFC equipment. It also allows users to buy online with their system.

Apple Pay

Apple recently announced its entry into the secure payment ring with Apple Pay. This system is tied to the Touch ID on your smartphone (or new iPad?). Apple has implemented what is undoubtedly the most secure and private payment system. I will cover it in detail in a future post.


I believe that the wise investor needs to have a real understanding of technology that affects their investment portfolio. Obviously, no one person can know all about everything, but a solid understanding of the basic concepts is important. It helps them differentiate the misunderstandings that abound in the public mind, and to realistically evaluate various competing systems.

My discussion here only covers the most basic concept. For full details of the EMVCo system, you can access the complete specification document.

Disclosure: The author is long AAPL.

The author wrote this article themselves, and it expresses their own opinions. The author is not receiving compensation for it (other than from Seeking Alpha). The author has no business relationship with any company whose stock is mentioned in this article.