Securing Real-time Payments with Payment Account Tokenization

“Tokenization has succeeded in mitigating fraud elsewhere in mobile payments, and is now ready to do the same for real-time payments, enabling account-based transactions to be processed faster and safer than ever before.”

- David Worthington, VP, Strategic Business Development, Rambus

Table of Contents

The Introduction of Real-time Payments Brings Significant Challenges for Central Banks & Clearing Houses

Existing Measures are Not Sufficient for the Current Account-Based Model, Let Alone Instant Payments

Tokenization Stops the Theft of Account Details and Makes Fraud Detection Easier

A New Ecosystem is Created, with Central Banks and Automated Clearing Houses at its Center

There are Added Benefits for the Ecosystem Beyond Security

Payment Account Tokenization Addresses Account-based Fraud Head On

The Introduction of Real-time Payments Brings Significant Challenges for Central Banks & Clearing Houses

Real-time payments (RTP) have been proliferating globally since 1973, increasingly driven by the need for payments clearing to keep pace with today’s on-demand digital world.

But the shift from traditional automated clearing systems to ‘faster payments’ brings challenges.

The success of anti-fraud measures like EMV® chip, EMV® 3-D Secure and payment tokenization in mitigating card-present and card-not-present fraud in-store and online has caused fraudsters to look elsewhere for more vulnerable targets.

Demand Deposit Account (DDA) credentials for business or consumer current, savings or checking accounts are stored in a wide range of locations. E-commerce websites, invoices, payroll and mobile wallets all store account numbers in their raw form, making them vulnerable to fraud.

Attacks involving account-to-account transactions are therefore increasing.

One reason is the potential payoff. While card and mobile payment fraud is much more common, the size of the stolen funds is limited. The average value of unauthorized account-based transactions, however, is significantly higher. For example, the average value of an unauthorized ACH transaction in 2012 was $736, whereas the average fraudulent debit card payment was $104.

What are RTPs?

RTP – otherwise known as instant or faster payments – are account-to-account transactions that can be made 24/7, 365 days a year, and will be completed (nearly) instantly.

Automated clearing fraud represents an ongoing problem for banks, but the introduction of RTP adds another layer of complexity.

Ramping up the speed of the clearing process makes fraud prevention even more difficult. Detecting irregularities over a matter of seconds, rather than days, is a big challenge for banks. This increased risk can be seen in the experience of the UK, where payment fraud more than doubled in the first three years following the arrival of Faster Payments in 2008 and six years later had risen by nearly 270%.

Central banks that have implemented, are deploying or are looking at RTP therefore need to assess their current account-to-account fraud detection measures, and look for other ways to mitigate the impact of fraud.

Tokenization is one measure gaining significant momentum, as it removes sensitive data from the transaction process, but first let’s look at what many banks are currently working with.

Existing Measures are Not Sufficient for the Current Account-Based Model, Let Alone Instant Payments

Research from the Federal Bank of Minneapolis provides insight into the types of transaction fraud screening and scoring methods that are used by financial institutions to mitigate automated clearing fraud. These include:

• Financial intelligence – in-country agencies such as OFAC (Office of Foreign Assets Control) in the US and OFSI (Office of Financial Sanctions Implementation) in the UK collaborate with financial institutions

• Manual review – checking payment mandates and unusual account activity (possibly flagged by a fraud or risk management system detecting out of pattern activity) daily via a manual process

• Out of pattern activity – identifying and flagging irregular or unusual payments, which then need to be processed, as simply rejecting them leads to increasing customer issues

• Transaction value – imposing limits on account transactions to mitigate fraud

• ACH block services – use of credit and debit filters

Manual review continues to be a mainstay of bank processes to check transactions in traditional clearance. 83% of banks in the US use this as a primary line of defense, yet in 43% of cases they admitted it was “somewhat effective or ineffective”.

With increasing volumes and decreasing staff, these checks become more difficult. But this policy and practice exist in a world where automated clearing still takes a number of days. With the introduction of RTP, measures like this fall even further behind the curve and the potential for fraudsters to exploit vulnerabilities grows.

Tokenization Stops the Theft of Account Details and Makes Fraud Detection Easier

Tokenization is the process of replacing unique sensitive information or data with a context-specific proxy, which can have policies applied to its usage to increase security, and can be managed and replaced without impacting the underlying credential.

Depending on the system and token usage, it could be formatted and validated in the same way as the original credential, allowing non-disruptive use in an existing ecosystem.

Alternatively, for new services, tokens can be formatted in an easier format for frictionless use by the consumer. It is important to note that the underlying account credential can have multiple tokens associated with it, each supporting a specific relationship or defined functionality.

Tokenization has already proved successful in mitigating fraud in-store and online, with all of the major payment systems, digital wallets and original equipment manufacturers embracing it, and the benefits can be applied to account-based transactions.

[Figure: Account Tokenization]

Why Payment Account Tokenization?

• Reduce the impact of data breaches: Sensitive account information is not stored and stolen tokens cannot be used outside the authorized channels

• Transaction protection: Reduce risk of fraudsters using stolen account numbers to commit transactional fraud by substitution of account numbers in instructions.

• No change in consumer behavior: Consumers and businesses send and accept payments without having to change their procedures

• Control parameters can be used to apply limits to the scope of tokens: Limit the channels, merchants, amounts or dates for use of specific tokens via domain controls

• No change in payment authorizations: Tokens route normally through the payment systems and networks.

Payment Account Tokenization as a technology is suitable to support multiple payment use cases via a single system.

It is important to note that tokenization is a process that should be considered as complementary to all existing anti-fraud measures, adding another robust layer of security.

The process significantly reduces the risk and impact of account-based fraud to support the development of a safe and secure instant payments framework. Issuers and merchants can also react to and isolate emerging threats, mitigating fraud across all channels.

In applying this technology to the account-based ecosystem, Central Banks and Automated Clearing Houses take on a critical role in the management of tokenization within a region, but also a strategic one moving forward.

[Figure: Multiple Use Cases]

A New Ecosystem is Created, with Central Banks and Automated Clearing Houses at its Center

The infrastructure required for tokenization must be implemented at a systemic level. The role of Central Banks and Automated Clearing Houses as the Payment Account Tokenizer and manager of the Token Vault – a centralized and highly secure server where the issued tokens and the account numbers they represent are stored – is essential.

Necessarily, the transaction process must also change to accommodate the initial creation of the token and factor in the validation of tokens during the transaction.

Creating a token:

• When Laura wants to transfer money from her account (1), her bank sends the transaction to the central operator (2), such as an automated clearing house.

• When the central operator identifies that the account number linked to the transaction is not yet tokenized, it passes a message to the Payment Account Tokenization solution to request a token (3).

• This token is sent back via the central operator (4) to Laura’s bank (5), which updates its files for future transactions and deletes the original account number.

• From here on, any time Laura makes a payment from her bank account, a token will be used in the transaction rather than the original account number.

[Figure: Creating a Token]

Using the token in a transaction:

• In this example, Laura wants to send money from her account to Steve’s account. The transaction including the token is sent to the central operator (2).

• Once received, the central operator identifies that the payment contains a token and forwards it to the Payment Account Tokenization solution (3).

• Here, the token is detokenized to reveal the original account number (4). The central operator then forwards the transaction with the true credentials to Steve’s bank (5), which credits Steve’s account with Laura’s payment (6).

[Figure: Using the Token in a Transaction]
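
The two flows above, combined with the domain controls listed under "Why Payment Account Tokenization?", as an added Python sketch (not part of the original paper and not Rambus product code). The `TokenVault` class, the channel names and the account number are hypothetical and constructed for illustration.

```python
import secrets
from dataclasses import dataclass

@dataclass(frozen=True)
class DomainControls:
    channels: frozenset   # channels the token is valid in
    max_amount: int       # per-transaction limit in minor units (cents)

class TokenVault:
    """In-memory stand-in for the Token Vault (hypothetical, not a product API)."""

    def __init__(self):
        self._by_token = {}   # token -> (account number, controls)
        self._by_scope = {}   # (account number, controls) -> token

    def tokenize(self, account, controls):
        # An account can hold several tokens, one per set of domain controls.
        key = (account, controls)
        if key not in self._by_scope:
            token = self._new_token(account)
            self._by_scope[key] = token
            self._by_token[token] = key
        return self._by_scope[key]

    def _new_token(self, account):
        # Random digits of the same length as the account number, so the token
        # fits existing fields; it has no mathematical link to the account.
        while True:
            token = "".join(secrets.choice("0123456789") for _ in account)
            if token != account and token not in self._by_token:
                return token

    def detokenize(self, token, channel, amount):
        # Returns (account, "ok") or (None, reason) so the operator can decline.
        entry = self._by_token.get(token)
        if entry is None:
            return None, "unknown token"
        account, controls = entry
        if channel not in controls.channels:
            return None, "channel not permitted"
        if amount > controls.max_amount:
            return None, "amount over limit"
        return account, "ok"

# Constructed sample data: the account number and channel names are made up.
LAURA_ACCOUNT = "12345678"
vault = TokenVault()
laura_token = vault.tokenize(LAURA_ACCOUNT, DomainControls(frozenset({"mobile"}), 50_000))
```

A production vault would also keep tokens out of the range of live account numbers and hold the mapping in hardened, audited storage; neither is modelled here.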

There are Added Benefits for the Ecosystem Beyond Security

While the primary objective of tokenization is to protect account credentials before, during and after payment, banks should take a wider view on the strategic use and potential of tokenization. Tokens represent opportunities beyond security and increased privacy, including the ability to support new account-to-account based payment services, such as mobile payments and P2P.

And with financial regulators around the world introducing new regulations to protect consumers and businesses in the faster payments landscape, such as PSD2 in Europe, the potential use-cases and business models for instant account-based payments will increase.

Consequently, banks will look to push ahead with new use-cases outside their typical areas of day-to-day activity, such as enabling customers to create new payment relationships among themselves and directories.

In doing so, banks can use tokenization as a means to build stronger trust with customers through the provision of ever-simpler and seamless account-to-account payments.

Payment Account Tokenization Addresses Account-based Fraud Head On

ACH and real-time payments present a range of challenges. The combination of the availability of account details to fraudsters and the reduced time for banks to identify invalid transactions, however, makes security one of the biggest priorities.

Payment Account Tokenization addresses the issue of fraud head on. Over time, real account numbers will no longer be shared, meaning they cannot be stolen. The ability to tailor the security level of tokenization itself – by adding domain controls or cryptograms – will also be key as tokens used outside of their pre-defined parameters are easily identifiable and the transaction can be automatically declined.

It is important to note that tokenization does not only mitigate fraud for countries currently migrating to RTP. Regions that have already implemented instant payments can reap the same rewards.

The best solutions integrate with existing infrastructure, enabling the swift onboarding of member financial institutions, and support ISO 20022 to futureproof implementations in line with future requirements.

Tokenization has succeeded in mitigating fraud elsewhere in financial services, and is now ready to do the same for account-based transactions, enabling payment data to be processed faster and safer than ever before.

Payment Account Tokenization introduces a trusted and highly effective means of managing data, enabling real-time payments to be sustainable for all stakeholders.

To learn more, visit rambus.com/payments.

About Rambus Security Division

The Rambus Security Division is dedicated to providing a secure foundation for a connected world. Integrating technologies from Cryptography Research, Bell ID and Ecebs, our innovative solutions span areas including tamper resistance, network security, mobile payment, smart ticketing and trusted transaction services. Our technologies protect nearly nine billion licensed products annually, providing secure access to data and creating an economy of digital trust between our customers and their customer base. Additional information is available at rambus.com/security.

© Rambus Inc. • rambus.com

Rambus, 1050 Enterprise Way, Suite 700, Sunnyvale, CA 94089