Tokenization is an increasingly popular way to add security to digital payments globally. It is adopted by Apple Pay and backed by major payment providers such as Visa, Mastercard, and Amex. It addresses the credit card data leakage that can happen at the time of payment, also known as "front-end risk".
Currently, a user's card information (credit card number, date of expiry) is visible to a merchant or a PSP and stored in their systems when users make Internet and mobile payments. This data is susceptible to fraudsters who seek to steal those credentials to make fraudulent transactions. Tokenization reduces this risk as the bankcard number (wallet number in case of a PSP) and verification code is replaced with a series of randomly generated numbers, or a “token”. This token can only be decrypted by a trusted party.
Tokenization also addresses the risk of unencrypted data leakage by payment companies in China. Caixin reported that after information from 10 million bankcards was leaked by a PSP in January 2015, criminal groups stole nearly RMB 40 million over the next six months.
Separately, China UnionPay (CUP) has also issued a set of tokenization rules guiding the adoption of this new technology. The rules explain the role of CUP and other players in the ecosystem and provide implementation instructions. CUP is ready to support tokenization for near-field communication (both host card emulation and secure element modes), digital wallet payments, large merchant payments and QR payments. The company is still researching tokenization for IC cards.
As tokenization spreads globally, China's PSPs will have to adopt the technology if they want their digital wallets to be accepted overseas. CUP's leadership in this respect may also put it ahead of the aggressive PSP competitors.