- Wahid Ahmed Choudhury
The payment industry saw more innovations and changes in last few years compared to all other ones combined over the decade before that. Digital payment is quite a convincing way of tapping into the potential customer segment. With rise of the digital wallets, newer channels for issuance and transactions have been created; and along with that, the need for specialized capability to handle backend complexities.
In recent times, it has been observed that different companies are adopting technologies and keeping themselves relevant in the race toward digital payment and other innovative solutions. A lot is going on in the payment and security industry, and it is shaping the FinTech industry in Bangladesh.
Part of that movement is the system security that necessitated a new method of ensuring user’s data and transaction safety in a mobile operating system. Otherwise, despite the advantages of quick service deployment, players in the payment industry would be in a vulnerable environment where fraud can cause serious damage to both the service providers and consumers.
The industry’s answer came in the form of Tokenization.
User’s confidential data – their personal account number (PAN), expiry date etc. – are stored in a secure server (Token Vault) online. Alternate randomly generated numbers called tokens are generated which are then downloaded to the mobile phone. During a contactless payment transaction, they travel through the POS to the Issuer system. The Issuer sends the token to the Tokenization Server for checking, and upon getting confirmation that it is valid, authorizes the transaction.
Only the Token Vault in secure storage has access to the actual PAN. Eavesdropping on any part of the transaction flow will not reveal the user’s confidential information. Also, tokens can be changed at set intervals, rendering the previous token invalid. Thus, replay attacks (recording and replaying whatever information is transmitted by a card, to impersonate that card) are useless. Tokens can be changed as frequently as once after every transaction.
Tokenization brings effective data security to emulated cards. Its online updating method is a good fit for the online provisioned nature of Host Card Emulation, the underlying technology for digital mobile payment.
Over the course of 2014, the payment brands have been publishing specifications for using Host Card Emulation along with Tokenization as a much more secure mobile payment system package. Using these specifications, service providers can deploy secure HCE-based payment cards in Android smartphones.
Kona Software Lab Limited, the Bangladesh office of South Korean smartcard payment and security industry pioneer Kona I Co., Ltd., has been steering the HCE-based digital payment platform deployment with tokenization in Bangladesh FinTech industry. The company already rolled out its state of the art payment platform for a number of leading players in the financial sector. It will continue its drive towards making the digital payment safe and secure for all.
The author is the Manager, Technical Marketing at Kona Software Lab Limited
