Tokenization, the New Security Standard for Mobile Payment

Deciphering one of the key topics of the CARTES SECURE CONNEXIONS show

PARIS -- CARTES SECURE CONNEXIONS 2015, the show dedicated to secure solutions for payment, identification and mobility, is organising three conference sessions on tokenization.

E-payment systems are rapidly evolving, which shows that the industry is ready to meet the demands of portable device users. The emergence of new types of service providers, such as Token Service Providers, would suggest that the scope of tokenization goes much further than payment.

During three conference sessions on "Navigating the mobile contactless payments landscape" – to take place between 17 and 19 November – we will look at this ever-growing security procedure and the relevant strategic issues; how it is making its way into the scope of payment and its potential future in other sectors. A large number of exhibitors will be presenting their innovations in terms of tokenization during this 3-day event.

Tokenization: the natural evolution of secure payment

How has tokenization evolved to become a secure solution for electronic payments? For a long time, it has only been possible to "physically" pay for something in a shop, by inserting your card into a card terminal (for card present transactions).

However, the emergence of two phenomena has shaken this model:

  • Firstly, contactless payments, which are made directly using a card or a mobile phone. The objective is to facilitate payment and speed up transactions, while ensuring a high level of security.
  • Secondly, the arrival of the Internet and e-commerce, which have called for the implementation of virtual payment systems (for card not present transactions). However, these systems may represent serious risks, because, quite often, it is enough to have the primary account number (PAN) and expiry date of the card to carry out a transaction online.

Given that the number of virtual transactions is increasing considerably, new technologies – for example, NFC, Bluetooth Low Energy, QR codes and HCE – have had to rise to a number of challenges, particularly in terms of security.

Tokenization is a process which is part of this development in payment systems. It consists of replacing sensitive data with substitute data to make electronic transactions more secure. The most representative example is the use of a token instead of a bank card number (or PAN). By using a token rather than a PAN, it is possible to limit the damage caused if the security system is breached and payment details are revealed.

In the future, users may not even be able to differentiate between card present and card not present transactions, and the user identification used will vary depending on the type of terminal and network used and on preferences (consumer or retailer).

The token: fail-safe protection against hackers

Tokens are used to substitute sensitive data. They are not related in any way to the data they replace and hackers cannot read any of the data substituted. Tokenization can reduce the risk of using sensitive data online, for example in the event of data theft or misappropriation.

It is in this context that tokenization comes into its own.

The developers and users of payment systems seek the following security benefits:

  • Sensitive data associated with the card used for payment and the holder should lie in the hands of the bank and retailer only. Under no circumstances may these data be made available to third-party systems.
  • Tokens created are based on random numbers and characters and should not be associated with the data that they replace;
  • Tokens created should have the same format, size and characteristics as the original data.
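The three properties listed above can be seen in a minimal token vault. This is an added example, not code from the show organisers or from any exhibitor; the TokenVault class, its method names and the in-memory storage are hypothetical, and the Luhn checksum is assumed to be one of the "characteristics" a token keeps.

```python
import secrets

def luhn_check_digit(body: str) -> str:
    """Luhn check digit for a digit string that does not yet include it."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:          # these positions are doubled once the check digit is appended
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)

def luhn_valid(number: str) -> bool:
    return number.isdigit() and len(number) > 1 and luhn_check_digit(number[:-1]) == number[-1]

class TokenVault:
    """Hypothetical in-memory vault; a real one is an access-controlled, audited service."""

    def __init__(self):
        self._pan_by_token = {}
        self._token_by_pan = {}

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a well-formed PAN")
        if pan in self._token_by_pan:      # design choice: one token per PAN
            return self._token_by_pan[pan]
        while True:
            # Random digits from the OS CSPRNG: nothing is derived from the PAN.
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 1))
            token = body + luhn_check_digit(body)   # same length and checksum as a PAN
            if token != pan and token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        # Only the vault lookup reverses a token; unknown tokens raise KeyError.
        return self._pan_by_token[token]

if __name__ == "__main__":
    vault = TokenVault()
    test_pan = "4111111111111111"   # widely used test number, not a real card
    token = vault.tokenize(test_pan)
    print(token, luhn_valid(token), vault.detokenize(token) == test_pan)
```

Because the token is random, a stolen token database reveals nothing about the PANs unless the vault mapping is stolen as well, so the vault is the component that needs the strongest protection.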

EMV has shown how effective it is in fighting against fraud in card present transactions: apart from "chip and pin" transactions, the PAN may only be used if the card is physically presented.

The situation is, however, completely different for card not present transactions and the level of fraud is increasing in this use. Despite an array of measures designed to secure these types of transactions, the best way to fight against fraud is to have a secret PAN.

In the case of cross-channel transactions, which may be in a store or online, the card data obtained fraudulently, via a faulty payment terminal, may be used for card not present transactions on the Internet. This is where the token plays a key role, as even if the security system is breached and the payment details are unveiled, the damage is limited since the token value is revealed rather than the PAN that it replaces.

For card not present transactions in particular, tokenization offers the best features in terms of security. However, other security measures such as readers or terminals must also be implemented since tokenization alone cannot totally guarantee security.

From payment to a new scope: the omnipresent token

The launch of Apple Pay in September 2014 has strongly affected the mobile payment ecosystem. This offer has three main characteristics:

  • NFC as a communications protocol with the payment terminal;
  • Using the Secure Element as a security platform;
  • Using tokens to protect the card number.

Apple's announcement came at the same time as the announcement made by Visa and Mastercard who gave their approval of tokenization as a security solution for transactions, particularly card not present transactions. A few months earlier (March 2014), EMVCo issued a document entitled "EMV Payment Tokenization Specification – Technical Framework" which inspired the Apple Pay solution.

The rapid innovation of payment systems is unprecedented. It shows that the industry is rapidly evolving to meet the demands of portable device users - primarily the Smartphone - who believe that this device is fully adapted for transactions carried out online or at home. New types of service providers are emerging, such as Token Service Providers, which complement the already wide range of suppliers of components and applications.

This is particularly important since the scope of tokenization goes beyond payment. The health sector, like the payment industry, relies on security access devices to identify a lot of individuals. It therefore represents a strong candidate for new generation tokens.

Tokenization at the heart of CARTES SECURE CONNEXIONS 2015

Payment is a complex and rapidly evolving area. The ever-growing mobile ecosystem is crossing and integrating into more industry segments than ever before. Tokenization is an alternative to hardware solutions used to date for secure transaction payments.

From 17 to 19 November, CARTES SECURE CONNEXIONS places mobile contactless payment under the spotlight at three day-long sessions on: "Navigating the mobile contactless payments landscape".

  • HCE & Tokenization: What is the role of the Secure Element?
    Presented by Francesco IARLORI, Managing Director - BizDev & Strategy Italy
  • New business models: What is the impact on the banking, telecommunications and retail industries?
    Presented by Laurent NIZRI, CEO, Alteir Consulting & Vice-President, ACSEL
  • Mobile payments: NFC, HCE, SE, Tokenization
    Presented by Nathan HILT, Director – PriceWaterhouseCoopers

This is an opportunity for participants to look into the latest technologies on the payments market (for example, NFC, HCE, SE and tokenization), to discuss how the mobile is creating new ways to pay and to assess the new players and trends.

Several companies* which specialise in tokenization will be presented at CARTES SECURE CONNEXIONS:

  • CryptoExperts
  • Cryptomathic

* Non-exhaustive list of exhibitors working on this topic.

Book your dates: 17-19 November 2015


CARTES SECURE CONNEXIONS, the world’s most comprehensive event for Secure Payment, Connection and Identification changes its name this year to TRUSTECH. The global TRUSTECH Network also organises leading exhibitions and conferences in Asia and North America. With an ambitious programme of exhibitor stands, conferences and awards and a focus on innovation, CARTES SECURE CONNEXIONS 2015 confirms its position as the leading global event in the sector. In November, 460 exhibitors and 20,000 visitors from the Finance, Retail, Telecommunications, Government, Healthcare, Transport and many other sectors, from 160 countries, will converge on Paris to explore the way our digital world will evolve.

COMEXPOSIUM, 4th leading event organiser world-wide*, is involved in 114 events for the general public and professionals, covering 17 different sectors. The group welcomes 38,000 exhibitors every year, 40% of whom are international, and 3.5 million visitors, 350,000 of whom come from abroad. COMEXPOSIUM organises 5 of the 10 biggest events held in France: SIAL, Foire de Paris, Intermat, SIMA and Paris International Agricultural Show.
Customer satisfaction, innovation, growth and development and commitment to an eco-friendly approach are the key commitments of the COMEXPOSIUM Group’s products. Each event is a market leader, facilitating development, highlighting the sector and pre-empting market trends.

*Source: GLOBEX 2012


Press contacts
Stéphanie Champion – / Cathy Bubbe –
Telephone: 01 42 30 81 00
