
New American Express Services Combat Fraud Through Tokenization

American Express has launched new services designed to protect online and mobile payments by replacing sensitive card information with tokens.

The American Express Token Service solutions can be used by card issuers, payment processors, acquirers and merchants to replace payment card account numbers with unique tokens. The tokens can be used to make payments online, in mobile apps, and in stores via mobile devices that support near-field communications (NFC).

Businesses that use the Token Service will no longer have to worry about storing sensitive financial information on their systems, the company said. The solution offers additional fraud protection because the tokens can be assigned for use with a specific payment device, transaction type or merchant.

The American Express Token Service provides the ability to issue tokens; lifecycle management services for creating, suspending, resuming and deleting tokens; and a vault where tokens are stored and mapped to account numbers. Card issuers will also benefit from payment data validation capabilities and other fraud and risk management services.

All these features are based on the EMV Payment Tokenization Specification technical framework released by EMVCo in March 2014. 
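The vault, lifecycle and usage-restriction ideas described above can be sketched as follows. This is an added illustration, not American Express code and not an implementation of the EMVCo specification; the class, method and field names are hypothetical.

```python
import secrets
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class TokenRecord:
    pan: str                  # real account number; never leaves the vault
    merchant: Optional[str]   # usage restriction (None = any merchant)
    channel: Optional[str]    # usage restriction, e.g. "nfc", "ecommerce"
    state: str = "ACTIVE"     # ACTIVE or SUSPENDED; deleted tokens are removed

class TokenVault:
    """Hypothetical in-memory vault mapping tokens to account numbers."""

    def __init__(self) -> None:
        self._records = {}

    def issue(self, pan: str, merchant: Optional[str] = None,
              channel: Optional[str] = None) -> str:
        while True:  # random surrogate, same length as the PAN, not derived from it
            token = "".join(secrets.choice("0123456789") for _ in pan)
            if token != pan and token not in self._records:
                break
        self._records[token] = TokenRecord(pan, merchant, channel)
        return token

    def _transition(self, token: str, expected: str, new: str) -> None:
        rec = self._records[token]
        if rec.state != expected:
            raise ValueError(f"token is {rec.state}, expected {expected}")
        rec.state = new

    def suspend(self, token: str) -> None:
        self._transition(token, "ACTIVE", "SUSPENDED")

    def resume(self, token: str) -> None:
        self._transition(token, "SUSPENDED", "ACTIVE")

    def delete(self, token: str) -> None:
        del self._records[token]  # mapping destroyed; token is now meaningless

    def authorize(self, token: str, merchant: str, channel: str) -> Tuple[bool, str]:
        rec = self._records.get(token)
        if rec is None:
            return False, "unknown token"
        if rec.state != "ACTIVE":
            return False, f"token {rec.state.lower()}"
        if rec.merchant is not None and rec.merchant != merchant:
            return False, "merchant mismatch"
        if rec.channel is not None and rec.channel != channel:
            return False, "channel mismatch"
        return True, "approved"  # only here would rec.pan be used for the charge
```

A token issued for one merchant and channel is declined when presented anywhere else, and suspending or deleting it cuts it off without reissuing the underlying card.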

“We believe our payments network is a tremendous asset to American Express – one that will allow us to offer our customers new features and technologies to meet their evolving spending needs,” commented Paul Fabara, president of Global Banking and Global Network Business at American Express. “As we move ahead, we are excited to bring these new capabilities to our customers and look forward to continuing to serve them.”

For the time being, American Express Token Service is available only in the United States, but the company expects it to launch internationally in 2015.

American Express has also developed network specifications for cloud-based Host Card Emulation (HCE). The specifications provide card issuers with additional security options and solutions for payments via NFC-enabled mobile devices running Android KitKat. Card issuers using HCE store their customers’ information on a secure cloud server, from where it is transmitted to mobile phones and then to PoS terminals quickly and securely. The HCE specifications are available globally, American Express said.

Payment card fraud is highly problematic these days and many organizations have started taking steps to put an end to the phenomenon. However, cybercriminals are not giving up.

Last month, researchers revealed the existence of Voxis, a new automated tool that can be used by cybercriminals to send batches of fraudulent payment card charges to multiple gateway processors. Voxis increases the chances of avoiding fraud detection systems and having fraudulent charges authorized because it emulates human behavior and buying patterns.

Fraudsters could also target payment cards directly. Researchers at Newcastle University have shown that the contactless cards released by Visa in the U.K. are vulnerable to fraudulent foreign currency transactions, in theory allowing the theft of up to 999,999.99 in any foreign currency.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
