New American Express Services Combat Fraud Through Tokenization

American Express has launched new services designed to protect online and mobile payments by replacing sensitive card information with tokens.

The American Express Token Service solutions can be used by card issuers, payment processors, acquirers and merchants to replace payment card account numbers with unique tokens. The tokens can be used to make payments online, in mobile apps, and in stores via mobile devices that support near-field communications (NFC).

Businesses that use the Token Service will no longer have to worry about storing sensitive financial information on their systems, the company said. The solution offers additional fraud protection because the tokens can be assigned for use with a specific payment device, transaction type or merchant.

The American Express Token Service provides the ability to issue tokens; lifecycle management services for creating, suspending, resuming and deleting tokens; and a vault where tokens are stored and mapped to account numbers. Card issuers will also benefit from payment data validation capabilities and other fraud and risk management services.
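The vault, lifecycle and domain-restriction ideas described above can be sketched as follows. This is an added illustration, not American Express code and not taken from the EMVCo specification; `TokenVault`, its method names, the merchant and channel labels and the sample account number are all hypothetical.

```python
import secrets
from dataclasses import dataclass
from enum import Enum

class State(Enum):
    ACTIVE = "active"
    SUSPENDED = "suspended"
    DELETED = "deleted"

@dataclass
class TokenRecord:
    pan: str            # real account number, held only inside the vault
    merchant_id: str    # token is bound to this merchant
    channel: str        # and to this transaction type, e.g. "ecommerce" or "nfc"
    state: State = State.ACTIVE

class TokenVault:
    """In-memory stand-in for a token vault (hypothetical, for illustration)."""
    def __init__(self):
        self._records = {}

    def issue(self, pan, merchant_id, channel):
        # Token digits are random, never derived from the PAN, so a stolen
        # token reveals nothing about the account number.
        while True:
            token = "".join(secrets.choice("0123456789") for _ in pan)
            if token != pan and token not in self._records:
                break
        self._records[token] = TokenRecord(pan, merchant_id, channel)
        return token

    def _set_state(self, token, state):
        rec = self._records[token]
        if rec.state is State.DELETED:
            raise ValueError("a deleted token cannot change state")
        rec.state = state

    def suspend(self, token): self._set_state(token, State.SUSPENDED)
    def resume(self, token): self._set_state(token, State.ACTIVE)
    def delete(self, token): self._set_state(token, State.DELETED)

    def detokenize(self, token, merchant_id, channel):
        """Return the PAN only for an active token used inside its bound domain."""
        rec = self._records.get(token)
        if rec is None or rec.state is not State.ACTIVE:
            return None
        if (rec.merchant_id, rec.channel) != (merchant_id, channel):
            return None  # token replayed at another merchant or channel
        return rec.pan

if __name__ == "__main__":
    vault = TokenVault()
    tok = vault.issue("370000000000002", "merchant-A", "ecommerce")  # constructed sample PAN
    print(vault.detokenize(tok, "merchant-A", "ecommerce") is not None)  # in-domain use
    print(vault.detokenize(tok, "merchant-B", "ecommerce"))  # out-of-domain use
```
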

All these features are based on the EMV Payment Tokenization Specification technical framework released by EMVCo in March 2014. 

"We believe our payments network is a tremendous asset to American Express – one that will allow us to offer our customers new features and technologies to meet their evolving spending needs," commented Paul Fabara, president of Global Banking and Global Network Business at American Express. "As we move ahead, we are excited to bring these new capabilities to our customers and look forward to continuing to serve them."

For the time being, American Express Token Service is available only in the United States, but the company expects it to launch internationally in 2015.

American Express has also developed network specifications for cloud-based Host Card Emulation (HCE). The specifications provide card issuers with additional security options and solutions for payments via NFC-enabled mobile devices running Android KitKat. Card issuers using HCE store their customers' information on a secure cloud server, from where it is transmitted to mobile phones and then to PoS terminals quickly and securely. The HCE specifications are available globally, American Express said.

Payment card fraud is highly problematic these days and many organizations have started taking steps to put an end to the phenomenon. However, cybercriminals are not giving up.

Last month, researchers revealed the existence of Voxis, a new automated tool that can be used by cybercriminals to send batches of fraudulent payment card charges to multiple gateway processors. Voxis increases the chances of avoiding fraud detection systems and having fraudulent charges authorized because it emulates human behavior and buying patterns.

Fraudsters could also target payment cards directly. Researchers at Newcastle University have shown that the contactless cards released by Visa in the U.K. are vulnerable to fraudulent foreign currency transactions, in theory allowing the theft of up to 999,999.99 in any foreign currency.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.