CITI HAS BEEN on a decade-long journey toward becoming an always-on financial partner in our customers’ day-to-day lives. As a company, we’re positioned to show up where our customers want us, and to go a step beyond to help our clients navigate today’s 24/7 connected environment. Safety and soundness remain paramount in everything Citi does as it moves banking beyond the bank to empower our customers to bank anytime, anywhere, with mobile services at the core.
When we see benefit and value for clients in enabling select services on platforms outside of our own, security, privacy, and customer choice always will be critical priorities. Payments, the most frequent interaction customers have with their bank, are one banking service that provides a great opportunity for banks to make their customers’ lives easier.
Around the world, people are opening their wallets a lot less frequently as an increasing number of consumers use their mobile devices to pay for goods and services. Juniper Research estimates the number of global mobile contactless users will exceed 760 million by 2020, up from an estimated 440 million in 2018. The same research forecasts OEM payment services, including Apple Pay, Samsung Pay, and Google Pay, will reach 450 million users by 2020, with Apple accounting for one in two OEM payment users around the world.
Customers continue to adopt new technologies at a rapid pace, and this is changing their lifestyles while also affecting how banks operate. Today’s customer demands seamless, best-in-class experiences for everything, so we must deliver on that and meet our customers where they are.
THE BENEFITS OF TOKENIZATION
There are obvious reasons we are seeing this shift to digital payments, including the speed and ease of use, which are convenient for both the customer and merchants. One reason that’s less apparent to the end user but critical for the industry is the enhanced safety and soundness made possible by the underlying technology of tokenization.
Tokenization protects sensitive data, such as a customer’s primary account number, by replacing it with a unique, random string of characters that has no meaningful value. This nonsensitive data, called a token, is generated by a nonreversible algorithm. The nonreversible property of the algorithm prevents converting token numbers back to the original data. Instead, tokens are generated and stored with mapping to the credit card number in a secure and centralized system called a token vault. The real data in the vault is secured, often via encryption. Tokens are restricted in usage to a specific device, merchant, transaction type, or channel.
Payment processing is one of the most widespread uses of tokenization today. Tokenization allows customers to securely store their credit card information in mobile wallets, point-of-sale terminals, and e-commerce sites so the card can be charged multiple times without ever exposing the credit card information.
Consumers already are leveraging a range of payment methods that use tokens. While the end user is likely unaware of the tokenization technology making frictionless transactions possible, our goal is to derive value from the customer experience we provide.
Card-on-file tokenization provides an additional layer of convenience for customers. Their payment details can be instantly refreshed and are immediately ready for use when a new card is required, whether the original is lost, stolen, or expired. Customers always have access to valid credentials and don’t need to wait for a new card to arrive in the mail. This removes the hassle of logging in and updating account details or missing out on a subscription-based service because of an expired card.
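The vault model and the card-on-file refresh described above, as an added example that is not Citi's code or part of the original article. The class name `TokenVault`, the domain strings, and the choice of a same-length, Luhn-valid token are assumptions made for illustration; the card numbers are well-known test numbers.

```python
import secrets

def luhn_check_digit(partial: str) -> str:
    """Digit that makes partial + digit pass the Luhn check."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch) * 2 if i % 2 == 0 else int(ch)
        total += d - 9 if d > 9 else d
    return str((10 - total % 10) % 10)

class TokenVault:
    """In-memory stand-in for a token vault; a real vault encrypts stored PANs."""

    def __init__(self):
        self._entries = {}  # token -> {"pan": ..., "domain": ...}

    def tokenize(self, pan: str, domain: str) -> str:
        # Random digits, not derived from the PAN, so the token cannot be reversed.
        while True:
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 1))
            token = body + luhn_check_digit(body)
            if token != pan and token not in self._entries:
                break
        self._entries[token] = {"pan": pan, "domain": domain}
        return token

    def detokenize(self, token: str, domain: str) -> str:
        # A token is only honoured in the domain it was issued for.
        entry = self._entries.get(token)
        if entry is None or entry["domain"] != domain:
            raise PermissionError("unknown token or wrong domain")
        return entry["pan"]

    def replace_card(self, old_pan: str, new_pan: str) -> int:
        """Re-point every token issued for old_pan; merchants keep their tokens."""
        updated = 0
        for entry in self._entries.values():
            if entry["pan"] == old_pan:
                entry["pan"] = new_pan
                updated += 1
        return updated

if __name__ == "__main__":
    vault = TokenVault()
    token = vault.tokenize("4111111111111111", "merchant:example-shop")  # test PAN
    print(token, vault.detokenize(token, "merchant:example-shop"))
```

A token presented under any other domain is rejected, which is why a token stolen from one merchant or device has no value elsewhere.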
Tokenization also is an increasingly popular way to prevent credit card fraud. There’s an inherent risk of targeted data breaches for merchants that process and store credit card numbers. Replacing the credit card numbers with tokens is a cost-effective way to mitigate this risk by safeguarding sensitive information. By reducing the risk of fraud related to digital payments, tokenization makes online checkout, mobile contactless payments, and in-app purchases more secure. The widely used single-pay token system prevents data from being used if it’s stolen. This technology works with an increasing number of point-of-sale systems used today.
As Citi’s proprietary digital offerings continue to expand and we increasingly offer our services on different platforms, using tokenization to remove credit card information from the payments ecosystem is another way we are safeguarding the security of our customers’ data, which is a critical piece of our business.
At music and other entertainment events, Citi has been using cashless payments made possible by tokenization for several years. Radio-frequency identification chips are now embedded into ticket wristbands and used for identification, payment, security, and fan engagement. We’ve seen usage of these payments increase significantly year-over-year as the general public embraces the technology and the ease of use it provides. For example, during the Governors Ball Music Festival in New York City in 2018, we saw a 170% increase in cashless spending versus the year before.
As a brand, Citi is continuously aiming to enable our customers to spend less time banking and more time enjoying life’s key moments. Through an all-in-platform that enables cashless payments as well as other powerful capabilities, our customers are able to enjoy what matters most to them and Citi is that enabler.
Citi continuously works with the credit card network partners to drive adoption of tokens. Our own digital wallet, Citi Pay Masterpass, is available to Citi Mastercard customers in the U.S., Singapore, Australia, and Mexico. Mastercard and Visa have had a reciprocal agreement to allow access to the other network’s tokens through their digital wallets for two years.
Earlier this year, Mastercard and Visa announced that they’re exploring plans to adopt a single shared payment button for online payments. American Express and Discover are also considering the project, which would streamline the online checkout process for customers and the system for merchants.
Merchants are seeing the benefits as well. Using tokenization facilitates more secure transactions, faster checkout experiences, new payment options, and additional ways to sell. Tokens can be used as the merchant needs, without security concerns. Tokens are flexible for refunds, chargebacks, and recurring payments while providing end-to-end security, low cost per transaction, and a format that fits with legacy credit card fields.
Tokenization allows merchants to reduce their regulatory obligations and costs associated with meeting Payment Card Industry Data Security Standard (PCI DSS) compliance for storing credit card information.
Tokenization minimizes the scope of PCI compliance by reducing the number of systems that have access to customers’ credit card credentials. In 2011, the Payment Card Industry Security Standards Council (PCI SSC), the organization responsible for enforcing PCI DSS, issued guidelines on tokenization. It recommended tokenization be used to supplement, not replace, the data security standards. While this guidance has yet to be added to the official PCI DSS, Qualified Security Assessors accept tokenization as a viable solution to meet requirements under the standard.
CONCLUSION
In Citi’s quest to become our customers’ always-on financial partner, we are looking to deliver simpler, better, faster, and consistently excellent experiences across channels that fit seamlessly into their lives. As our customers continue to adopt digital payment offerings, tokenization plays a key part in increasing convenience and providing a frictionless, simple experience. We know the concept of what makes a “bank” is changing. Whatever shape the future takes, new technologies cannot be ignored – nor can we hesitate when faced with new customer demands. Citi is embracing the opportunity and responsibility to use the power of new technologies to benefit our customers across the globe.