The Internet of Things (IoT) has redefined and revolutionized the modern payments landscape. With over 20 billion connected devices expected to reach the market by 2020, device manufacturers and businesses have been quick to seek out new solutions that will allow these ‘smart’ devices to send and receive payments seamlessly. It’s all part of a much broader movement in FinTech that involves new use cases like the No-Money, No-Line Amazon Go flagship in Seattle, but the concept stretches back to the first dot-com boom when companies like PayPal aimed to move past a world of hard currency and into the digital payments space.
Cashless payments can provide huge revenue boosts to companies. Intellitex, which makes RFID-enabled payment solutions for conferences and other large events, has data showing a 15-30% increase in event revenue simply by enabling payments from attendee wristbands. There is also very robust psychological data showing that people tend to spend more the more they are removed from the actual act of handing over paper money, which is in line with lots of other psychological data on how people behave and interact online versus face-to-face. Add to that the fact that going cashless makes certain types of financial crimes much harder to pull off, and it’s easy to see why so many businesses are looking to capitalize on the new payment solutions coming to market.
But for all the data showing that cashless payments make for more revenue, making payments from IoT devices brings its own unique set of challenges. As we’ve talked about on our blog before, a lot of IoT devices aren’t developed with security in mind. Even as regulators are taking steps to standardize security protocols, consumers may still be wary of linking payment information to their ever-expanding cache of connected devices.
One solution for both device manufacturers and consumers is to outsource the payment integration aspect of a device to well-established, trusted companies with the resources and infrastructure to make sure transactions are handled smoothly and securely. That’s the concept behind Visa Ready’s push into the IoT, which gives device manufacturers the ability to handle device payments via mature technology developed by Visa’s strategic partners. It’s a kind of standing-on-the-shoulders-of-giants approach in which companies without deep expertise in payment security can implement safe tools that handle the most nuanced aspects of the process.
Tokenization: The core of cashless payments
The underlying technology of the most secure cashless payments on the Internet of Things is called tokenization, and most technologies (including Visa and tech like ApplePay) implement it under the industry-standard EMVCo payment tokenization specification. In a nutshell, tokenization works by taking something like a credit card or bank account number and replacing it with a string of randomly generated numbers called a token. The token itself is meaningless unless presented to a secure token vault, where it is matched to the actual account number in question. This means that a token can pass through wireless networks without there being danger of it being matched up to the actual PAN (Primary Account Number) of its owner.
Tokenization offers several advantages for eCommerce payments over end-to-end encryption. It’s much cheaper to implement, and while both technologies significantly reduce the exposure of PAN data, only tokenization keeps sensitive data at a single source (the secure token vault).
For example, linking a credit card to apps like ApplePay or Android Pay on a phone keeps the user’s PAN number with the card issuer, which replaces it with a payment token that becomes programmed into the phone via Apple or Google. Any third-party merchant accepting payment via the device's internal payment system (for example, another app on the phone or a brick-and-mortar store) can only ever actually see the token.
This may not seem very different to the casual consumer just looking to make a simple purchase, but it’s a big deal when you look at massive data breaches at places like Target or Home Depot. Both companies had stored data on millions of credit cards used to make purchases, and their lack of security protocols made this information visible to the hackers who gained access to their systems. Breaches like this are essentially impossible with tokenization since tokens (unlike encryption methods) aren’t mathematically reversible and do not carry any information on the ‘vault’ they correspond to. This is all matched up on the backend, which hackers at Target and Home Depot wouldn’t have seen since it lives with device manufacturers and card issuers and is only matched up via a backend process.
Tokenization is already widely implemented on the Internet of Things, and platforms like Visa are becoming a must-have for merchants and manufacturers needing to ensure an enthusiastic-yet-wary consumer base that their payment data is secure. In the future, we think we’ll see this kind of tech everywhere - cars will all pay for their own gas, phones will passively pay for groceries, and biometric measures like fingerprints and facial recognition can be integrated into existing tokenization protocols to make them even more secure.
It’s an exciting time for payments on the IoT, as we’re finally moving from thinking about life in a cashless future to actually living and working in a cashless present.