.svg)
Visa has launched a new tool that aims to prevent token provisioning fraud, a type of fraud that has grown alongside the use of virtual cards and digital wallets.
Known as "Visa Provisioning Intelligence" (VPI), the solution uses machine learning to rate the likelihood of fraud when a token provisioning request is initiated.
James Mirfin, SVP and global head of risk and identity solutions at Visa, said that although tokenisation is one of the ”most secure” ways to transact, its weak point is the provision of the token itself.
“We are seeing fraudsters use social engineering and other scams to illegitimately provision tokens,” he said.
“With VPI, we are leveraging Visa’s vast network and data insights to help clients detect and prevent provisioning fraud before it happens."
In 2022, according to Visa’s internal data, losses to token provisioning fraud reached an estimated $450m worldwide.
How fraudsters hijack tokens
Token provisioning takes place when a cardholder links their card to a digital wallet, such as Google Pay, Apple Pay or Samsung Pay.
If the provisioning request is approved, a token is generated that links to the card and the device.
The token is then used in place of the card number (PAN) for future purchases, thus increasing security by limiting the exposure and use of the real PAN.
However, if a card is stolen or its details are hacked, the token can be fraudulently obtained through a digital wallet provider.
If a token provisioning fraud is successful, the fraudster may be able to make multiple transactions using the victim’s token.
This is because, following what looks like a legitimate authentication of the token request, issuers and merchants may perform less rigorous fraud monitoring on each transaction.
From one to 99: A fraud probability indicator
VPI offers card issuers a real-time fraud propensity score for each token provision request. Requests are scored between one (indicating the lowest probability of fraud) and 99 (indicating the highest probability of fraud).
To generate each probability, VPI uses a machine learning model to identify patterns in past token requests across device, e-commerce and card-on-file token metrics.
The tool aims to help issuers detect token provisioning fraud attempts and decline requests before fraud occurs.
By ensuring that token provisioning requests are legitimate, Visa can also reduce subsequent fraudulent transactions and maintain trust in its network.
“In an age where most of our financial lives exist digitally, Visa remains focused on providing clients with advanced technologies to ensure customer data is protected wherever transactions take place,” the company said.
Mastercard publishes best practice for issuers
Mastercard has also highlighted the threat of token provisioning fraud. In correspondence with issuers, Mastercard published a list of best-practice tips for when a token provisioning request is initiated.
For example, card issuers are advised to decline any request with a CVC2 security code mismatch, and make use of additional authentication, such as an activation code sent to the cardholder’s device.
Issuers are also advised to set up velocity checks that can track behaviour patterns linking devices, IP addresses and card PANs.
If a customer — or an imposter — calls the issuer regarding a token provisioning request, issuers are advised to train their representatives in how to spot social engineering and phishing attempts.
“Stopping fraudsters before they transact is the ultimate solution for digital wallet security,” said Mastercard.
“This will ensure that tokenisation continues to grow and keep its status as the most secure and robust tool against digital pickpockets.”
