White-box Cryptography: The Future of Payment Tokenisation

POSTED BY Jordan Rookes

What is White-box Cryptography?

Because hardware implementations vary too much for hardware-based keys to be relied upon in all situations, white-box cryptography has become one of many elements in the greater mobile payment security model.
White-box cryptography refers to cryptographic implementations built on the assumption that hostile actors have access to all aspects of the cryptographic process and have control over the execution platform and the software implementation itself. While tokenisation provides ‘over the air’ payment credential security, white-box cryptography is used to protect cryptographic operations and data, and is commonly associated with securing contactless payments with NFC.

Security of IoT Payment Devices Still a Concern

This security model includes a combination of white-box cryptography, tokenisation and other hardening techniques such as anti-tampering capabilities. This is representative of the increasing complexity of processing and securing mobile devices from the actions of malicious actors.
However, it must be noted that, due to the growing diversity of IoT devices, this security model is unlikely to be applicable to every device, as the presence of these cryptographic chips cannot be guaranteed. That said, continual innovations within the IoT industry mean that suitable alternatives are likely to exist within the next few years which could further heighten security for IoT payment devices.

The PCI SPoC standard sets out eight primary requirements that any organisation implementing white-box cryptography for mobile payments must comply with. This adds further complexity to the process of adding white-box cryptography for mobile use, meaning that specialist tools will be required to successfully manage the process.
By the very nature of white-box cryptography, the encryption key and algorithm are inextricably interlinked, so that the key cannot be identified while the algorithm is being used. Whilst this provides strong security, altering the encryption key poses a significant challenge, especially as mobile devices are changeable objects.

► Payment Tokenisation Market Research

Our latest research found:
  • The total volume of tokenised payment transactions will surpass 1 trillion by 2026, rising from 680 million in 2022, representing absolute growth of 58% over the next 4 years.
  • It attributed this growth to the rise of ‘one-click’ solutions, such as Click-to-Pay, that use card-on-file tokenisation to store a customer’s payment credentials, enabling them to auto-fill their checkout details and complete transactions via a single click.
  • Tokenisation growth is being driven by increasing adoption of one-click solutions by merchants within eCommerce to reduce friction, and by card networks, who are encouraging mass adoption of tokenisation at the network level to improve payment approval rates.
  • The volume of tokenised online and mobile eCommerce transactions is anticipated to grow by 74% by 2026. This growth is driven by the increasing customer expectation of a frictionless checkout experience, which one-click solutions via tokenisation offer.
  • IoT payments offer the largest growth amongst the tokenisation market over the next five years, with tokenised IoT transactions expected to reach 19 billion by 2027; growing 400% from just 3.8 billion in 2022. Tokenisation is critical in facilitating IoT payments; enabling transactions to be made via new use cases and form factors, unlocking new revenue opportunities for payment providers.