top of page



Secure Tokens are also known as Fobs, Hardware Tokens and RSA Tokens.

The device is a good way to ensure that the consumer is who they say they are. To use this solution you have to have the consumer and merchant participating for it to work. It requires the consumer carry a “fob” to produce the unique number and it requires the merchant to have the ability to authenticate the number the “fob” created. It is not likely that a fraudster will be able to mimic or copy the number, as they change every minute, but the device can be stolen by a fraudster.

Typically this solution is offered by a particular merchant or bank and the consumers can use it at any of the participating merchant locations. If they go outside of the supported merchant base the tool is useless and the regular fraud-prevention techniques come into play. Market adoption of this type of solution is extremely low.

Secure tokens as a fraud-prevention technique:

Don't catch true identity theft cases.

Require the consumer carry a “fob.”

Require all merchants to support the validation of the number.

Is a good method to get non-traditional e-commerce or MOTO customers to make purchases through these channels.




Alternative SolutionsSmart cards, consumer authentication

Building this In-House - N/A

Estimated Cost - Moderate

Sample Vendors - RSA


Secure tokens use a device to create a unique number to authenticate the end user. Typically these devices have been used in network security, but there are vendors now offering this type of solution for consumer authentication.

Key considerations when implementing or buying this functionality include:

  • What type of device or “fob” does the solution offer?

  • Will the device work with any other merchant site?

  • Who provides customer support if the “fob” is defective?

  • How long is the “fob” going to last?

  • Does the device use a unique PIN combined with the Fob to increase the security?


The merchant or bank issues the consumer a “fob.” This is a device the size of a key that creates a unique number every minute. These fobs come in different sizes and shapes, and you can get them as key rings or credit cards. The consumer is also issued a PIN to use with the unique number.

When the consumer is ready to make a purchase, he or she goes to a merchant that supports the technology and they chose what they want to buy and then start the check-out process. When going through the buy process, the consumer will be asked to give the PIN and the unique number generated by the fob. The merchant will likely be going to a third-party service that has an application that can match the exact number the fob will create to see if the number provided by the consumer matches or not. If it does you have authenticated the consumer, if it does not you would then reject the order or attempt another authentication technique.


If the consumer can authenticate via the secure token, then you would accept the order. If the consumer cannot authenticate, you would reject the order. If a consumer comes in that is not using the secure token you will need to have processes in place to catch fraud with these orders.

If you support this type of solution you should also set up a process to confirm a card is not supposed to be using a secure token. This will prevent you from processing an order for a consumer that had their card stolen, and is being used fraudulently.

bottom of page