Webinar Tokenization 101 Ren M. Pelegero Retail Payments Global - PowerPoint PPT Presentation

Webinar ‐ Tokenization 101 René M. Pelegero Retail Payments Global Consulting Group L.L.C December 15 th , 2014

Webinar Overview – A description of tokenization and how the technology is being employed in the payments space – Agenda • What is tokenization? • What is NOT tokenization? • Tokenization in payments • Card scheme tokenization and Apple Pay • Tokenization issues 2

History of Tokens – Token Definition • Tōkən/noun • A thing serving as a visible or tangible representation of a fact, quality, feeling, etc. • A voucher that can be exchanged for goods or services, typically one given as a gift or offered as part of a promotional offer. 3

Tokens in the Digital World – Replace sensitive data elements to protect them from exposure • An HR number instead of SSN as the primary access key to an employee database • An Address ID to identify a full address – Have no business meaning • Cannot be used to derive the original value • Do not have to change as the underlying value changes 4

Tokenization Is Not – Encryption – EMV – NFC – Host Card Emulation (HCE) 5

Tokenization is NOT Encryption However, tokens are often encrypted 6

Encryption 101 7

Tokenization is NOT EMV – Europay, MasterCard, Visa (EMV) • Founded in 1999 to define the specifications of chip‐based payment instruments • Presently six member organizations – American Express – Discover – JCB – MasterCard (merged with Europay in 2002) – Union Pay – Visa – EMV name used to describe chip‐based bankcards – Tapped by members to define tokenization standards • Version 1.0 of tokenization published in March 2014 8

Tokenization is NOT NFC – Near Field Communications (NFC) • NFC is a set of standards for smart phones and similar devices to establish radio communication with each over very short ranges – Different implementations • Embedded in mobile phone • SIM based • Removable SE (SD Card) – NFC in Payments • NFC chip includes a Secure Element • Stores information in a secure manner • It is controlled by telephone carrier (MNO) or phone manufacturer 9

Tokenization is NOT HCE – Host Card Emulation (HCE) • Card number stored in host rather than Secure Element • Solves the MNO control, provisioning and associated expense issues 10

Putting It All Together – Tokens can be… • Defined by the EMVCo specification or by any proprietary standard but have nothing to do with standards for EMV chip cards • Stored in NFC’s Secure Element or a Host in the Cloud • Can be stored encrypted or in the clear – Tokens can be exchanged… • Between devices using NFC, HCE, or any other technology • Generally in an encrypted manner 11

Use of Tokens in the Payments Industry – Tokens replace bankcard numbers at different points in the process • Tokens reduce card vulnerabilities • Tokens reduce PCI compliance burdens – Tokens can be generated in multiple places • Merchant Generated Tokens • Acquirer/Processors Generated Tokens • Network Generated Tokens 12

Merchant Generated Tokens – Merchant generates token when card number is first entered into merchant system – Token database behind firewalls and public access (e.g. cc‐motel, Fluffy, Card Vault, etc.) – All further activity for customer only uses the token, not the card number – Token is converted to actual card number when it is time to authorize payment 13

Acquirer/Processor Generated Tokens – Card is swiped at POS and PAN, track data, and expiration date are encrypted and sent to processor data center – Card number is decrypted and sent to issuer for authorization and to tokenization server for token assignment – Processor returns authorization and token to merchant who proceeds to store only the token – Settlement, refunds, adjustments, chargebacks, etc. use the token number, not the card number 14

Network Generated Tokens – Similar to Acquirer/Processor generated tokens but the token is generated, stored, and maintained as a paid service by the card networks • Visa Token Service • MasterCard Digital Enablement Service • American Express Token Service – Based on a standard published by EMVCo in March 2014 15

Card Scheme Tokenization Services – Visa waving all fees until the end of 2015 – Amex has not releases fees yet – MasterCard Digital Enablement Services (DES) • Issuers – Digital Enablement Service Lifecycle Management 10¢ per PAN – Digitation fee of 50¢ when provisioning a token to a device • Acquirers – Digital Enablement fee of 0.01% for select CNP transactions 16

Apple Pay Tokenization – How it works ‐ Registration/Enrollment • Apple Pay “app” sends card number to issuing bank through Visa or MasterCard • Issuing bank approves card number to be tokenized • Visa or MasterCard “tokenize” the card number and sends token back to app • Apple Pay “provisions” (i.e. stores) token onto Secure Element (SE) in iPhone “binding” it to a unique device (DAN) 17

Apple Pay Tokenization – How it works ‐ Purchases • Consumer “taps” on POS device (using Touch ID to authenticate the user) • iPhone transmits DAN to POS plus a one time code number • POS sends DAN to Acquirer who sends to Visa or MasterCard • Visa or MasterCard translate token back to the original card number and sends it to issuer (after insuring that the token came from the “proper” device) • Issuer approves or declines transaction as normal 18

Tokenization Benefits – Reduce attractiveness of mass data breaches – Reduced scope of PCI DSS – Increased security of mobile payments – Increased perception of security by consumers 19

General Tokenization Issues – Token generation • How random is random? • Can true “isolation” be achieved – Token availability • Database management – Availability, backup, and restore • Interoperability – Routing debit transactions – Conflict with current loyalty schemes – Token safety • Token DB protection 20

Visa and MasterCard Tokenization Issues – Compatibility with existing services • Visa Token Service, MasterCard Digital Enablement Service, American Express Token Service vs. • First Data Transarmour, TSYS Guardian Tokenization, Bell ID Tokenization Manager, etc. – Compatibility with other standard schemes • Secure Remote Payment Council • Accredited Standards Committee X9 Inc. • International Standards Organization (ISO) – Operational Issues • GUI and Customer Service • Recurring payments • Chargebacks, refunds, and investigations 21

Tokenization Services Strategic Issues – Open Standards • Tokenization as an Open Standard ‐ Is EMVCo the right “home” for tokenization standards? – Control • Visa and MasterCard control the data and access to funding account – “ Those of us that participate in the token infrastructure can make decisions on who you want to give access to, whether you want to charge for it and things like that .” Visa CEO Charles Scharf, Bank of America Merrill Lynch 2014 Banking & Financial Services Conference – Conflict With Durbin Routing • Accounts with debit cards tokenized by Visa and MasterCard can only be accessed by merchants through Visa and MasterCard 22

Tokenization Summary – Tokenization is the concept of substituting sensitive data with meaningless values – Tokenization is being used by merchants, acquirers, processors, and now card schemes to help reduce vulnerabilities of cards – Visa, MasterCard, and Amex have introduced tokenization standards that gives them control over access and data and which will be provided for a fee to issuers and acquirers – A number of significant issues related to tokenization have to be addressed and resolved by the payments industry 23

24