Webinar ‐ Tokenization 101

René M. Pelegero Retail Payments Global Consulting Group L.L.C

December 15th, 2014

Webinar Overview

– A description of tokenization and how the technology is being employed in the payments space
– Agenda

  • What is tokenization?
  • What is NOT tokenization?
  • Tokenization in payments
  • Card scheme tokenization and Apple Pay
  • Tokenization issues

History of Tokens

– Token Definition

  • Tōkən/noun
  • A thing serving as a visible or tangible representation of a fact, quality, feeling, etc.
  • A voucher that can be exchanged for goods or services, typically one given as a gift or offered as part of a promotional offer.

Tokens in the Digital World

– Replace sensitive data elements to protect them from exposure

  • An HR number instead of SSN as the primary access key to an employee database

  • An Address ID to identify a full address

– Have no business meaning

  • Cannot be used to derive the original value
  • Do not have to change as the underlying value changes

Tokenization Is Not

– Encryption
– EMV
– NFC
– Host Card Emulation (HCE)

Tokenization is NOT Encryption

However, tokens are often encrypted

Encryption 101

Tokenization is NOT EMV

– Europay, MasterCard, Visa (EMV)

  • Founded in 1999 to define the specifications of chip‐based payment instruments
  • Presently six member organizations
    – American Express
    – Discover
    – JCB
    – MasterCard (merged with Europay in 2002)
    – Union Pay
    – Visa

– EMV name used to describe chip‐based bankcards
– Tapped by members to define tokenization standards

  • Version 1.0 of tokenization published in March 2014

Tokenization is NOT NFC

– Near Field Communications (NFC)

  • NFC is a set of standards for smart phones and similar devices to establish radio communication with each other over very short ranges

– Different implementations

  • Embedded in mobile phone
  • SIM based
  • Removable SE (SD Card)

– NFC in Payments

  • NFC chip includes a Secure Element
  • Stores information in a secure manner
  • It is controlled by telephone carrier (MNO) or phone manufacturer

Tokenization is NOT HCE

– Host Card Emulation (HCE)

  • Card number stored in host rather than Secure Element
  • Solves the MNO control, provisioning and associated expense issues

Putting It All Together

– Tokens can be…

  • Defined by the EMVCo specification or by any proprietary standard but have nothing to do with standards for EMV chip cards
  • Stored in NFC’s Secure Element or a Host in the Cloud
  • Can be stored encrypted or in the clear

– Tokens can be exchanged…

  • Between devices using NFC, HCE, or any other technology
  • Generally in an encrypted manner

Use of Tokens in the Payments Industry

– Tokens replace bankcard numbers at different points in the process

  • Tokens reduce card vulnerabilities
  • Tokens reduce PCI compliance burdens

– Tokens can be generated in multiple places

  • Merchant Generated Tokens
  • Acquirer/Processors Generated Tokens
  • Network Generated Tokens

Merchant Generated Tokens

– Merchant generates token when card number is first entered into merchant system
– Token database is kept behind firewalls and out of public access (e.g. cc‐motel, Fluffy, Card Vault, etc.)
– All further activity for customer only uses the token, not the card number
– Token is converted to actual card number when it is time to authorize payment
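
The merchant-generated flow above, as an added Python example (not from the webinar): the token is drawn from the OS random source rather than computed from the card number, the mapping lives only in the vault, and a reissued card keeps its token. `TokenVault` and its methods are hypothetical names, the dictionaries stand in for the firewalled token database, and rejecting Luhn-valid tokens is an added design choice so a token cannot pass as a real card number.

```python
import secrets

def luhn_valid(number: str) -> bool:
    """Luhn checksum test that real card numbers satisfy."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

class TokenVault:
    """In-memory stand-in for the merchant's token database (hypothetical)."""

    def __init__(self):
        self._pan_by_token = {}  # token -> card number; the mapping exists only here
        self._token_by_pan = {}  # card number -> token; a returning card reuses its token

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a valid card number")
        if pan in self._token_by_pan:
            return self._token_by_pan[pan]
        while True:
            # Digits from the OS CSPRNG: nothing about the card number goes in.
            token = "".join(secrets.choice("0123456789") for _ in range(len(pan)))
            # Retry on a collision or on anything that could pass as a real card.
            if token not in self._pan_by_token and not luhn_valid(token):
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Called only when it is time to authorize payment."""
        return self._pan_by_token[token]

    def replace_pan(self, token: str, new_pan: str) -> None:
        """Card reissued: the token stays, only the vault entry changes."""
        del self._token_by_pan[self._pan_by_token[token]]
        self._pan_by_token[token] = new_pan
        self._token_by_pan[new_pan] = token

def demo():
    vault = TokenVault()
    token = vault.tokenize("4111111111111111")  # public test number, not a live card
    vault.replace_pan(token, "5555555555554444")  # reissue: same token, new card
    return token, vault.detokenize(token)
```

Everything outside the vault (orders, refunds, customer records) holds only the token, so a breach of those systems yields values that map to nothing without the vault itself.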

Acquirer/Processor Generated Tokens

– Card is swiped at POS and PAN, track data, and expiration date are encrypted and sent to processor data center
– Card number is decrypted and sent to issuer for authorization and to tokenization server for token assignment
– Processor returns authorization and token to merchant who proceeds to store only the token
– Settlement, refunds, adjustments, chargebacks, etc. use the token number, not the card number

Network Generated Tokens

– Similar to Acquirer/Processor generated tokens but the token is generated, stored, and maintained as a paid service by the card networks

  • Visa Token Service
  • MasterCard Digital Enablement Service
  • American Express Token Service

– Based on a standard published by EMVCo in March 2014

Card Scheme Tokenization Services

– Visa waiving all fees until the end of 2015
– Amex has not released fees yet
– MasterCard Digital Enablement Services (DES)

  • Issuers
    – Digital Enablement Service Lifecycle Management 10¢ per PAN
    – Digitization fee of 50¢ when provisioning a token to a device
  • Acquirers
    – Digital Enablement fee of 0.01% for select CNP transactions

Apple Pay Tokenization

– How it works ‐ Registration/Enrollment

  • Apple Pay “app” sends card number to issuing bank through Visa or MasterCard
  • Issuing bank approves card number to be tokenized
  • Visa or MasterCard “tokenize” the card number and send token back to app
  • Apple Pay “provisions” (i.e. stores) token onto Secure Element (SE) in iPhone, “binding” it to a unique device (DAN)

Apple Pay Tokenization

– How it works ‐ Purchases

  • Consumer “taps” on POS device (using Touch ID to authenticate the user)
  • iPhone transmits DAN to POS plus a one time code number
  • POS sends DAN to Acquirer who sends to Visa or MasterCard
  • Visa or MasterCard translates token back to the original card number and sends it to issuer (after ensuring that the token came from the “proper” device)
  • Issuer approves or declines transaction as normal

Tokenization Benefits

– Reduced attractiveness of mass data breaches
– Reduced scope of PCI DSS
– Increased security of mobile payments
– Increased perception of security by consumers

General Tokenization Issues

– Token generation

  • How random is random?
  • Can true “isolation” be achieved?

– Token availability

  • Database management
    – Availability, backup, and restore
  • Interoperability
    – Routing debit transactions
    – Conflict with current loyalty schemes

– Token safety

  • Token DB protection

Visa and MasterCard Tokenization Issues

– Compatibility with existing services

  • Visa Token Service, MasterCard Digital Enablement Service, American Express Token Service vs.
  • First Data TransArmor, TSYS Guardian Tokenization, Bell ID Tokenization Manager, etc.

– Compatibility with other standard schemes

  • Secure Remote Payment Council
  • Accredited Standards Committee X9 Inc.
  • International Standards Organization (ISO)

– Operational Issues

  • GUI and Customer Service
  • Recurring payments
  • Chargebacks, refunds, and investigations

Tokenization Services Strategic Issues

– Open Standards

  • Tokenization as an Open Standard ‐ Is EMVCo the right “home” for tokenization standards?

– Control

  • Visa and MasterCard control the data and access to funding account
    – “Those of us that participate in the token infrastructure can make decisions on who you want to give access to, whether you want to charge for it and things like that.” Visa CEO Charles Scharf, Bank of America Merrill Lynch 2014 Banking & Financial Services Conference

– Conflict With Durbin Routing

  • Accounts with debit cards tokenized by Visa and MasterCard can only be accessed by merchants through Visa and MasterCard

Tokenization Summary

– Tokenization is the concept of substituting sensitive data with meaningless values
– Tokenization is being used by merchants, acquirers, processors, and now card schemes to help reduce vulnerabilities of cards
– Visa, MasterCard, and Amex have introduced tokenization standards that give them control over access and data and which will be provided for a fee to issuers and acquirers
– A number of significant issues related to tokenization have to be addressed and resolved by the payments industry
