Webinar‐ Tokenization101RenéM.Pelegero

RetailPaymentsGlobalConsultingGroupL.L.CDecember15th,2014

2

WebinarOverview

– Adescriptionoftokenizationandhowthetechnologyisbeingemployedinthepaymentsspace

– Agenda• Whatistokenization?• WhatisNOTtokenization?• Tokenizationinpayments• CardschemetokenizationandApplePay• Tokenizationissues

3

HistoryofTokens

– TokenDefinition• Tōkən/noun• A thingservingasavisibleortangiblerepresentationofafact,quality,feeling,etc.

• A voucherthatcanbeexchangedforgoodsorservices,typicallyonegivenasagiftorofferedaspartofapromotionaloffer.

4

TokensintheDigitalWorld

– Replacesensitivedataelementstoprotectthemfromexposure

• AnHRnumberinsteadofSSNastheprimaryaccesskeytoanemployeedatabase

• AnAddressIDtoidentifyafulladdress– Havenobusinessmeaning

• Cannotbeusedtoderivetheoriginalvalue• Donothavetochangeastheunderlyingvaluechanges

5

TokenizationIsNot

– Encryption

– EMV

– NFC

– HostCardEmulation(HCE)

6

TokenizationisNOTEncryption

However, tokens are often encrypted

7

Encryption101

8

TokenizationisNOTEMV

– Europay,MasterCard,Visa(EMV)• Foundedin1999todefinethespecificationsofchip‐basedpaymentinstruments

• Presentlysixmemberorganizations– AmericanExpress– Discover– JCB– MasterCard(mergedwithEuropay in2002)– UnionPay– Visa

– EMVnameusedtodescribechip‐basedbankcards– Tappedbymemberstodefinetokenizationstandards

• Version1.0oftokenizationpublishedinMarch2014

9

TokenizationisNOTNFC

– NearFieldCommunications(NFC)• NFCisasetofstandardsforsmartphonesandsimilardevicestoestablishradiocommunicationwitheachoververyshortranges

– Differentimplementations• Embeddedinmobilephone• SIMbased• RemovableSE(SDCard)

– NFCinPayments• NFCchipincludesaSecureElement• Storesinformationinasecuremanner• Itiscontrolledbytelephonecarrier(MNO)orphonemanufacturer

10

TokenizationisNOTHCE

– HostCardEmulation(HCE)• CardnumberstoredinhostratherthanSecureElement

• SolvestheMNOcontrol,provisioningandassociatedexpenseissues

11

PuttingItAllTogether

– Tokenscanbe…• DefinedbytheEMVCo specificationorbyanyproprietarystandardbuthavenothingtodowithstandardsforEMVchipcards

• StoredinNFC’sSecureElementoraHostintheCloud• Canbestoredencryptedorintheclear

– Tokenscanbeexchanged…• BetweendevicesusingNFC,HCE,oranyothertechnology

• Generallyinanencryptedmanner

12

UseofTokensinthePaymentsIndustry

– Tokensreplacebankcardnumbersatdifferentpointsintheprocess

• Tokensreducecardvulnerabilities• TokensreducePCIcomplianceburdens

– Tokenscanbegeneratedinmultipleplaces• MerchantGeneratedTokens• Acquirer/ProcessorsGeneratedTokens• NetworkGeneratedTokens

13

MerchantGeneratedTokens

– Merchantgeneratestokenwhencardnumberisfirstenteredintomerchantsystem

– Tokendatabasebehindfirewallsandpublicaccess(e.g.cc‐motel,Fluffy,CardVault,etc.)

– Allfurtheractivityforcustomeronlyusesthetoken,notthecardnumber

– Tokenisconvertedtoactualcardnumberwhenitistimetoauthorizepayment

14

Acquirer/ProcessorGeneratedTokens

– CardisswipedatPOSandPAN,trackdata,andexpirationdateareencryptedandsenttoprocessordatacenter

– Cardnumberisdecryptedandsenttoissuerforauthorizationandtotokenizationserverfortokenassignment

– Processorreturnsauthorizationandtokentomerchantwhoproceedstostoreonlythetoken

– Settlement,refunds,adjustments,chargebacks,etc.usethetokennumber,notthecardnumber

15

NetworkGeneratedTokens

– SimilartoAcquirer/Processorgeneratedtokensbutthetokenisgenerated,stored,andmaintainedasapaidservicebythecardnetworks

• VisaTokenService• MasterCardDigitalEnablementService• AmericanExpressTokenService

– BasedonastandardpublishedbyEMVCo inMarch2014

16

CardSchemeTokenizationServices

– Visawavingallfeesuntiltheendof2015– Amexhasnotreleasesfeesyet– MasterCardDigitalEnablementServices(DES)

• Issuers– DigitalEnablementServiceLifecycleManagement10¢perPAN

– Digitationfeeof50¢whenprovisioningatokentoadevice

• Acquirers– DigitalEnablementfeeof0.01%forselectCNPtransactions

17

ApplePayTokenization

– Howitworks‐ Registration/Enrollment• ApplePay“app”sendscardnumbertoissuingbankthroughVisaorMasterCard

• Issuingbankapprovescardnumbertobetokenized• VisaorMasterCard“tokenize”thecardnumberandsendstokenbacktoapp

• ApplePay“provisions”(i.e.stores)tokenontoSecureElement(SE)iniPhone“binding”ittoauniquedevice(DAN)

18

ApplePayTokenization

– Howitworks‐ Purchases• Consumer“taps”onPOSdevice(usingTouchIDtoauthenticatetheuser)

• iPhonetransmitsDANtoPOSplusaonetimecodenumber• POSsendsDANtoAcquirerwhosendstoVisaorMasterCard• VisaorMasterCardtranslatetokenbacktotheoriginalcardnumberandsendsittoissuer(afterinsuringthatthetokencamefromthe“proper”device)

• Issuerapprovesordeclinestransactionasnormal

19

TokenizationBenefits

– Reduceattractivenessofmassdatabreaches

– ReducedscopeofPCIDSS

– Increasedsecurityofmobilepayments

– Increasedperceptionofsecuritybyconsumers

20

GeneralTokenizationIssues

– Tokengeneration• Howrandomisrandom?• Cantrue“isolation”beachieved

– Tokenavailability• Databasemanagement

– Availability,backup,andrestore• Interoperability

– Routingdebittransactions– Conflictwithcurrentloyaltyschemes

– Tokensafety• TokenDBprotection

21

VisaandMasterCardTokenizationIssues

– Compatibilitywithexistingservices• VisaTokenService,MasterCardDigitalEnablementService,AmericanExpressTokenService

vs.• FirstDataTransarmour,TSYSGuardianTokenization,BellIDTokenizationManager,etc.

– Compatibilitywithotherstandardschemes• SecureRemotePaymentCouncil• AccreditedStandardsCommitteeX9Inc.• InternationalStandardsOrganization(ISO)

– OperationalIssues• GUIandCustomerService• Recurringpayments• Chargebacks,refunds,andinvestigations

22

TokenizationServicesStrategicIssues

– OpenStandards• TokenizationasanOpenStandard‐ IsEMVCo theright“home”fortokenizationstandards?

– Control• VisaandMasterCardcontrolthedataandaccesstofundingaccount– “Thoseofusthatparticipateinthetokeninfrastructurecanmakedecisionsonwhoyouwanttogiveaccessto,whetheryouwanttochargeforitandthingslikethat.”VisaCEOCharlesScharf,BankofAmericaMerrillLynch2014Banking&FinancialServicesConference

– ConflictWithDurbinRouting• AccountswithdebitcardstokenizedbyVisaandMasterCardcanonlybeaccessedbymerchantsthroughVisaandMasterCard

23

TokenizationSummary

– Tokenizationistheconceptofsubstitutingsensitivedatawithmeaninglessvalues

– Tokenizationisbeingusedbymerchants,acquirers,processors,andnowcardschemestohelpreducevulnerabilitiesofcards

– Visa,MasterCard,andAmexhaveintroducedtokenizationstandardsthatgivesthemcontroloveraccessanddataandwhichwillbeprovidedforafeetoissuersandacquirers

– Anumberofsignificantissuesrelatedtotokenizationhavetobeaddressedandresolvedbythepaymentsindustry

24