Tokenization: Everything You Need to Know


Post on 11-Jul-2016






White Paper

Contents

Executive summary
1. What is tokenization?
1.1 A definition
1.2 Tokenization: a brief history
1.3 How are tokens used?
1.4 What is the aim of tokenization?
2. Different types of tokens
2.1 How can tokens be used to protect payments?
2.2 Tokenization is already here
2.3 Tokens: a step further
2.4 When tokens are a step too far
3. So who should be the token service provider (TSP)?
4. The future of tokenization
About the author
About Bell ID



Executive Summary

Tokens are used in a number of environments to replace and protect the underlying value of credentials. In the payments world, tokenization is primarily used to secure payment card data. This can be done using EMVCo Tokenization for card payment transactions, or Payment Card Industry (PCI) Tokenization for card-on-file data, which is stored in merchants' or acquirers' systems after a transaction is completed.

This white paper is primarily focused on EMVCo Tokenization, although it will also address the use of the same underlying security mechanisms and technology for use cases beyond bank payment cards. EMVCo Tokenization is already a de facto requirement for a number of card payment environments: card-on-file (at merchants); mobile near field communication (NFC) payments (any of the OEM Pays, and all forms of cloud-based payments); and, increasingly, secure remote payments in e-commerce/m-commerce. Therefore, the critical question for most issuers is not whether to tokenize, but where to tokenize. It is important to do this in the most efficient and effective way to support that issuer's short-, medium- and long-term strategic goals.


US-based issuers in the early payment industry tokenization initiatives had very limited (or no) deployment options, since their services were implemented by the payment networks. Now, however, many issuers want to regain control of their cardholder payments processing. The opportunity to deepen their understanding of cardholder transaction behavior, together with the growing number of payment channels that can be processed as separate token domains and the enhanced token controls that can now be applied to the process, are all factors that are driving issuers to establish a cost-effective token processing service before moving to significant production volumes.

Outside of the US, many issuers can strategically consider tokenization from day one. This needs to be done quickly given the accelerating pace of global mobile NFC payments rollout, the increasing frequency of data breaches at merchants and the growth in fraud rates in the rapidly expanding e/m-commerce payments

This white paper looks to inform the reader on the subject of tokenization, specifically: What is tokenization? How can it be implemented? Why is this payment solution getting so much industry attention?

For those still relatively new to tokenization, this white paper includes valuable references to help readers get to grips with the subject, including information on token service providers, token vaults and token domains.


1. What is tokenization?

1.1 A definition

The process of tokenization replaces sensitive data with surrogate values, i.e. tokens, which remove risk but preserve value to the business. These tokens are then used in place of the sensitive data throughout the channel ecosystem, or token domain, until they can be mapped back (de-tokenized), in a secure environment, to the original value, allowing any subsequent processing or reconciliation to take place.

In an EMV payments context and in simple terms, the EMVCo Payment Tokenization Specification for payment cards requires the replacement of the card's primary account number (PAN) with an alternate unique identification number, or token. To allow this token to be processed over the EMVCo stakeholders' existing payments infrastructure, the token must be formatted to look like a PAN. This enables transaction routing and satisfies legacy validation


[Figure: a PAN (0123 4567 8910 1112) alongside the token that replaces it (only the digits 5793 6589 of the token survive extraction)]


[Figure: token flow between the acquirer, the payment network and the token service provider]



A token request is generated by any third party that needs a token instead of the original card (PAN). Tokens are required for specific token domains, such as a wallet on an NFC mobile device, or a merchant replacing a card-on-file for internet purchases. The exact parameters of the token issued in response to the request depend on the domain and technology. It could, however, range from single- or limited-use, static token data, through to a fully-functional EMV payment application populated with a token PAN, token card data (expiry, etc.) and token EMV keys.

During the tokenization process, the real PAN, also known as the funding PAN or true PAN, is sent to, and stored on, a centralized and highly secure server called a token vault. This PAN is held in the token vault with information on its relationship to the one or more unique token PANs that represent it in different token domains. Whenever one of the token PANs is used for a transaction, it is identified as a token, allowing the token vault to be consulted to confirm the real PAN so that the transaction can be


1.2 Tokenization: a brief history

In late 2013 American Express, MasterCard and Visa announced their intentions to develop specifications for payment tokenization in response to increasing fraud resulting from merchant data breaches and growing e-commerce (card-not-present) concerns. The responsibility for the development and maintenance of the payment industry tokenization standards was subsequently delegated to EMVCo.

In March 2014 EMVCo released its EMV Payment Tokenization Specification Technical Framework v1.0 and, later in 2016, will issue the next version of this document as part of its increased industry responsibilities for payment standards across tokenization, mobile payments and 3D Secure 2.0.

The idea of replacing real card data with an alternate PAN or surrogate card data to deal with fraud is much older, however, and was initially introduced by several banks over a decade ago to combat growing card-not-present fraud. Under this scheme, bank cardholders could apply for a complementary virtual card to be used for e-commerce purchases, meaning their plastic card's data would not be exposed to the real and perceived dangers of the internet. Depending on the bank, these virtual card products could be single use, limited by value or expiry, or simply used until

Restricted to the e-commerce domain, and easily replaced, the payment card token was born.


1.3 How are tokens used?

A token is issued for use in a transaction within its token domain, and then passed through the card payments infrastructure until it can be de-tokenized, often by the issuer, their processor, or the (domestic or international) payment network.

Once de-tokenized, the payment authorization request is passed to the issuer's authorization system with the real PAN, plus details that the transaction originated as a tokenized payment request within a particular token domain. The authorization response is then returned to the point of origin.

[Figure: NFC payment flow through the acquirer, payment network and issuer/processor, with the token vault reached via a tokenization interface]


1.4 What is the aim of tokenization?

The process removes the real PAN information from environments where data can be vulnerable and, if stolen, used for fraudulent purposes. Tokenization quickly and completely removes the real PAN from a payment domain and replaces it with a token, while maintaining backwards compatibility with existing business

By making tokens domain-specific, secure segregation of payments data is enabled; for example, a token designated for mobile NFC payments cannot be used in place of a card-on-file token for an e-commerce merchant. This segregation allows appropriate levels of security and domain-specific risk management to be implemented separately for each domain, restricted only by that domain's limitations. So while a mobile NFC payment application would support a full EMV implementation, including the generation of transaction-specific cryptograms (a unique digital signature for each payment), the token replacing the card-on-file in an e-commerce merchant's system would simply be a token PAN with its own expiry date and verification code (equivalent to the 3-digit number usually read f
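The properties described in sections 1.1, 1.3 and 1.4 (a token that is formatted like a PAN and passes legacy Luhn validation, a vault that records the funding PAN and the domain each token is bound to, and de-tokenization that refuses a token presented outside its own domain) can be illustrated with a small, self-contained model. This is an added example, not code from the white paper, Bell ID or EMVCo; the token BIN range, the domain names, the sample PAN and the function names are assumptions constructed for the illustration.

```python
"""Illustrative token vault (added example; not Bell ID's or EMVCo's code).

Demonstrates three properties of payment tokenization:
  * a token is formatted to look like a PAN (16 digits, Luhn check digit) so it
    can travel over the existing payment infrastructure,
  * the vault records the real (funding) PAN and the token domain each token is
    bound to,
  * de-tokenization only succeeds when the token is presented in its own domain.
Token BIN range, domain names and the sample PAN are constructed for this example.
"""
import secrets
from typing import Dict, Tuple


def luhn_check_digit(partial: str) -> str:
    """Return the Luhn (ISO/IEC 7812) check digit for the digits in `partial`."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:   # every second digit, starting next to the check digit, is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    """Legacy validation that a token PAN must satisfy just like a real PAN."""
    return number.isdigit() and len(number) > 1 and luhn_check_digit(number[:-1]) == number[-1]


class TokenVault:
    """Maps token PANs to the funding PAN and the single domain each token may be used in."""

    # Constructed token BIN: a dedicated leading range lets the network recognise a PAN
    # as a token and route it to the vault. The value here is illustrative only.
    TOKEN_BIN = "999999"

    def __init__(self) -> None:
        self._tokens: Dict[str, Tuple[str, str]] = {}   # token PAN -> (real PAN, domain)

    def tokenize(self, real_pan: str, domain: str) -> str:
        """Issue a fresh, Luhn-valid, domain-bound token PAN for `real_pan`."""
        if len(real_pan) != 16 or not luhn_valid(real_pan):
            raise ValueError("funding PAN must be a 16-digit Luhn-valid number")
        while True:
            # 6-digit token BIN + 9 random digits + check digit = 16 digits, like a PAN.
            body = self.TOKEN_BIN + "".join(secrets.choice("0123456789") for _ in range(9))
            token = body + luhn_check_digit(body)
            if token not in self._tokens:   # tokens must be unique within the vault
                break
        self._tokens[token] = (real_pan, domain)
        return token

    def is_token(self, pan: str) -> bool:
        """Identify a token PAN by its token BIN, as the network does before consulting the vault."""
        return pan.startswith(self.TOKEN_BIN)

    def detokenize(self, token: str, presented_domain: str) -> str:
        """Return the funding PAN, but only if the token is used inside its own domain."""
        entry = self._tokens.get(token)
        if entry is None:
            raise LookupError("unknown token")
        real_pan, bound_domain = entry
        if presented_domain != bound_domain:
            # Domain restriction: a token issued for an NFC wallet is worthless at an
            # e-commerce merchant, and vice versa.
            raise PermissionError(f"token bound to {bound_domain!r}, presented in {presented_domain!r}")
        return real_pan


def authorize(vault: TokenVault, pan_or_token: str, domain: str) -> Dict[str, object]:
    """Simplified issuer-side handling (section 1.3): de-tokenize if needed, then hand the
    real PAN to authorization together with the fact that the request was tokenized and
    the domain it came from."""
    if vault.is_token(pan_or_token):
        real_pan = vault.detokenize(pan_or_token, domain)
        return {"pan": real_pan, "tokenized": True, "token_domain": domain}
    return {"pan": pan_or_token, "tokenized": False, "token_domain": None}


if __name__ == "__main__":
    vault = TokenVault()
    funding_pan = "4111111111111111"   # constructed, Luhn-valid test PAN
    nfc_token = vault.tokenize(funding_pan, "nfc-wallet")
    cof_token = vault.tokenize(funding_pan, "merchant-card-on-file")
    print(authorize(vault, nfc_token, "nfc-wallet"))
    try:
        authorize(vault, nfc_token, "merchant-card-on-file")
    except PermissionError as exc:
        print("blocked:", exc)
```

The same funding PAN is represented by two different tokens, one per domain, and each one only de-tokenizes in the domain it was issued for; a real vault would additionally keep the mapping in a hardware-protected store and record the token's lifecycle state, which this model omits.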

