Viewpoint: What’s Next for Tokens?
By David Worthington, Bell ID
U.S.-based issuers of early payment industry tokenization initiatives had limited (or no) deployment options, since the services only were offered by the payment networks. Now, however, many issuers want to exercise more control by bringing some or even all of the tokenization process in-house, or hosting it with a trusted third-party service provider. This strategic imperative could help drive the future of tokenization.
Tokenization involves replacing a cardholders’ primary account number (PAN)—effectively the number on the front of their debit or credit card—with a similarly formatted token. These tokens, often incorporating EMV mechanisms to make individual transactions unique and secure, can only be used in a specific token domain, such as a single merchant’s Web store or NFC transactions. By reducing the exposure of any successful data breach to a minimal domain—e.g., just one merchant—the value of attacking the token is significantly reduced.
Meanwhile, existing risk and fraud management techniques can be fine-tuned to monitor each token domain for suspicious transactions. If a token is suspect, lost or stolen, it can be switched off independently and then replaced, without any interruption or impact to the other tokens that have been generated for the same payment card.
Tokens therefore provide security and significantly lower risk for payments in card-not-present (CNP) environments such as e/m-commerce, mobile NFC and the Internet of Things. Issuers are therefore evaluating their long-term strategies to ensure they’re in control of their tokenization destiny, ensuring cost-effective token issuance and processing before moving to mass issuance of tokens across multiple channels and domains.
Already, significant firms have become token requestors, connecting via various token service providers (TSPs) to enable their devices or wallets to support secure tokenized payments:
- Google’s own wallet for Android smartphones, Android Pay, was released at Google I/O 2015 as a successor to Google Wallet, which was released in 2011. It also uses technology from the carrier-backed Softcard, which Google acquired in February 2015.
- Apple Pay. The service was announced at Apple’s iPhone 6 event on Sept. 9, 2014. Apple Pay is founded on an embedded secure element (eSE) to perform secured iPhone payments with support from the device’s biometrics service, Touch ID.
- Samsung Pay. Samsung’s wallet was launched in South Korea on Aug. 20, 2015. It features a bundle of technologies supporting NFC and MST (magnetic secure transmission) mobile payments.
More developments are on tap. Later in 2016, for instance, EMVCo is expected to issue the updated and expanded second version of its EMVCo EMV Payment Tokenization Specification—Technical Framework. EMVCo has brought this forward to expand the number of defined tokenization use cases, clarify some points from the original 2014 version, and add potential new implementation and data considerations.
Going forward, the expanding remit of EMVCo means that there will be tighter integration between tokenization and other EMVCo standardization across mobile and e-commerce security. This may include an expanded scope to try to catch up with alternative formats for presenting or reading tokens, such as QR codes and other mechanisms that individual payment brands and competing third parties already are considering.
For now, payment card token-based services have moved beyond the initial U.S. implementations, and while there might be some rapid rollouts in regions that will accept incumbent network TSPs as a day-one solution to get to market, there are alternative TSPs coming into play. This aligns with issuers’ differing strategic needs both in the U.S. and other areas.
Given the diversity of existing and emerging partners and service providers in the tokenization ecosystem, it’s set to be an interesting few years. The industry will adapt over time to the eventual survivors of the “wallet wars,” mobile market share changes and the ability for differing TSP models to fit with longer-term issuer needs. One thing is sure: While it is in no stakeholder’s interests for there to be millions of TSPs, there may well be hundreds. This will bring sufficient competition to ensure service pricing and quality and give issuers the choice to match their individual needs for security, ownership and levels of control while also meeting national and regional requirements for security and competition.
David Worthington joined Bell ID in 2011 to advise the company and its major clients on strategic opportunities in the application of new payments, mobile and chip technologies. He has more than 20 years in the smart card, certification authority and payments industries. He can be reached at [email protected]. The full tokenization white paper from Bell ID can be downloaded for free here.
In Viewpoints, payments professionals share their perspectives on the industry. Paybefore presents many points of view to offer readers new insights and information. The opinions expressed in Viewpoints are not necessarily those of Paybefore.
