Webinar Tokenization 101

Size: px

Start display at page:

Download "Webinar Tokenization 101"

Susan McDaniel
6 years ago
Views:

1 Webinar Tokenization 101 René M. Pelegero Retail Payments Global Consulting Group L.L.C December 15 th, 2014

2 Webinar Overview A description of tokenization and how the technology is being employed in the payments space Agenda What is tokenization? What is NOT tokenization? Tokenization in payments Card scheme tokenization and Apple Pay Tokenization issues 2

3 History of Tokens Token Definition Tōkən/noun A thing serving as a visible or tangible representation of a fact, quality, feeling, etc. A voucher that can be exchanged for goods or services, typically one given as a gift or offered as part of a promotional offer. 3

Tokens in the Digital World Replace sensitive data elements to protect them from exposure An HR number instead of SSN as the primary access key to an employee

4 Tokens in the Digital World Replace sensitive data elements to protect them from exposure An HR number instead of SSN as the primary access key to an employee database An Address ID to identify a full address Have no business meaning Cannot be used to derive the original value Do not have to change as the underlying value changes 4

5 Tokenization Is Not Encryption EMV NFC Host Card Emulation (HCE) 5

6 Tokenization is NOT Encryption However, tokens are often encrypted 6

7 Encryption 101 7

8 Tokenization is NOT EMV Europay, MasterCard, Visa (EMV) Founded in 1999 to define the specifications of chip based payment instruments Presently six member organizations American Express Discover JCB MasterCard (merged with Europay in 2002) Union Pay Visa EMV name used to describe chip based bankcards Tapped by members to define tokenization standards Version 1.0 of tokenization published in March

implementations Embedded in mobile phone SIM based Removable SE (SD Card) NFC in Payments NFC chip

9 Tokenization is NOT NFC Near Field Communications (NFC) NFC is a set of standards for smart phones and similar devices to establish radio communication with each over very short ranges Different implementations Embedded in mobile phone SIM based Removable SE (SD Card) NFC in Payments NFC chip includes a Secure Element Stores information in a secure manner It is controlled by telephone carrier (MNO) or phone manufacturer 9

10 Tokenization is NOT HCE Host Card Emulation (HCE) Card number stored in host rather than Secure Element Solves the MNO control, provisioning and associated expense issues 10

Putting It All Together Tokens can be Defined by the EMVCo specification or by any proprietary standard but have nothing to do with standards for EMV chip cards Stored in NFC s Secure

11 Putting It All Together Tokens can be Defined by the EMVCo specification or by any proprietary standard but have nothing to do with standards for EMV chip cards Stored in NFC s Secure Element or a Host in the Cloud Can be stored encrypted or in the clear Tokens can be exchanged Between devices using NFC, HCE, or any other technology Generally in an encrypted manner 11

Use of Tokens in the Payments Industry Tokens replace bankcard numbers at different points in the process Tokens reduce card vulnerabilities Tokens reduce

12 Use of Tokens in the Payments Industry Tokens replace bankcard numbers at different points in the process Tokens reduce card vulnerabilities Tokens reduce PCI compliance burdens Tokens can be generated in multiple places Merchant Generated Tokens Acquirer/Processors Generated Tokens Network Generated Tokens 12

Merchant Generated Tokens Merchant generates token when card number is first entered into merchant system Token database behind firewalls and public access (e.g. cc motel, Fluffy, Card Vault, etc.

13 Merchant Generated Tokens Merchant generates token when card number is first entered into merchant system Token database behind firewalls and public access (e.g. cc motel, Fluffy, Card Vault, etc.) All further activity for customer only uses the token, not the card number Token is converted to actual card number when it is time to authorize payment 13

Acquirer/Processor Generated Tokens Card is swiped at POS and PAN, track data, and expiration date are encrypted and sent to processor data center Card number is decrypted and sent to issuer for

14 Acquirer/Processor Generated Tokens Card is swiped at POS and PAN, track data, and expiration date are encrypted and sent to processor data center Card number is decrypted and sent to issuer for authorization and to tokenization server for token assignment Processor returns authorization and token to merchant who proceeds to store only the token Settlement, refunds, adjustments, chargebacks, etc. use the token number, not the card number 14

15 Network Generated Tokens Similar to Acquirer/Processor generated tokens but the token is generated, stored, and maintained as a paid service by the card networks Visa Token Service MasterCard Digital Enablement Service American Express Token Service Based on a standard published by EMVCo in March

Card Scheme Tokenization Services Visa waving all fees until the end of 2015 Amex has not releases fees yet MasterCard Digital Enablement Services (DES) Issuers Digital

16 Card Scheme Tokenization Services Visa waving all fees until the end of 2015 Amex has not releases fees yet MasterCard Digital Enablement Services (DES) Issuers Digital Enablement Service Lifecycle Management 10 per PAN Digitation fee of 50 when provisioning a token to a device Acquirers Digital Enablement fee of 0.01% for select CNP transactions 16

17 Apple Pay Tokenization How it works Registration/Enrollment Apple Pay app sends card number to issuing bank through Visa or MasterCard Issuing bank approves card number to be tokenized Visa or MasterCard tokenize the card number and sends token back to app Apple Pay provisions (i.e. stores) token onto Secure Element (SE) in iphone binding it to a unique device (DAN) 17

Apple Pay Tokenization How it works Purchases Consumer taps on POS device (using Touch ID to authenticate the user) iphone transmits DAN to POS plus a one time code number POS sends DAN to Acquirer

18 Apple Pay Tokenization How it works Purchases Consumer taps on POS device (using Touch ID to authenticate the user) iphone transmits DAN to POS plus a one time code number POS sends DAN to Acquirer who sends to Visa or MasterCard Visa or MasterCard translate token back to the original card number and sends it to issuer (after insuring that the token came from the proper device) Issuer approves or declines transaction as normal 18

19 Tokenization Benefits Reduce attractiveness of mass data breaches Reduced scope of PCI DSS Increased security of mobile payments Increased perception of security by consumers 19

20 General Tokenization Issues Token generation How random is random? Can true isolation be achieved Token availability Database management Availability, backup, and restore Interoperability Routing debit transactions Conflict with current loyalty schemes Token safety Token DB protection 20

Visa and MasterCard Tokenization Issues Compatibility with existing services Visa Token Service, MasterCard Digital Enablement Service, American Express Token Service vs.

21 Visa and MasterCard Tokenization Issues Compatibility with existing services Visa Token Service, MasterCard Digital Enablement Service, American Express Token Service vs. First Data Transarmour, TSYS Guardian Tokenization, Bell ID Tokenization Manager, etc. Compatibility with other standard schemes Secure Remote Payment Council Accredited Standards Committee X9 Inc. International Standards Organization (ISO) Operational Issues GUI and Customer Service Recurring payments Chargebacks, refunds, and investigations 21

22 Tokenization Services Strategic Issues Open Standards Tokenization as an Open Standard Is EMVCo the right home for tokenization standards? Control Visa and MasterCard control the data and access to funding account Those of us that participate in the token infrastructure can make decisions on who you want to give access to, whether you want to charge for it and things like that. Visa CEO Charles Scharf, Bank of America Merrill Lynch 2014 Banking & Financial Services Conference Conflict With Durbin Routing Accounts with debit cards tokenized by Visa and MasterCard can only be accessed by merchants through Visa and MasterCard 22

Tokenization Summary Tokenization is the concept of substituting sensitive data with meaningless values Tokenization is being used by merchants, acquirers, processors, and now card schemes to help

23 Tokenization Summary Tokenization is the concept of substituting sensitive data with meaningless values Tokenization is being used by merchants, acquirers, processors, and now card schemes to help reduce vulnerabilities of cards Visa, MasterCard, and Amex have introduced tokenization standards that gives them control over access and data and which will be provided for a fee to issuers and acquirers A number of significant issues related to tokenization have to be addressed and resolved by the payments industry 23

24 24

PCI DSS 3.2 AWARENESS NOVEMBER 2017

PCI DSS 3.2 AWARENESS NOVEMBER 2017 1 AGENDA PCI STANDARD OVERVIEW PAYMENT ENVIRONMENT 2ACTORS PCI ROLES AND RESPONSIBILITIES MERCHANTS COMPLIANCE PROGRAM PCI DSS 3.2 REQUIREMENTS 2 PCI STANDARD OVERVIEW