Tokenization: A Fraud-free Payments Landscape in the Making

Abstract

Banks are under pressure to meet customers' demands for convenient and frictionless digital payments. At the same time, they are required to ensure the security and safety of such transactions; an effective tokenization solution is fast emerging as the answer. There are various approaches to implementing a tokenization solution, depending on the diverse payment offerings of banks and the extent of their participation in the larger ecosystem. This paper describes the considerations, impacts, and implications of build and buy approaches to implementing tokenization solutions.
Tokenization: What is in it for Banks?

An effective tokenization solution will enable banks to ensure the safe and secure conduct of payment transactions in any context of money movement or commerce. With new payment form factors, channels, and payment models driven by open APIs, and real-time payment schemes driving payment initiatives, tokenization is no longer restricted to card payments. By removing sensitive data from the transaction process, tokenization leaves fraudsters with no sensitive transaction data to misuse. With increasing regulatory focus on consumer protection, the potential use cases and business models for tokenized account-based instant payments will increase. An effective tokenization solution will help banks acquire the agility needed to leverage new payment form factors and allow customers to make secure payments, in turn unlocking exponential value for banks.

Implementation Approaches and Models

Depending on their size and scope of operations, banks may choose to maintain all the tokenization components in-house, opt for a combination of outsourcing and in-house operations, or outsource the complete process. For example, large banks may choose to manage all the tokenization elements such as issuance, storage, transaction processing, and even risk authorization services in-house, while mid-sized players may restrict themselves to building risk authorization services. Small banks, on the other hand, may collaborate with a strategic partner for the complete solution. Implementation models vary across the industry, with three standard variants:

- On-premise tokenization: managed within the financial institution's IT infrastructure, delivering a high degree of security but with significant overheads
- Hybrid: a mix of on-premise and outsourced components for niche use cases, but with longer time-to-market
- Cloud-based APIs for as-a-service models: outsourced to service providers outside the institution's IT infrastructure, but with limited flexibility and control

In our view, cloud-based tokenization services will become dominant in the next few months and transcend well beyond the cards segment.
They will facilitate overlay services on faster payment networks, enhancing convenience and creating exponential value for customers through social commerce and Internet of Things (IoT) enabled payments. Non-financial use cases such as the use of tokens for loyalty coupons abound, and multiple providers will grab the opportunity to offer such services.

Key Considerations for Building a Tokenization Solution

Tokenization is a secure and cost-effective alternative to data encryption, as it minimizes application-level changes and reduces the potential for data exposure. Some key aspects that must be considered while building tokenization solutions include:

- Flexibility to support varied formats, keeping in mind the sensitive data the tokens will need to handle. Tokens must be able to adapt to additional format constraints; for example, tokenization of credit card numbers may require the actual last four digits of the number to be retained in the token.
- Synchronization services to ensure data recovery and data availability in applications that use token services, through periodic replication, as servers may be distributed across different data centers.
- Architecture: appropriate design to ensure superior performance, increased scalability, and higher security. Tokenization and de-tokenization services should be available through APIs to enable integration of new applications and support secure data exchange.
- Authentication: bi-directional authentication for all applications prior to servicing requests, to verify that the connection was started with a trusted certificate from an approved application and to validate the user who issues a request.
- Encryption of the sensitive data for storage in the token database. When a de-tokenization request is made, the original sensitive data should be erased immediately from temporary memory, and the log files should record only the last four (or X) digits of the original data for tracking purposes.
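As an added illustration of the considerations above (constructed here, not the paper's or any vendor's code): a minimal vault that issues random digit-only tokens retaining the real last four digits, keeps the PAN encrypted at rest, records only the last four digits in its audit log, and distinguishes single-use tokens with an expiry from multi-use ones, the capability the "Define solution capabilities" step later asks banks to decide on. It assumes the HMAC-based sealing stands in for the AEAD or HSM a production vault would use, and that bi-directional TLS authentication of callers happens in front of this class.

```python
import hashlib, hmac, secrets, time
from dataclasses import dataclass

@dataclass
class VaultEntry:
    sealed_pan: bytes    # PAN encrypted at rest; plaintext is never stored
    last4: str           # the only PAN digits that may appear in logs
    single_use: bool
    expires_at: float    # enforced for single-use tokens only
    spent: bool = False

class TokenVault:
    def __init__(self, key: bytes, single_use_ttl: float = 300.0):
        self._key, self._ttl = key, single_use_ttl
        self._store: dict[str, VaultEntry] = {}
        self.audit_log: list[str] = []

    # At rest: HMAC-SHA256 keystream plus tag, a stand-in for the AES-GCM or HSM a real vault uses.
    def _seal(self, pan: str) -> bytes:
        nonce = secrets.token_bytes(16)
        stream = hmac.new(self._key, b"enc" + nonce, hashlib.sha256).digest()
        body = bytes(a ^ b for a, b in zip(pan.encode(), stream))
        return nonce + body + hmac.new(self._key, b"mac" + nonce + body, hashlib.sha256).digest()

    def _open(self, blob: bytes) -> str:
        nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
        expect = hmac.new(self._key, b"mac" + nonce + body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expect):
            raise ValueError("vault record tampered")
        stream = hmac.new(self._key, b"enc" + nonce, hashlib.sha256).digest()
        return bytes(a ^ b for a, b in zip(body, stream)).decode()

    def tokenize(self, pan: str, single_use: bool = False) -> str:
        if not (13 <= len(pan) <= 19 and pan.isdigit()):
            raise ValueError("PAN must be 13 to 19 digits")
        last4 = pan[-4:]
        while True:  # format-preserving: digits only, same length, real last four retained
            token = "".join(secrets.choice("0123456789") for _ in pan[:-4]) + last4
            if token != pan and token not in self._store:
                break
        self._store[token] = VaultEntry(self._seal(pan), last4, single_use, time.time() + self._ttl)
        self.audit_log.append(f"tokenize last4={last4} single_use={single_use}")
        return token

    def detokenize(self, token: str) -> str:
        entry = self._store.get(token)
        if entry is None or (entry.single_use and (entry.spent or time.time() > entry.expires_at)):
            raise PermissionError("token unknown, already spent, or expired")
        entry.spent = True
        self.audit_log.append(f"detokenize last4={entry.last4}")
        return self._open(entry.sealed_pan)
```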
Putting it all Together: Approach to Implementation

Before embarking on implementation, banks must ensure a clear understanding of the existing state, analyze the business requirements, conduct system analysis, and identify possible use cases.

- Requirements gathering: Identify the key capabilities required, including but not limited to PCI DSS compliance, data security, and encryption, and the various use cases for which the tokenization solution can be leveraged.
- System analysis: Analyze and map the systems that store and access sensitive data (platform, database, and application configurations), and identify the processing dependencies between upstream and downstream applications.
- Application-specific requirements: Identify the specific requirements mandatory for integrating the tokenization solution with other systems, the database platform to be used, the languages to be used for writing applications, the authentication methods, and the APIs to be developed to facilitate data exchange between applications.
- Define solution capabilities: Based on an analysis of how the credential data is to be used by different applications, assess whether single- or multi-use tokens are required. Also, determine the expiry timelines for single-use tokens and check whether multi-use tokens can be used for different transaction contexts such as in-store purchase, ecommerce, or peer-to-peer (P2P) money transfer.
- Implementation options: Based on business requirements, use cases, analysis of the application systems within the payment processing platform, and application integration requirements, decide whether to build and deploy the solution in-house or, after a well-rounded analysis, choose one of the various solutions available in the market. Banks that choose to use a third-party solution must also decide whether to host it on-premise or partner with a service provider.

Several third-party tokenization solutions are available in the market. Some of the top players in this space are Gemalto, TokenEx, Hosted PCI, Thales eSecurity, SafeNet Tokenization, Vaultive, Inc., and Spreedly.
These solutions are cloud-compatible and can provide both vault and vaultless token services. Banks looking at third-party tokenization solutions must conduct a proof-of-concept (PoC) to ensure that the chosen product meets compatibility and fulfilment requirements for key features. Typically, a tokenization solution must meet the following requirements:

- Integration with identity and access management systems to ensure verification and control of users who place tokenization and de-tokenization requests
- A token server with embedded data store encryption, key management services, transaction monitoring, secured communications, and verification of de-tokenization requests
- Scalability across geographies and products to provide the same level of service performance despite increased volume and variety of data
- Quick response to new token requests, eliminating delays in fulfilling tokenization and de-tokenization requests
- Support for multiple token vaults (MS SQL, Oracle, MySQL), API services for token-service-consuming entities, and vendor token server failover capabilities

Making the Right Choice: Build or Buy?

Banks will need to take multiple considerations into account while deciding whether to build the solution in-house or opt for a third-party solution. Table 1 depicts a high-level comparison of both options across some key parameters.

Table 1: Build versus Buy Comparison for Tokenization Solution Implementation
Based on an evaluation of specific requirements such as a preference for single- or multi-use tokens or different token formats, organizations will need to decide whether to build or buy the solution. Building the solution in-house will reduce the long-term costs of token operations and provide the flexibility required to customize the solution. Moreover, it will also give banks an opportunity to white-label the solution to their partners. However, in-house development will take longer to roll out and entail a higher initial investment. As depicted in Table 1, each option comes with its own set of strengths and weaknesses. Banks must make a choice based on an assessment of their critical parameters and strategic objectives.

The Bottom Line

The proliferation of digital payments has been one of the most prominent outcomes of the digital revolution. However, this has increased the onus on banks to ensure secure and safe customer payments, underscoring the need for a holistic tokenization strategy. Moreover, meeting rising customer expectations in digital payments will require banks to leverage extended partner ecosystems and offer overlay services, which will help create exponential value for customers as well as businesses. However, a robust tokenization solution is a prerequisite to offering overlay services, and banks would do well to incorporate tokenization into their digital payment strategies.
About the Author

Debasis Thakur

Debasis Thakur is a Senior Payments Consultant with the Cards and Payments group within TCS' Banking, Financial Services, and Insurance (BFSI) business unit. He has over 20 years of experience in working with global banking clients in the areas of business development and solution design, focusing on cards and payments. Thakur has anchored several transformational projects for TCS' clients the world over, and is currently focusing on innovations in the digital payments space to help global financial institutions reimagine their payment processes.

Contact

Visit the Banking & Financial Services page on www.tcs.com
Email: bfs.marketing@tcs.com
Blog: Drive Governance

Subscribe to TCS White Papers
TCS.com RSS: http://www.tcs.com/rss_feeds/pages/feed.aspx?f=w
Feedburner: http://feeds2.feedburner.com/tcswhitepapers

About Tata Consultancy Services Ltd (TCS)

Tata Consultancy Services is an IT services, consulting and business solutions organization that delivers real results to global business, ensuring a level of certainty no other firm can match. TCS offers a consulting-led, integrated portfolio of IT and IT-enabled, infrastructure, engineering and assurance services. This is delivered through its unique Global Network Delivery Model (TM), recognized as the benchmark of excellence in software development. A part of the Tata Group, India's largest industrial conglomerate, TCS has a global footprint and is listed on the National Stock Exchange and Bombay Stock Exchange in India. For more information, visit us at www.tcs.com

All content / information present here is the exclusive property of Tata Consultancy Services Limited (TCS). The content / information contained here is correct at the time of publishing. No material from here may be copied, modified, reproduced, republished, uploaded, transmitted, posted or distributed in any form without prior written permission from TCS. Unauthorized use of the content / information appearing here may violate copyright, trademark and other applicable laws, and could result in criminal or civil penalties.
Copyright 2018 Tata Consultancy Services Limited