Webinar Tokenization 101

Transcription:

Webinar Tokenization 101
René M. Pelegero
Retail Payments Global Consulting Group L.L.C
December 15th, 2014

Webinar Overview
A description of tokenization and how the technology is being employed in the payments space

Agenda
- What is tokenization?
- What is NOT tokenization?
- Tokenization in payments
- Card scheme tokenization and Apple Pay
- Tokenization issues

History of Tokens
Token Definition
Tōkən / noun
- A thing serving as a visible or tangible representation of a fact, quality, feeling, etc.
- A voucher that can be exchanged for goods or services, typically one given as a gift or offered as part of a promotional offer.

Tokens in the Digital World
- Replace sensitive data elements to protect them from exposure
  - An HR number instead of SSN as the primary access key to an employee database
  - An Address ID to identify a full address
- Have no business meaning
- Cannot be used to derive the original value
- Do not have to change as the underlying value changes

Tokenization Is Not
- Encryption
- EMV
- NFC
- Host Card Emulation (HCE)

Tokenization is NOT Encryption
- However, tokens are often encrypted

Encryption 101

Tokenization is NOT EMV
- Europay, MasterCard, Visa (EMV)
  - Founded in 1999 to define the specifications of chip-based payment instruments
  - Presently six member organizations
    - American Express
    - Discover
    - JCB
    - MasterCard (merged with Europay in 2002)
    - UnionPay
    - Visa
  - EMV name used to describe chip-based bankcards
- Tapped by members to define tokenization standards
  - Version 1.0 of tokenization published in March 2014

Tokenization is NOT NFC
- Near Field Communications (NFC)
  - NFC is a set of standards for smartphones and similar devices to establish radio communication with each other over very short ranges
  - Different implementations
    - Embedded in mobile phone
    - SIM based
    - Removable SE (SD Card)
- NFC in Payments
  - NFC chip includes a Secure Element
  - Stores information in a secure manner
  - It is controlled by telephone carrier (MNO) or phone manufacturer

Tokenization is NOT HCE
- Host Card Emulation (HCE)
  - Card number stored in host rather than Secure Element
  - Solves the MNO control, provisioning and associated expense issues

Putting It All Together
Tokens can be
- Defined by the EMVCo specification or by any proprietary standard, but have nothing to do with standards for EMV chip cards
- Stored in NFC's Secure Element or a Host in the Cloud
- Stored encrypted or in the clear
Tokens can be exchanged
- Between devices using NFC, HCE, or any other technology
- Generally in an encrypted manner

Use of Tokens in the Payments Industry
- Tokens replace bankcard numbers at different points in the process
- Tokens reduce card vulnerabilities
- Tokens reduce PCI compliance burdens
- Tokens can be generated in multiple places
  - Merchant Generated Tokens
  - Acquirer/Processor Generated Tokens
  - Network Generated Tokens

Merchant Generated Tokens
- Merchant generates token when card number is first entered into merchant system
- Token database behind firewalls and public access (e.g. cc motel, Fluffy, Card Vault, etc.)
- All further activity for customer only uses the token, not the card number
- Token is converted to actual card number when it is time to authorize payment
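The merchant-side flow above, sketched as an added example (not from the webinar): a token vault that issues a random token the first time a card number is seen, keeps the same token when the underlying card number changes, and resolves it back only at authorization time. The class and function names, the "tok_" prefix and the in-memory dictionaries are assumptions made for illustration.

```python
import secrets


class TokenVault:
    """In-memory stand-in for the merchant's token database (hypothetical)."""

    def __init__(self):
        self._pan_by_token = {}  # token -> PAN; the only place a PAN is kept
        self._token_by_pan = {}  # PAN -> token, so a card is tokenized once

    def tokenize(self, pan: str) -> str:
        """Called when the card number first enters the merchant system."""
        if pan in self._token_by_pan:
            return self._token_by_pan[pan]
        # 128 random bits from the OS CSPRNG. The token is not computed from
        # the PAN, so it has no business meaning and cannot be reversed.
        token = "tok_" + secrets.token_hex(16)
        while token in self._pan_by_token:  # collision: draw again
            token = "tok_" + secrets.token_hex(16)
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Called only when it is time to authorize payment."""
        return self._pan_by_token[token]  # KeyError for an unknown token

    def replace_pan(self, token: str, new_pan: str) -> None:
        """Card reissued: the PAN changes, the stored token does not."""
        old_pan = self._pan_by_token[token]
        del self._token_by_pan[old_pan]
        self._pan_by_token[token] = new_pan
        self._token_by_pan[new_pan] = token


def authorize(vault: TokenVault, order: dict) -> dict:
    """Build the authorization request; the PAN appears only here."""
    return {"pan": vault.detokenize(order["token"]), "amount": order["amount"]}


# Constructed sample data: a well-known test card number, not a real account.
vault = TokenVault()
order = {"customer": "c-1001", "token": vault.tokenize("4111111111111111"),
         "amount": 2500}
```

Everything outside the vault (orders, refunds, customer records) holds only the token, which is what keeps those systems away from card data.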

Acquirer/Processor Generated Tokens
- Card is swiped at POS and PAN, track data, and expiration date are encrypted and sent to processor data center
- Card number is decrypted and sent to issuer for authorization and to tokenization server for token assignment
- Processor returns authorization and token to merchant who proceeds to store only the token
- Settlement, refunds, adjustments, chargebacks, etc. use the token number, not the card number

Network Generated Tokens
- Similar to Acquirer/Processor generated tokens but the token is generated, stored, and maintained as a paid service by the card networks
  - Visa Token Service
  - MasterCard Digital Enablement Service
  - American Express Token Service
- Based on a standard published by EMVCo in March 2014

Card Scheme Tokenization Services
- Visa waiving all fees until the end of 2015
- Amex has not released fees yet
- MasterCard Digital Enablement Services (DES)
  - Issuers
    - Digital Enablement Service Lifecycle Management 10 per PAN
    - Digitization fee of 50 when provisioning a token to a device
  - Acquirers
    - Digital Enablement fee of 0.01% for select CNP transactions

Apple Pay Tokenization: How it works
Registration/Enrollment
- Apple Pay app sends card number to issuing bank through Visa or MasterCard
- Issuing bank approves card number to be tokenized
- Visa or MasterCard tokenizes the card number and sends token back to app
- Apple Pay provisions (i.e. stores) token onto Secure Element (SE) in iPhone, binding it to a unique device (DAN)

Apple Pay Tokenization: How it works
Purchases
- Consumer taps on POS device (using Touch ID to authenticate the user)
- iPhone transmits DAN to POS plus a one-time code number
- POS sends DAN to Acquirer who sends to Visa or MasterCard
- Visa or MasterCard translates token back to the original card number and sends it to issuer (after ensuring that the token came from the proper device)
- Issuer approves or declines transaction as normal
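A simplified model of the enrollment and purchase steps above, added here as an example and not taken from the webinar or from any card network's code: the network provisions a token (the DAN) with a per-device key, the device produces a one-time code for each tap, and the network returns the card number to the issuer only if the code came from the enrolled device and has not been used before. HMAC-SHA256 stands in for the real payment cryptogram, and all names are hypothetical.

```python
import hashlib
import hmac
import secrets


class TokenService:
    """Toy model of the card network's token service (hypothetical names)."""

    def __init__(self):
        self._records = {}  # token -> {"pan", "key", "last_counter"}

    def provision(self, pan: str):
        """Enrollment: issue a token and a key for the device's Secure Element."""
        token = "".join(secrets.choice("0123456789") for _ in range(16))
        while token in self._records:  # collision: draw again
            token = "".join(secrets.choice("0123456789") for _ in range(16))
        key = secrets.token_bytes(32)
        self._records[token] = {"pan": pan, "key": key, "last_counter": 0}
        return token, key

    def detokenize(self, token, counter, amount_cents, code):
        """Purchase: return the PAN for the issuer only if the code checks out."""
        rec = self._records.get(token)
        if rec is None:
            return None  # unknown token
        expected = one_time_code(rec["key"], token, counter, amount_cents)
        if not hmac.compare_digest(expected, code):
            return None  # not produced by the enrolled device for this amount
        if counter <= rec["last_counter"]:
            return None  # code already used: replay of a captured tap
        rec["last_counter"] = counter
        return rec["pan"]


def one_time_code(key: bytes, token: str, counter: int, amount_cents: int) -> str:
    """What the device computes per tap (assumption: HMAC over these fields)."""
    msg = f"{token}|{counter}|{amount_cents}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()
```

The merchant and acquirer only ever see the token and the code; a copy of either taken at the POS fails the device and replay checks on a second use.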

Tokenization Benefits
- Reduce attractiveness of mass data breaches
- Reduced scope of PCI DSS
- Increased security of mobile payments
- Increased perception of security by consumers

General Tokenization Issues
- Token generation
  - How random is random?
  - Can true isolation be achieved?
- Token availability
  - Database management
  - Availability, backup, and restore
- Interoperability
  - Routing debit transactions
  - Conflict with current loyalty schemes
- Token safety
  - Token DB protection

Visa and MasterCard Tokenization Issues
- Compatibility with existing services
  - Visa Token Service, MasterCard Digital Enablement Service, American Express Token Service vs. First Data Transarmour, TSYS Guardian Tokenization, Bell ID Tokenization Manager, etc.
- Compatibility with other standard schemes
  - Secure Remote Payment Council
  - Accredited Standards Committee X9 Inc.
  - International Standards Organization (ISO)
- Operational Issues
  - GUI and Customer Service
  - Recurring payments
  - Chargebacks, refunds, and investigations

Tokenization Services Strategic Issues
- Open Standards
  - Tokenization as an Open Standard
  - Is EMVCo the right home for tokenization standards?
- Control
  - Visa and MasterCard control the data and access to funding account
  - "Those of us that participate in the token infrastructure can make decisions on who you want to give access to, whether you want to charge for it and things like that." Visa CEO Charles Scharf, Bank of America Merrill Lynch 2014 Banking & Financial Services Conference
- Conflict With Durbin Routing
  - Accounts with debit cards tokenized by Visa and MasterCard can only be accessed by merchants through Visa and MasterCard

Tokenization Summary
- Tokenization is the concept of substituting sensitive data with meaningless values
- Tokenization is being used by merchants, acquirers, processors, and now card schemes to help reduce vulnerabilities of cards
- Visa, MasterCard, and Amex have introduced tokenization standards that give them control over access and data and which will be provided for a fee to issuers and acquirers
- A number of significant issues related to tokenization have to be addressed and resolved by the payments industry
