FAQ
Tokenization: FAQs & General Information

BACKGROUND

As technology evolves, consumers are increasingly making their purchases online or through mobile devices and digital wallet applications, and their payment card information may be saved online for more efficiency in future check-out experiences. In response, the industry has moved to support payment form factors that provide increased protection against counterfeiting, account misuse and other forms of fraud. With criminals inventing new ways to steal customer information, it is more important than ever for financial institutions, merchants and payment brands to ensure consumer security.

While EMV chip cards provide substantial protection for card-present transactions, a similar need exists to minimize unauthorized use of cardholder account data and to reduce cross-channel fraud for card-not-present transactions, as well as in emerging transaction environments that combine elements of card-present and card-not-present transactions. One such way is through the use of payment token numbers.

GENERAL INFORMATION

What is Tokenization?

Tokenization is a method for protecting card data by substituting a card's Primary Account Number (PAN) with a unique, randomly generated sequence of numbers. This token can be reversed to its true associated PAN value by the service provider who initially created the token. Tokens can be either single- or multi-use. The number is the same length and format as the original PAN; it is no different from a standard payment card number in the virtual eyes of back-end transaction processing systems, applications and storage tools. The random token sequence acts as a substitute value for the actual PAN while the data is at rest inside an issuer's or retailer's systems. Tokenization eliminates the need for merchants, e-commerce sites and operators of mobile wallets to store sensitive payment card data on their networks.
Payment Tokenization allows a consumer to register a payment card with a mobile wallet or online store and replace the actual card number with a payment token number used for that merchant or wallet vendor.

What are the benefits of payment Tokenization for the issuer and cardholder?

For the cardholder, Tokenization provides a digital user experience offering:
- Data security: the payment token number is meaningless to anyone except the issuer and payment brand, and it can only be used with the registered mobile device or online merchant with whom the consumer registered.
- Simplified purchasing experience for consumers by largely eliminating the need to enter and re-enter the account number when shopping on a consumer-controlled mobile device
- Reduced proliferation of account numbers for both e-commerce and m-commerce

Issuers benefit from:
- Data security
- Enhanced cardholder experience
- Global standard and interoperability helps reduce data protection requirements for the payment brand and its participants
- New POS payment protocol support (i.e., NFC, QR code, other)
- Increased transparency of transactions from alternative payment providers
- Simplified payment process for the cardholder
- Improved transaction approval levels, and reduced risk of subsequent fraud in the event of a data breach in which payment tokens are exposed instead of PANs
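The definition above, as an added sketch that is not TSYS's or any payment brand's code: a toy vault issues a random token of the same length as the PAN, binds it to one merchant or wallet, and is the only place where the token can be mapped back. The token prefix `999999`, the domain names, the class and function names and the use of the Luhn check as the format rule back-end systems apply are assumptions made for illustration.

```python
import secrets

TOKEN_BIN = "999999"  # constructed placeholder prefix, not a real token BIN range


def luhn_check_digit(body: str) -> str:
    """Return the digit that makes body + digit pass the Luhn test."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:  # these positions are doubled once the check digit is appended
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str(-total % 10)


def luhn_valid(number: str) -> bool:
    return number.isdigit() and len(number) > 1 and luhn_check_digit(number[:-1]) == number[-1]


class TokenVault:
    """Toy service provider: the only holder of the token-to-PAN mapping."""

    def __init__(self):
        self._by_token = {}  # token -> (pan, domain)
        self._by_pair = {}   # (pan, domain) -> token, so the token is multi-use

    def tokenize(self, pan: str, domain: str) -> str:
        if not (13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("PAN fails basic validation")
        if (pan, domain) in self._by_pair:
            return self._by_pair[(pan, domain)]
        free = len(pan) - len(TOKEN_BIN) - 1  # random digits between prefix and check digit
        while True:
            body = TOKEN_BIN + "".join(secrets.choice("0123456789") for _ in range(free))
            token = body + luhn_check_digit(body)
            if token != pan and token not in self._by_token:
                break
        self._by_token[token] = (pan, domain)
        self._by_pair[(pan, domain)] = token
        return token

    def detokenize(self, token: str, domain: str) -> str:
        pan, bound = self._by_token.get(token, (None, None))
        if pan is None or bound != domain:
            raise PermissionError("unknown token or token used outside its domain")
        return pan


if __name__ == "__main__":
    vault = TokenVault()
    pan = "4111111111111111"  # constructed sample: a widely used test number
    token = vault.tokenize(pan, "merchant-a")
    print(token, luhn_valid(token), len(token) == len(pan))
    print(vault.detokenize(token, "merchant-a") == pan)
    try:
        vault.detokenize(token, "wallet-b")  # same token presented from another domain
    except PermissionError as exc:
        print("rejected:", exc)
```

A merchant database holding only such tokens contains nothing that maps back to a PAN without the vault, and a token lifted from one merchant is refused when presented from any other domain.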
How does Tokenization benefit the merchant?

A token is stored in the merchant environment in place of the primary account number, making it possible for a merchant to process follow-up transactions without having to store customers' account data in the clear:
- Tokens remove the need for merchants to retain PANs in card data environment.
- Tokens cannot be used by an unauthorized party to conduct fraudulent transactions.
- Tokens match the format of the initiating PAN.
- Tokens do not overlap major brands. Visa, MasterCard and American Express are using different BIN ranges for Tokenization that look exactly like their PANs today. Visa and MasterCard will be using BINs within their existing range today.
- Tokens are card-based, meaning a merchant will always get the same token back for a specific PAN.
- Tokens share the last four digits with the corresponding PAN.
- A payment token can be used freely by systems and applications within a merchant environment.
- Where payment Tokenization is properly implemented, merchants can limit the storage of cardholder data to within the Tokenization system, and can simplify an entity's assessment against PCI DSS standards.
- Acquirers and merchants may experience a reduced threat of online attacks and data breaches, as payment token databases are less appealing targets given their limitation to a specific domain (i.e., online, NFC, QR Code).
- Acquirers and merchants may also benefit from the higher assurance levels that payment tokens offer.
- Merchants can use Tokenization to facilitate on-demand, subscription or recurring transactions.
- Decreased shopping cart abandonment rates.

How does payment Tokenization affect the consumer experience?

The consumer has greater peace of mind with enhanced security measures, and he or she also benefits from a more efficient shopping experience. For instance: The card number and other details a consumer uses during enrollment can be taken by a wallet provider and passed securely to the payment brand.
The Token Service Provider then switches the physical card number for a completely different payment token number with a new expiration date. The payment token, not the consumer's card number, is stored securely in the phone's wallet. The payment token can only be used with the associated device. Similarly, whenever a consumer uses NFC at a merchant, the payment token is used in the transaction. If a criminal compromises the merchant, the data is completely unusable.

The consumer can also use payment Tokenization in e-commerce or m-commerce scenarios. When the consumer associates their payment card with an e-commerce merchant using payment Tokenization, they receive a new payment token number to be used solely with that particular e-commerce merchant. When the consumer shops online with that merchant, the payment token is the only data being passed to the merchant's site. Just as in the in-store example above, if a criminal hacked the e-commerce site and accessed the consumer's information, the hacker would find the information completely useless.

Why is Tokenization needed today?

Over the past few years, broad proliferation of card-on-file models, both Remote and Proximity, has created an industry need to produce and use tokens. Some examples:
- Card-on-File Merchant: Merchant uses tokens in lieu of PANs in card-on-file database
- Digital Wallet: Branded Digital Wallet presents "Pay with Wallet" in front of card on file
- QR and Bar Code: QR or Bar Code supplier puts a Bar Code in front of card on file
- NFC and Chip: Account number in NFC or chip device
These new business models and use cases for card-on-file transactions create several issues:
- Emerging Payment models within the current industry infrastructure result in the lack of full visibility into transaction data.
- Reduced security with the card credentials passed through new channels and form factors
- Challenges in ownership of customer service and post-transaction issues/dispute resolution

What is the difference between Tokenization and encryption?

Tokenization protects data at rest, while encryption protects data in motion. Other differences between tokenization and encryption are outlined in the table below:

Performance (1)
  Tokenization: Centralized model with good performance in data center, assuming a robust back-end. Network latency is a performance consideration.
  Encryption: Distributed model with excellent performance.
Data portability
  Tokenization: Data must be de-tokenized to be exported outside of customer-controlled domain.
  Encryption: Key can be exported to allow encrypted data to be exported.
Off-line use
  Tokenization: Requires connection to token server, or distributed token servers.
  Encryption: Locally cached keys permit offline use.
Operational impacts
  Tokenization: Can customize token to reduce or eliminate operational impacts.
  Encryption: Format of encrypted elements cannot be defined.
Deployment impacts
  Tokenization: Low. Only applications capturing or using the PAN need to be changed. No DB/file changes needed.
  Encryption: Moderate. All applications capturing or using the PAN, plus *all* applications where the expansion of the PAN impacts other fields.

(1) Applies to a typical, smaller sizes. Source: RSA Data Tokenization Server with Encryption.

What is the difference between a token and a single-use or virtual account?

Tokenized accounts, single-use accounts and virtual accounts are similar in that each masks the original PAN. However, each differs in use case as well as how it translates back to that PAN behind the scenes. A single-use account number is typically used once for a specific purchase and changed for each transaction.
There are also other forms of virtual accounts or ghost accounts that can be used for more than one purchase or transaction. Usually the financial institution or processor owns the conversion of the single use/virtual account to the PAN. Tokenized accounts can be used for multiple purchases, and can be restricted in how they are used with a specific merchant, device, transaction or category of transactions. Token purchases go through the Network Service with the card brands for conversion to the PAN.

How is payment Tokenization affecting the payments ecosystem?

Technology is changing the way we deal with payments. As the table below highlights, there are a number of differences in how the payments ecosystem deals with plastic and non-plastics in the market.

How is the credential created and transmitted to the storage location?
  With Plastics: Create a 16-digit PAN, personalize plastic
  Beyond Plastics: Create token, transmit to consumers' devices
Where and how is the credential stored?
  With Plastics: EMV, mag stripe, card-on-file system
  Beyond Plastics: Mobile device, card-on-file system
How is the credential used to create a payment transaction?
  With Plastics: Swipe, dip or tap plastic
  Beyond Plastics: Tap device, QR reader, encrypted stream

Regardless of how the payment token is created, stored, or used, the token must be compatible with the existing payment processing ecosystem. The industry recognizes two new entities for payment tokenization, as indicated in the following table.
Entities: Cardholder; Card Acceptor; Acquirer; Network (Visa, MasterCard, American Express); Token Requestor; Token Service Provider
Description: Consumer-enrolled issuer / network; Merchant-enrolled acquirer / network; Financial Institution / Processor; Financial Institution / Processor; Card network / Processor; Enrolled entity requesting tokens; Authorized entity providing tokens

TOKEN STANDARD

What standards are in place to guide the industry for Tokenization?

On March 11, 2014, EMVCo (Visa, MasterCard, American Express, JCB, Discover and UnionPay) published the first guide covering industry specifications for Tokenization, titled "EMV Tokenization Payment Tokenization Specifications." The specifications deal with the required technical architecture of the Tokenization standard for securing online payments using tokens via consumer-controlled mobile devices.

Current payment token standards include:
- Tokens will meet ISO standards (13- to 19-character numeric length) to support payment processing within the existing ecosystem.
- There is no conflict with an issuer-assigned PAN, and tokens are generated from a separate BIN.
- Token BIN/PAN ranges reflect the product attributes, such as debit or signature.
- Payment tokens must pass basic validation rules of an account number while reinforcing interoperability.
- All tokens are mapped and associated with an underlying PAN that is sent in authorization to the issuer.
- Tokens are accepted, processed and routed based on the ecosystem (i.e., merchants, acquirers, processors, networks and issuers).

What are the token-related fields that TSYS is supporting?

TSYS clients can refer to the TSYS Enterprise Tokenization Manual on Docline for this information.

How are token decisions made?

Token approvals for requesting card accounts will not always be granted. Issuers will be able to evaluate each token request based on numerous risk parameters in place at the time.
Generally, this results in one of the following outcomes:
- Successfully approve to generate and issue an active token
- Decline the request to issue the token
- Conditionally approve, requiring additional cardholder authentication before going to the decline

If additional cardholder authentication is required, issuers have the option to perform additional Identification and Verification (ID&V) checks (i.e., one-time password (OTP) or knowledge-based authentication (KBA)) with the consumer to decide whether the card qualifies to be tokenized.

What does the payment token request process look like?

The illustration below highlights the process of a Payment Token Request:

[Illustration: Payment Token Request. Labels: PAN, ID&V, Token Requestor, Token, Token Vault, Token Evaluation Request]
Step 1: The Token Requestor sends a cardholder PAN to the token vault (i.e., a request).
Step 2: The issuer performs ID&V and passes those results to the vault. This is known as binding. This completes the payment token registration. ID&V ensures that the payment token is replacing a PAN that was legitimately being used by the Token Requestor. ID&V is performed each time a payment token is requested.
Step 3: As part of the Payment Token Evaluation Request Process, the Token Vault alerts the issuer that Identification and Verification (ID&V) is needed.
Step 4: The Token Vault passes the registered payment token to the Token Requestor, completing the payment token request.

The illustration below demonstrates the Payment Token Transaction Authorization process:

[Illustration: Payment Token Transaction Authorization. Labels: Merchant, Acquirer, Token Service, Token, PAN+Token, Authorization Request, Authorization Response]

Step 1: The cardholder initiates a purchase with a payment token, which then passes through the merchant acquirer as if it were a PAN.
Step 2: The payment token is de-tokenized into a PAN by the Token Service Provider (TSP).
Step 3: The PAN and token are sent to the issuer, which makes an authorisation decision.
Step 4: The issuer sends the PAN and authorisation response back to the TSP.
Step 5: The TSP re-tokenizes the PAN.
Step 6: The TSP sends the PAN and authorisation response through the acquirer to the merchant.

WHAT TSYS IS DOING IN TOKENIZATION

Is TSYS ready for Tokenization from a compliance standpoint?

Yes. TSYS is supporting the mandates issued by the payment brands relating to Tokenization processing. Additionally, TSYS is reviewing the EMVCo proposed token standards.
There are currently several pieces of compliance information available on Docline that our clients can access: XMLM Enhancements Changes to FCS and WCSA Screens and Reports to Support the Visa Payment Token Standard Compliance Release 14.1 North America Adding Fields to the Authorization Log to Support the Payment Token Standard

Is TSYS supporting the Network Token On Behalf Of (OBO) Services?

Yes. TSYS Enterprise Tokenization(SM) is a plug-and-play solution specifically designed to secure payment card information for Mobile use cases, whether those are through digital wallets or In-App transactions. POS and online purchases remain unchanged as they are today with no token. It is our belief that Tokenization via the digital/mobile wallet will be the catalyst that fuels mobile payment growth and proliferation because both the consumer's and the merchant's data are more secure. TSYS Tokenization solution is designed for compatibility with various mobile offerings. As cardholders begin to shift to mobile payments, we recommend that you provide the highest protection available.
The initial TSYS Tokenization solution includes the following products and services:
- Brand Enrollment and Configuration to manage issuer enrollment with digital wallets (i.e. Apple Pay) and Network Services, including both Service Administration and Risk Management set-up. This service is not available for our International clients at this time.
- Transaction Processing to on-board clients to the platform and process token authorizations across TSYS systems and applications
- Call Center Management for existing TSYS Managed Services clients to administrate tokens and tokenized cardholder accounts

[Illustration: TSYS Tokenization products and services, in three panels]
Brand Enrollment and Configuration (Service Administration: Enrollment, Configuration): As part of the set up, TSYS will do the enrollment on behalf of the issuer (Enablement model to be confirmed with the schemes). Issuer must identify BINs, provide card art and sign the wallet provider agreement.
Transaction Processing (Token Operations: Authorisation/Clearing/Settlement, Exceptions, Fraud/Risk, Value-Add Apps): Implementation: Configuration management, authorisation logs, fraud & risk, testing. Processing: Provisioning authorization requests, account verification, tapped transaction & e-commerce.
Call Center Management (Token Administration: Lifecycle Management): Implementation: Configuration management, authorisation logs, fraud & risk, testing. Processing: Provisioning authorization requests, account verification, tapped transaction & e-commerce. This service is not available to International clients at this time.

TSYS recognizes that continued investment and development is required to support Tokenization as a global standard. Further development is under way to support Tokenization beyond the U.S. and the U.K., and will be communicated in the future.

What steps do I need to take to begin offering Tokenization to my cardholders?

1. Determine your digital payments strategy. TSYS is available to assist you in this process.
2. Build and educate your team; research the requirements.
Contact TSYS to receive the initial Product Documentation that includes our Implementation Overview with a questionnaire and pricing.
3. For Apple Pay specifically, engage TSYS to formally begin the process of enrolling with the networks, processing transactions and readying your call center representatives to receive inquiries related to tokenized transactions and accounts.

More detail on each of the steps above can be found in our published best practices document, located on

Who is eligible to offer Apple Pay?

Apple Pay is now available to U.S. and U.K. issuers on the Consumer platforms. TSYS is waiting for Apple and the brands to finalize the rollout dates for commercial portfolios and other regions, and we will be able to determine eligibility or implementation dates shortly thereafter. Contact your account manager for updates.

When will Tokenization be available for the rest of North America and other International Locations?

TSYS is working now to make our service available to our Canadian clients to accommodate other digital wallets that may be available in the near future. Apple has not specified a date for Apple Pay (Tokenization) to be available to the rest of North America or wider European deployment.
What about Commercial, Debit, Prepaid, the rest of North America and other International Locations?

We are evaluating other card types, platforms and regions based on both client demand and changes in the industry. Contact your TSYS account manager or relationship representative to discuss your specific needs, and we will share additional details as our plans and long-term roadmaps develop.

Is my small business portfolio eligible?

If your small business customers are on the Consumer credit platform, they could be included. However, current use cases are consumer-focused. This service is BIN-driven. Check with your TSYS account manager or sales representative to verify availability.

Will we need to re-issue cards in order to offer this product to our cardholders?

No. Adding Apple Pay or any other digital wallet does not have any impact on your issued cards.

What is unique about the TSYS Tokenization Solution?

TSYS is able to utilize the OBO services provided by the payment brands and combine the results with account data, using issuer-defined rules and parameters to process transactions. TSYS is also preparing to enhance reporting capabilities associated with token authorizations through TSYS Analytics.

I know there are other digital wallets available in the market. Can TSYS process transactions for those providers as well as Apple?

TSYS is working to enable Tokenization for all issuers through any digital wallet or payment application provider as they are available in your market.

Who should I contact at Apple to begin discussions on offering Apple Pay?

Contacting Apple is not necessary for each issuer. All activities for enablement with Apple will be managed through a combination of TSYS and the payment brands. In the enrollment process, you will need to accept the non-negotiable Terms and Conditions of Apple.

To learn more, contact your sales representative or account manager at +1.706.649.2307, +44 1904 562 000 or visit us at.
2015 Total System Services, Inc. All rights reserved worldwide. Total System Services, Inc., and TSYS are federally registered service marks of Total System Services, Inc., in the United States. Total System Services, Inc., and its affiliates own a number of service marks that are registered in the United States and in other countries. All other products and company names are trademarks of their respective companies. (06/2015)