Digital Payment Solutions TSYS Enterprise : FAQs & General Information FAQ TSYS DIGITAL DIGITAL PAYMENT PAYMENTS SOLUTIONS SOLUTIONS Account Holder Experience Apple Pay 1 Android Pay 2 Samsung Pay 2 Issuer Branded *1 HCE Wallets Apple Pay Enablement (SE) Android Pay Enablement (HCE) Samsung Pay Enablement (HCE & MST) Issuer Branded HCE Wallet Enablement TSYS Enterprise TSYS Product(s) Call Center Management Professional Services * Could include proprietary third party wallets providers with whom issuers elect to partner 1 Available to U.S. and U.K. issuers only 2 Available to U.S. issuers only Transaction Processing BACKGROUND TSYS offers a full line of digital payment solutions, including technologies to enable payments for iphone, Android, Samsung, and Blackberry devices, for wallets including Apple Pay, Android Pay, Samsung Pay and issuer-branded wallets. Blue: Delivered With Green: criminals In Progress inventing new ways to steal customer information, it is more important than ever for financial institutions, merchants Orange: Under and Consideration payment brands to ensure consumer security. While EMV chip cards provide substantial protection for cardpresent Grey: Sunset transactions, a similar need exists to minimize unauthorized use of cardholder account data and to reduce crosschannel fraud for card-not-present transactions, as well as in emerging transaction environments that combine elements of card-present and card-not-present transactions. One such way is through the use of payment token numbers. GENERAL TERMS What is? is a method for protecting card data by substituting a card s Primary Account Number (PAN) with a unique, randomly generated sequence of numbers. This token can be reversed to its true associated PAN value by the service provider who initially created the token. Tokens can be either single- or multi-use. The number is the same length and format as the original PAN; it is no different from a standard payment card number in the virtual eyes of back-end transaction processing systems, applications and storage tools. The random token sequence acts as a substitute value for the actual PAN while the data is at rest inside the cardholders mobile device or retailer s systems. eliminates the need for merchants, e-commerce sites and operators of mobile wallets to store sensitive payment card data on their networks. Payment allows a consumer to register a payment card with a mobile wallet or online store and replace the actual card number with a payment token number used for that merchant or wallet vendor. What is Near Field Communication (NFC)? NFC wirelessly transmits data using radio waves. Samsung Pay uses NFC to wirelessly transmit payment information to payment terminals with NFC readers that have been activated for use. What is Magnetic Secure Transmission (MST)? MST (Magnetic Secure Transmission) is a groundbreaking technology for sending data using magnetic waves with the same card readers retailers have been using for years. It replicates a card swipe by wirelessly transmitting magnetic waves to a standard card reader, enabling virtually every card reader to receive mobile payments.
Which is more secure, MST or NFC? Actually, they both have the same level of security. Payment information transmitted by MST and NFC is protected using the same tokenization process. What is Host Card Emulation (HCE)? HCE allows payment card information that is typically transferred when a card is swiped to be stored in the cloud and transferred by a tap of the mobile device on the merchant terminal. This provides an alternative way for mobile wallet providers to store credentials other than leveraging secure element hardware embedded in the phone. GENERAL INFORMATION What are the benefits of payment for the issuer and cardholder? For the cardholder, provides a digital user experience offering: Data security the payment token number is meaningless to anyone except the issuer and payment brand, and it can only be used with the registered mobile device or online merchant with whom the consumer registered. Simplified purchasing experience for consumers by largely eliminating the need to enter and re-enter the account number when shopping on a consumer controlled mobile device Reduced proliferation of account numbers for both e-commerce and m-commerce Issuers benefit from: Data security Enhanced cardholder experience Global standard and interoperability helps reduce data protection requirements for the payment brand and its participants New POS payment protocol support (i.e., NFC, MST, other) Increased transparency of transactions from alternative payment providers Simplified payment process for the cardholder Improved transaction approval levels, and reduced risk of subsequent fraud in the event of a data breach in which payment tokens are exposed instead of PANs How does benefit the merchant? A token is stored in the merchant environment in place of the primary account number, making it possible for a merchant to process follow-up transactions, without having to store customers account data in the clear: Tokens remove the need for merchants to retain PANs in card data environment. Tokens cannot be used by an unauthorized party to conduct fraudulent transactions. Tokens match the format of the initiating PAN. Tokens do not overlap major brands. Visa, MasterCard and American Express are using different BIN ranges for that look exactly like their PANs today. Visa and MasterCard will be using BINs within their existing range today. Tokens are card-based, meaning a merchant will always get the same token back for a specific PAN. A payment token can be used freely by systems and applications within a merchant environment. Where payment is properly implemented, merchants can limit the storage of cardholder data to within the system, and can simplify an entity s assessment against PCI DSS standards. Acquirers and merchants may experience a reduced threat of online attacks and data breaches, as payment token databases are less appealing targets given their limitation to a specific domain (i.e., online, NFC, or MST). Acquirers and merchants may also benefit from the higher assurance levels that payment tokens offer. Merchants can use to facilitate on-demand, subscription or recurring transactions. Decreased shopping cart abandonment rates. How does payment affect the consumer experience? gives the consumer the ability to make purchases and payments with his or her device in a secure manner without actually interfering with the consumer experience. That is the beauty of tokenization, it provides the security and yet it is seamless to the cardholder. When tokenization is used in e-commerce or m-commerce scenarios, once the consumer associates their payment card with a merchant, they receive a new payment token number to be used solely with that particular e-commerce merchant. When the consumer shops online with that merchant, the payment token is the only data being passed to the merchant s site. Just as in the in-store example above, if a criminal hacked the e-commerce site and accessed the consumer s information, the hacker would find the information completely useless. Why is needed today? Over the past few years, broad proliferation of card-on-file models, both Remote and Proximity, has created an industry need to produce and use tokens. Some examples: These new business models and use cases for card-on-file transactions create several issues: Emerging Payment models within the current industry infrastructure result in the lack of full visibility into transaction data. Reduced security with the card credentials passed through new channels and form factors Challenges in ownership of customer service and post-transaction issues/dispute resolution 2
What is the difference between and encryption? protects data at rest, while encryption protects data in motion. Other differences between tokenization and encryption are outlined in the table below: Performance 1 Data portability Off-line use Operational impacts Deployment impacts Centralized model with good performance in data center, assuming a robust back-end. Network latency is a performance consideration. Data must be de-tokenized to be exported outside of customer-controlled domain. Requires connection to token server, or distributed token servers. Can customize token to reduce or eliminate operational impacts. Low. Only applications capturing or using the PAN need to be changed. No DB/file changes needed. encryption Distributed model with excellent performance. Key can be exported to allow encrypted data to be exported. Locally cached keys permit offline use. Format of encrypted elements cannot be defined. Moderate. All applications capturing or using the PAN, plus *all* applications where the expansion of the PAN impacts other fields. 1 Applies to a typical, smaller sizes. Source: RSA Data Server with Encryption. What is the difference between a token and a single-use or virtual accounts? Tokenized accounts, single use accounts and virtual accounts are similar in that each masks the original PAN. However, each differs in use case as well as how it translates back to that PAN behind the scenes. A single-use account number is typically used once for a specific purchase and changed for each transaction. There are also other forms of virtual accounts or ghost accounts that can be used for more than one purchase or transaction. Usually the financial institution or processor owns the conversion of the single use/virtual account to the PAN. Tokenized accounts can be used for multiple purchases, and can be restricted in how they are used with a specific merchant, device, transaction or category of transactions. Token purchases go through the Network Service with the card brands for conversion to the PAN. how is the credential created and transmitted to the storage location? where and how is the credential stored? How is payment affecting the payments ecosystem? how is the credential used to create a payment transaction? With Plastics Create a 16 or 15-digit PAN, personalize plastic EMV, mag stripe, card-on-file system Swipe, dip or tap plastic Beyond Plastics Create token, transmit to consumers devices Mobile device, card-on-file system Tap device, encrypted stream Technology is changing the way we deal with payments. As the table below highlights, there are a number of differences in how the payments ecosystem deals with plastic and non-plastics in the market. entities Cardholder Card Acceptor Issuer Acquirer Network (Visa, MasterCard, American Express) Token Requestor Token Service Provider description Consumer-enrolled issuer / network Merchant-enrolled acquirer / network Financial Institution / Processor Financial Institution / Processor Card network / Processor Enrolled entity requesting tokens Authorized entity providing tokens Regardless of how the payment token is created, stored, or used, the token must be compatible with the existing payment processing ecosystem. The industry recognizes two new entities for payment tokenization, as indicated in the following table. TOKEN STANDARD What standards are in place to guide the industry for? On March 11, 2014, EMVCo (Visa, MasterCard, American Express, JCB, Discover and UnionPay ) published the first guide covering industry specifications for Titled EMV Payment Specifications. The specifications deal with the required technical architecture of the standard for securing online payments using tokens via consumer-controlled mobile devices. 3
Current payment token standards include: Tokens will meet ISO standards (13- to 19-character numeric length) to support payment processing within the existing ecosystem. There is no conflict with an issuer-assigned PAN, and tokens are generated from a separate BIN /BIN Range. Token BIN/PAN ranges reflect the product attributes, such as debit or signature. Payment tokens must pass basic validation rules of an account number while reinforcing interoperability. All tokens are mapped and associated with an underlying PAN that is sent in authorization to the issuer. Tokens are accepted, processed and routed based on the ecosystem (i.e., merchants, acquirers, processors, networks and issuers). I ve seen several references to a new data element called Payment Account Reference (PAR) in the industry recently. Does TSYS have plans to make this available to clients? The process of replacing Primary Account Numbers or PANs with a surrogate value that is restricted to use within a specific device, merchant, transaction type or domain is called tokenization. In order to link the PAN and its corresponding tokens together, EMVCo has proposed a new data element call Payment Account Reference or PAR. This field will be alpha/numeric, will be designed so it cannot ever be used to generate a payment, and cannot be reverse engineered to obtain the PAN. PAR will enable merchants and acquirers to consistently link transactions initiated with payment tokens after the PAN has been tokenized. Issuers, acquirers and merchants will receive the PAR in transaction messages, but the consumer will not have visibility nor access to the PAR associated with their PAN nor can it be used as a consumer identifier. Through PAR, the merchant and acquiring community can link PANs and tokens to facilitate their loyalty, anti-money laundering and fraud/risk processes. Please note that while all currently defined use cases for PAR are specific to tokenization, it is possible that PAR will have use cases outside of the model. As the proposed field is not in place, and has not been approved or required by the brands; TSYS does not have definite plans at this time to implement the field. However, as an acting member active member EMVCo, we are watching its progress, will take the appropriate action when we know more. What are the token-related fields that TSYS is supporting? TSYS clients can refer to the need a link to this on Docline for this information. How are token decisions made? Token approvals for requesting card accounts will not always be granted. Issuers will be able to evaluate each token request based on numerous risk parameters in place at the time. Generally, this results in one of the following outcomes: Successfully approve to generate and issue an active token Decline the request to issue the token Conditionally approve, requiring additional step-up authentication before final approval If additional step-up authentication is required, issuers have the option to perform additional Identification and Verification (ID&V) checks (i.e., one-time password (OTP) or knowledge-based authentication (KBA) with the consumer to decide whether the card qualifies to be tokenized. What does the payment token request process look like? The illustration below highlights the process of a Payment Token Request: Step 1: The Token Requestor sends a cardholder PAN to the token vault (i.e., a request). Step 2: TSYS Enterprise performs ID&V for the issuer and passes those results to the vault. This completes the payment token registration. ID&V ensures that the payment token is replacing a PAN that was legitimately being used by the Token Requestor. ID&V is performed each time a payment token is requested. Step 3: As part of the Payment Token Evaluation Request Process, the Token Vault alerts the issuer that Identification and Verification (ID&V) is needed. Step 4: The Token Vault passes the registered payment token to the Token Requestor, completing the payment token request. 1 PAN 2 ID&V Token Requestor Token 4 Token Vault Token Evaluation Request 3 TSYS Enterprise 4 Merchant Authorization Request 1 2 3
Token Authorization 1 PAN 2 ID&V The illustration below demonstrates the Payment Token Transaction Authorization process: Step 1: The cardholder initiates a purchase with a payment token, which then passes through the merchant acquirer as if it were a PAN. Step 2: The payment token Token is de-tokenized 4 into a PAN by the Token Service Evaluation Provider Request (TSP). 3 Step Token 3: The PAN and token are sent to TSYS for the issuer, which makes an authorisation decision. Requestor Token Vault Step 4: TSYS sends the PAN and authorization response back to the TSP. Step 5: The TSP re-tokenizes the PAN. Step 6: The TSP sends the PAN and authorisation response through the TSYS acquirer to the merchant Authorization Request TSYS Enterprise Merchant 1 2 3 Token Token PAN+Token 6 Acquirer 5 4 Token Service TSYS Enterprise Authorization Response Is TSYS ready for from a compliance standpoint? Yes. TSYS supports the mandates issued by the payment brands relating to processing. TSYS ENTERPRISE TOKENIZATION Is TSYS supporting the Network Token On Behalf Of (OBO) Services? Yes. TSYS Enterprise SM is a plug-and-play solution specifically designed to secure payment card information for Mobile use cases whether those are through digital wallets or In-App transactions. POS and online purchases remain unchanged as they are today with no token. It is our belief that via the digital/mobile wallet will be the catalyst that fuels mobile payment growth and proliferation because both the consumer s and the merchant s data are more secure. TSYS Enterprise solution is designed for compatibility with various mobile offerings. As cardholders begin to shift to mobile payments, we recommend that you provide the highest protection available. Brand Enrollment and Configuration Service Administration ENROLLMENT CONFIGURATION As part of the set up, TSYS will do the enrollment on behalf of the issuer Issuer must identify BINs, provide card art and sign the appropriate agreements Availably of this service varies by region. Transaction Processing Token Operations AUTHORISATION/CLEARING/ SETTLEMENT EXCEPTIONS FRAUD/RISK VALUE-ADD APPS Implementation Configuration management, authorization logs, fraud & risk, testing Processing Provisioning authorization requests, account verification, tapped transaction & e-commerce Service provided by TSYS Managed Services Management of step-up authentication calls and activation Management of tokens through brand portals What steps do I need to take to begin offering digital or mobile payments to my cardholders? 1. Determine your digital payments strategy. TSYS is available to assist you in this process. 2. Build and educate your team; research the requirements. Contact TSYS to receive the initial Product Documentation that includes our Implementation Overview with a questionnaire and pricing. 3. Engage TSYS to formally begin the process of enrolling with the networks, processing transactions and readying your call center representatives to receive inquiries related to tokenized transactions and accounts. More detail on each of the steps above can be found in our published best practices document, located on tsys.com. Call Center Management Token Administration LIFE CYCLE MANAGEMENT TSYS recognizes that continued investment and development is required to support tokenization as a global standard. Further development is under way to support tokenization beyond the U.S. and the U.K., and will be communicated in the future. 5
Will we need to re-issue cards in order to offer this product to our cardholders? No. Offering any digital wallet to your cardholders does not have any impact on your issued cards. What is unique about the TSYS Solution? TSYS is able to utilize the OBO services provided by the payment brands and combine the results with account data, using issuer defined rules and parameters to process transactions. TSYS is also preparing to enhance reporting capabilities associated with token authorizations through TSYS Analytics. Should I contact at the wallet provider (Apple Pay, Samsung...) to begin discussions on offering their payment solution? All activities for enablement will be managed through a combination of TSYS and the payment brands. In the enrollment process, you will need to accept the non-negotiable Issuer Terms and Conditions. The initial TSYS solution includes the following products and services: Brand Enrollment and Configuration to manage issuer enrollment with digital wallets (i.e. Apple Pay) and Network Services, Availably of this service varies by region. Transaction Processing to on-board clients to the platform and process token authorizations across TSYS systems and applications Call Center Management for existing TSYS Managed Services clients to tokens and tokenized cardholder accounts TSYS recognizes that continued investment and development is required to support as a global standard. Further development is under way to support beyond the U.S. and the U.K., and will be communicated in the future. Which digital or mobile payments does TSYS support? Currently TSYS supports the following: Apple Pay Android Pay Samsung Pay Issuer-Branded Wallets If I offer more than one type of mobile payment, how can I differentiate between the transactions - Apple vs. Samsung vs. issuer-branded wallet? The wallet provider can be derived from the token requestor ID field. TSYS supports the display of the token requestor ID. Will I be able to determine which mobile payment type is tied to an account? Can one account be tied to more than one mobile wallet or payment option? Yes. An account can be tied to more than one wallet provider or token requestor. A token will be assigned for each wallet provider and device so an account could be associated to multiple tokens. TSYS supports the display of a token counter at the token requestor ID level. How do I launch multiple mobile payment brands? Will I have the same expense and implementation process? The initial token set up fee applies to one wallet regardless of the number of payment brands at launch. Set up for subsequent wallets will incur an additional wallet enablement fee per wallet. For U.S. issuers where TSYS will do the brand enrollment on the issuer s behalf, there is an enrollment fee charged per brand. DIGITAL PAYMENTS SUPPORTED BY TSYS Apple Pay Who is eligible to offer Apple Pay? Apple Pay is now available to U.S. and U.K. issuers on the Consumer platforms. TSYS is waiting for Apple and the brands to finalize the rollout dates for commercial portfolios and other regions, and we will be able to determine eligibility or implementation dates shortly thereafter. Contact your account manager for updates. *Available to Visa, MasterCard, Maestro, Interlink supported; PULSE available November 2015. When will Apple Pay be available for the rest of North America and other International locations? Apple has not specified a date for Apple Pay to be available to the rest of North America or wider European deployment. What about Commercial and Prepaid? We are evaluating other card types, platforms based on both client demand and changes in the industry. Contact your TSYS account manager or relationship manager to discuss your specific needs, and we will share additional details as our plans and long-term roadmaps develop. Is my small business portfolio eligible for Apple Pay? If your small business customers are on the Consumer Credit or Debit* platform, they could be included. However, current use cases are consumer-focused. This service is BIN-driven. Check with your TSYS account manager or sales representative to verify availability. Which Apple device supports Apple Pay? Currently Apple Pay is only available through the iphone 6, 6 +, 6S and 6S + and the Apple Watch. For more information visit the Apple website - http://www.apple.com/apple-pay/ 6
Android Pay Who is eligible to offer Android Pay? Currently, Android Pay is only available to United States issuers, TS1 and TS2, Consumer Credit and Debit* platforms. *Available to Visa, MasterCard, Maestro, Interlink supported; PULSE available November 2015. What is the difference between Google Wallet and Android Pay? Post Android Pay launch, Google Wallet and Android Pay will be two different apps. Google Wallet allows consumers to hold a wallet balance, send and receive money from friends in the United States, and use a plastic card in stores and online. Android Pay allows users to tap and pay in stores and use/redeem loyalty cards, gift cards, and offers in store. Can Android Pay be used on any Android device? No. Google tests various Android makes and models to determine which are technically ready to use Android Pay. What card data is stored on the phone? The only card data stored on a user s mobile device is the token Android Pay passes to the payment processor. This token represents a user s card and helps ensure account security because it differs from the card number it represents. How many cards can the Android Pay app store? As many as the user would like! There is no limit on the number of cards storable in the Android Pay app. How will proxy transactions work in Android Pay? For a limited time Android Pay will allow users to add a card to Android Pay that is not be supported by the card s issuer using Google s proxy tokenization service. Users will only be able to add a card using Google Proxy if they had already used that card with Google Wallet. To ensure that your cardholders cards still work if tokenized through Google proxy, please ensure that there are no risk rules around transactions with a merchant name by GOOGNFC*, as that is how Google marks proxy transactions during authorization. Are there any payment limits or restrictions imposed by Google? There is a $1,000 per card / per-day spending limit for proxy cards. Google also may restrict a card from being added to Android Pay based on the initial risk check Google performs (before an issuer makes an ID&V decision). Some networks and issuers may have additional limits on their card usage. In case of lost devices, how is Android Pay disabled? Google provides a service called Android Device Manager which allows user to find, locate and erase device if it is lost or stolen. Additionally, users can contact the issuer for cards added to Android Pay and the issuer can disable the card token. What information is being shared with Google? Google will receive minimal transaction information (e.g., transaction amount, merchant name, merchant zip code) from the network to include in the rich receipt view. What is the Android Pay Risk Engine and when is it used? Android Pay Risk Engine is a fraud prevention system used in Google Payments for a wide variety of products. The Risk Engine has been battle tested and tuned over the past many years to develop excellent fraud prevention capabilities without compromising the user experience. When the user adds a card to Android Pay, the card is first validated by the Android Pay Risk Engine. Why is Google validation is necessary? There are two reasons why Google validates cards with Android Pay Risk Engine: 1. Ecosystem safety. Google is committed to making Android Pay ecosystem safe for all participants. The best way for Google to achieve that is to check cards for fraud on Android Pay level first. The issuer will complete ID&V for fraud after it passes Android Pay Risk Engine validation. 2. Google security. Android Pay cards could be used for make Google Play Store purchases that expose Google itself to a fraud risk. The Risk Engine ensures that the card is valid and Google can safely to accept it is as a payment instrument. Does Android Pay work on smart watches? Google is working with the Android Wear but no date has been announced. What types of data does Android Pay Risk Engine use to make a decision? Android Pay Risk Engine uses multiple data points to make a decision if the card could be used for Android Pay: Account level Has the user logged in from unusual places? How long has the user had another card with the same name and ZIP on file? ZIP codes of other cards added to the account Number of cards on the account Device level Number of cards added to the device in the last 24 hours Card level Number of failed attempts to enter card number and CVV code 6
What kind of information does Google share with retailers? Google does not pass full credit and debit card information to merchants in the US they generate a virtual card and a one-time-use security code that is passed to the merchant to process each transaction. For participating merchants, they also pass any loyalty program, gift card or offers that the user has saved to Android Pay along with payment. Does Google keep track of user purchases? Where is that data stored? Purchase details are available in the Android Pay app for the cardholders reference that can be used to help keep track of purchases, and identify potentially fraudulent transactions. Samsung Pay Who is eligible to offer Samsung Pay? Currently, Samsung Pay is only available to United States issuers, TS1 and TS2, Consumer Credit and Debit* platforms. *Available to Visa, MasterCard, Maestro, Interlink supported; PULSE available November 2015. What is Samsung Pay? Samsung Pay is a safe and simple way to make mobile payments with select Samsung Galaxy phones, and it works at virtually any retailer where you can swipe your card.* What are Samsung Pay s main features? Samsung Pay allows you to use the Galaxy S6, S6 edge, and other select Samsung phones to make in-store mobile payments through the use of proprietary built-in technology. It s accepted at more places than any other mobile payment service because the technology works on new card readers as well as most of those that have been in place for years. How does Samsung Pay work? Samsung Pay uses proprietary Magnetic Secure Transmission (MST) and NFC to make contactless mobile payments. MST and NFC enable the Galaxy S6, S6 edge, S6 edge+ and Note 5 to make secure transactions at virtually every card reader where you can swipe or tap your card. Which phones will support Samsung Pay? Samsung Pay will initially launch on the Galaxy S6 and S6 Edge, and soon be available on select new phones. Please visit http://www.samsung.com/pay for a full list of compatible phones. Issuer-Branded Wallets How do I begin the process of building an issuer-branded wallet? TSYS Enterprise services are available to U.S. and U.K. clients interested in offering issuer-branded wallets. Contact account manager for more information. Who is eligible to offer an issuer-branded wallet? This technology is available to U.S. and U.K. clients on TS1 or TS2, Consumer Credit and Debit* platforms. *Available to Visa, MasterCard, Maestro, Interlink supported; PULSE available November 2015. to learn more contact your sales representative or account manager at +1.706.649.2307, +44 1904 562 000 or visit us at. twitter.com/tsys_tss facebook.com/tsys1 linkedin.com/company/tsys 2015 Total System Services, Inc.. All rights reserved worldwide. Total System Services, Inc., and TSYS are federally registered service marks of Total System Services, Inc., in the United States. Total System Services, Inc., and its affiliates own a number of service marks that are registered in the United States and in other countries. All other products and company names are trademarks of their respective companies. (11/2015)