Ensuring the Safety & Security of Payments. Faster Payments Symposium August 4, 2015


Problem Statement: The proliferation of live consumer account credentials
Bank issues physical card, and the same live credential then appears at: plastic at point of sale; future: ecommerce at checkout, mobile wallet, web bill payment, mobile apps, payment aggregators.
TCH CONFIDENTIAL 2

Large scale data breaches brought payments security into the public consciousness
2014 was a bad year for credit card hacks, hitting companies in very different industries.
- Reputational impact: the combined effect of several big breaches created an environment of concern for anyone holding credit cards on file
- Financial impact: stolen credit card information has a real cost to issuers, which is typically then borne by the entity that was hacked
- Consumer impact: consumers have to update billers with new card information, which can be time consuming
Retailers, banks and consumers agreed that additional security measures are needed.

EMV and tokenization work together to create vastly greater protections against credit card fraud
EMV has been in use outside of the U.S. for decades. Tokenization is a newer concept but governed by the same organization as EMV cards, so the two efforts are cross compatible.
EMV: Protects against card-present fraud
- EMV (a.k.a. chip and PIN) secures against stolen card numbers being loaded onto a fake card and then used at a retailer
- Cryptographic protection: an EMV chip creates a dynamic cryptogram for each transaction that prevents stolen account information from being used without the presence of the correct chip
- Multi-factor: use of the chip (something you have) and PIN (something you know) prevents thieves from using stolen cards
Tokenization: Protects against card-not-present fraud
- Tokenization replaces real card account numbers with different digits, protecting cards on file with different merchants
- Tokens have limitations on use: tokens prevent fraud by limiting their use to a single merchant or mobile wallet. Steal them and they aren't useful anywhere else
- Know your customer: tokens also rely on a process known as ID&V (identification and verification) that validates the cardholder is involved in the creation request for a token

Tokenization definition and attributes
Tokenization: Substitutes a limited-use random number (secure digital token) for the customer's account numbers so that the sensitive information remains safe. Even if compromised, the token is of limited or no use to cybercriminals.
Token Vaults: Bank (or multi-bank) vaults create tokens, perform customer authentication and provision tokens to digital wallets or directories.
Typical Attributes of Payment Tokens:
- Format-preserving for legacy compatibility
- Either dynamic or static; if static, may be combined with a cryptogram
- Restricted in scope / not general purpose
- Can be used live to authorize / clear transactions
Token Components:
- Consists of 15-19 digits + expiration date
- Domain Restrictions limit the use of the token
- Cryptogram that is unique to each transaction

Major tokenization use case overview
DDA tokenization is part of the roadmap, as a fast follow to card-based payments.
Mobile:
- Mobile has been the industry focus and primary use case at this time
- Secures mobile wallets (NFC HCE, NFC SE, QR, etc.) by using a token instead of the PAN on the device
- User experience defined by the wallet provider, meeting bank ID&V and security requirements
ECommerce:
- Use cases range from traditional card on file to in-app
- User experience defined by the merchant or digital wallet provider, meeting bank ID&V and security requirements
DDA/ACH:
- Tokenized DDA account information masks transactions initiated via ACH
- EMV and card tokens could likely shift fraud to ACH
- Increased usage of ACH for one-time payments (POS, WEB) highlights risks of misuse
- Reduces breach risk of mass account-on-file databases
POS / EMV Cards (potential):
- Chip on EMV card stores a token instead of the PAN
- Enables fully tokenized POS transactions, addressing retailer breach concerns
- EMVCo evaluating the opportunity
- Assessment of residual risk post EMV rollout to determine attractiveness

Secure Token Exchange replaces live credentials with digital tokens consistent with the EMVCo framework
(Diagram: Consumer pays with a token -> Merchant -> Acquirer -> Card Networks -> Bank Issuer. The Token Service Provider, with its Token Vault, performs the token / account exchange, customer authentication (ID&V) and token provisioning. Merchant, acquirer and networks have no access to customer bank account information; the token service provider and bank issuer have access.)

Tokenization benefits all parties in the eco-system
Today:
- Sensitive account information is static
- Customers provide live bank data to retailers, wallets, alternative payment providers, aggregators and others
- Fraud risk increasing as cards upgrade to EMV, and as e-commerce and mobile grow
- Confusing and complicated process to maintain and update consumer information across multiple providers when a card is lost, stolen or expired
With Tokenization:
- Customer bank data securely held behind bank firewalls
- Consumers don't need to provide sensitive information to multiple providers
- Lower fraud potential in the event of a data breach or lost/stolen device
- Single contact point to update and maintain consumer information
- No change in consumer behavior at POS
The U.S. has the opportunity to lead the world by rolling out tokenization in conjunction with EMV to protect against card-present and card-not-present fraud.

Six Safety & Soundness Principles guide TCH token efforts
1. OPEN: Allows for different business models; fosters innovation; ensures competition among market participants (e.g., vaulting)
2. SAFE & SECURE: Protects confidential personal, financial, and transactional information within the mobile and e-commerce payments ecosystem; facilitates secure interactions
3. RESPONSIVE TO END USER AND MERCHANT NEEDS: Provides for ease of use, speed, availability, security, transparency, choice and consistency for users
4. STANDARDS-BASED: Establishes clearly defined standards; aligns with the regulatory environment and avoids overlap with existing standards; considers and respects international standards as a means of facilitating interoperability
5. SUSTAINABLE: Creates a path forward to support long-term viability; adapts over time as technology evolves; allows for economically viable business models that accelerate adoption
6. INITIAL FOCUS ON HIGH-RISK USE CASES: Mobile and e-commerce; supports exception flows and lifecycle management; supports multiple form factors (e.g., NFC, QR codes); extension to ACH/DDA-based payments

Token eco-system
The token ecosystem is comprised of the same general players as regular card transactions, with the additional roles of token requestor and token service provider.
New Entities:
- Token Vault: responsible for token creation, maintaining the token-to-PAN mapping, and performing detokenization
- Token Service Provider (TSP): the all-encompassing term that includes the functions of the token vault, but also provides application of security controls, provisioning, lifecycle management, and token requestor registry services
- Token Requestor: entity that requests to receive a token instead of using and storing real account data for payments. Can be digital wallets, merchants, or acquirers, payment gateways etc. on behalf of merchants
Existing Entities:
- Cardholder: initiates the creation of a token by adding their account into a tokenized environment such as a mobile wallet or token-enabled e-commerce merchant
- Card Issuer: financial institution that issues the payment account. Ultimately responsible for customer authentication (ID&V) and token issuance, either through their own TSP or a 3rd party
- Merchant: can act as a token requestor (e.g., card-on-file e-commerce) or simply as a recipient of a token-based transaction (e.g., Apple Pay)
- Acquirer: acquirers process all transactions as they do today, including authorization, capture, clearing and exception processing. Additional fields are required for token conveyance
- Payment Network: continues to facilitate authorization and settlement, and provides optional vault and TSP services to issuers
- Issuer Processor: receives additional token-related fields from the payment network, calls out to the TSP for detokenization, and performs ID&V on behalf of issuers

Key token related components
Tokenization uses several unique terms that are important to understand.
- Cryptogram: A transaction-unique value that is generated via an algorithm using transactional information and cryptographic keys. The cryptogram is generated by the token requestor and verified by the token service provider. The algorithm used is defined by the respective card networks.
- Domain Restriction: A set of parameters established as part of token issuance that limits token usage to a specific wallet, entry mode/channel, merchant, merchant category, and/or dollar limits and velocity of transactions.
- Identification & Verification (ID&V): Method(s) used for issuers to authenticate the end user (e.g., fingerprint on device, challenge questions, password entry, etc.).
- Token Assurance Level: A value between 0-99 assigned by the TSP using issuer-specified rules that conveys the level of confidence in the customer authentication performed during token provisioning, reflecting the type of ID&V that was performed and who performed it.

Secure Token Exchange walk-through
Token Definition: Determines token format, additional security layers and new token transaction fields.
- Token: exchanges the PAN and expiration date for format-preserving digital numbers unseen by the consumer (layout: BIN digits, then the remaining digits, then a check digit)
- Cryptogram: contains an algorithm that adds a dynamic component to the token and makes the token useless without the proper keys
Token Data Flow: Includes both provisioning and transactional data flows, which need new messages between entities.
- Provisioning flow: token request messages between wallet/merchant and TSP; ID&V level of assurance that the request is valid; token delivery messages to load the token into the wallet
- Transaction flow: cryptogram created at time of purchase; detokenization request by the network
Token Management Infrastructure: The token vault and TSP are designed to comply with the specs from the previous two stages.
- Primary functions: account (PAN) to token mapping; provisioning management; lifecycle management; domain control; cryptogram validation; eligibility check; ID&V

Token PAN and token cryptogram characteristics
Token Characteristics:
- Layout: 6 + 9 + 1 (BIN digits + digits + check digit)
- Format preserving: 16 digits for Visa and MasterCard, works with existing systems without modification
- Required fields: Token PAN; Token Expiration (which can be different from the PAN expiration)
- Token BIN: Tokens are issued from special BINs which identify the presence of a token to all parties. The token BIN contains all of the attributes of the original PAN: e.g., begins with 4 for Visa, 5 for MasterCard, indicates debit vs. credit, routing instructions, etc. Due to BIN exhaustion, networks have subdivided some BINs, changing the structure from 6+9+1 to 8+7+1, with eight digits representing the token BIN range instead of 6
Cryptogram Characteristics:
- The cryptogram is a transaction-unique value calculated at time of purchase, designed to validate authorized use of the token
- Crypto keys: each network can establish a proprietary cryptographic algorithm that uses different transactional information and requires corresponding keys
- Dynamic component: if the token itself remains static, then the cryptogram adds the dynamic component that dissuades fraud
- EMV compatible: cryptograms used for mobile payments use rules very similar to the cryptograms used in EMV card transactions
- Use case specific: cryptograms are not used in every token use case, such as lower-risk use cases
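The 6+9+1 and 8+7+1 layouts above can be built and checked in a few lines. The following is an added example, not code from the TCH deck: it prefixes a token BIN to CSPRNG-generated digits and closes the number with a Luhn check digit, which is what lets a token pass the same validation legacy systems apply to a PAN, and it shows how any party can recognise a token from its BIN range. The token BINs "499999" and "52999999" and the sample PAN are constructed placeholders, not real network ranges.

```python
import secrets


def luhn_check_digit(partial: str) -> str:
    """Return the Luhn (ISO/IEC 7812) check digit that completes `partial`.

    Walking from the right, every other digit is doubled (starting with the
    digit adjacent to where the check digit will sit) and doubled values above
    9 are reduced by 9; the check digit makes the total a multiple of 10.
    """
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    """True if the last digit is the correct Luhn check digit for the rest."""
    return number.isdigit() and len(number) >= 2 and luhn_check_digit(number[:-1]) == number[-1]


def make_token(token_bin: str, length: int = 16) -> str:
    """Build a format-preserving token: token BIN + random digits + check digit.

    A 6-digit token BIN gives the 6+9+1 layout, an 8-digit one the 8+7+1
    layout. The body comes from the OS CSPRNG, so the token carries no
    information about the PAN it will be mapped to in the vault.
    """
    if not token_bin.isdigit() or len(token_bin) not in (6, 8):
        raise ValueError("token BIN must be 6 digits (6+9+1) or 8 digits (8+7+1)")
    body_len = length - len(token_bin) - 1
    body = token_bin + "".join(str(secrets.randbelow(10)) for _ in range(body_len))
    return body + luhn_check_digit(body)


def split_token(token: str, bin_length: int) -> tuple:
    """Split a token into (token BIN, random digits, check digit)."""
    return token[:bin_length], token[bin_length:-1], token[-1]


def is_token_bin(number: str, token_bins: set) -> bool:
    """Identify the presence of a token from its BIN prefix, as every party in
    the flow can; the 8-digit range is checked before the 6-digit one."""
    return number[:8] in token_bins or number[:6] in token_bins


if __name__ == "__main__":
    # Constructed placeholder token BINs; real ranges are assigned by the networks.
    token_bins = {"499999", "52999999"}
    t6 = make_token("499999")
    t8 = make_token("52999999")
    print(t6, split_token(t6, 6), luhn_valid(t6))
    print(t8, split_token(t8, 8), luhn_valid(t8))
    print(is_token_bin(t6, token_bins), is_token_bin("4111111111111111", token_bins))
```

The check digit is the only non-random digit after the BIN, so it adds no secrecy; its job is purely format compatibility. The token's security comes from the vault mapping and the domain restrictions, not from the number itself.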

Secure Token Exchange provisioning
Provisioning: When consumers sign up for a digital wallet directly, this generates a token request that must be validated by the Issuer before a token can be used.
(Diagram: Consumer -> Token Requestor -> STE -> Issuer / Processor, and back, steps 1-6.)
Consumer -> Token Requestor: PAN, Exp. Date, CVV
Request, Token Requestor -> STE -> Issuer / Processor: Token Requestor ID; PAN, Exp. Date, CVV; Token Assurance Data; Requested TAL (O)
Response, Issuer / Processor -> STE: Eligibility Status; Additional ID&V (if applicable)
Response, STE -> Token Requestor: STE Token (if approved or pending); Eligibility Status; Token Assurance Level; Additional ID&V Method (if applicable); Card Art + Description; Terms and Conditions
Possible Eligibility Statuses:
- Approved: The token is provided to the Token Requestor in an active state
- Pending: The token is sent to the Token Requestor, but is inactive until the cardholder takes additional verification steps
- Denied: A token is not returned to the Token Requestor and the cardholder is informed to contact their financial institution for more information
Legend: Request; Response; (O) Optional Fields

Secure Token Exchange provisioning: Additional Verification
Provisioning: Issuers can use different methods of additional ID&V, including out-of-band authentication, a banking application or a 1-800 number, to resolve a pending ("yellow-path") token.
Out of Band Authentication (Token Requestor <-> STE, steps 1-7):
1. Consumer selects SMS, Email or another out-of-band method to provide additional verification
2. Token Requestor informs STE which option was chosen
3. STE generates a verification code and sends it to the device or email (alternatively, the issuer can generate the code and send it to the device)
4. Consumer enters the code
5. Token Requestor passes along the entered code
6. STE validates the code entry and sends the Token Requestor a confirmation or denial
7. Token Requestor sends device approval messages, or additional steps for the consumer to contact the Issuer
Banking Application / Call Center (Bank Application/Call Center <-> STE <-> Token Requestor, steps 1-4):
1. Consumer selects the bank application or 1-800 number to provide additional verification
2. Banking App or Call Center informs STE of the outcome of the verification challenge
3. STE informs the Digital Wallet whether the token is approved or denied
4. Token Requestor moves the token to live status if approved
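To make the two provisioning slides concrete, here is an added example (not TCH code and not any TSP's API) of the request/eligibility exchange and the out-of-band yellow path in Python. The issuer side is a stub whose "risk" field stands in for issuer-specified eligibility rules; the PANs, CVVs, token BIN "499999", the assurance-level numbers 90/20/80 and the three-attempt lockout are all constructed assumptions. Only a hash of the verification code is kept, and the code is returned from `start_out_of_band` solely so a caller can simulate delivery to the consumer's device.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed issuer records (hypothetical PANs, not real accounts).
ISSUER_ACCOUNTS = {
    "4111111111111111": {"exp": "1227", "cvv": "123", "risk": "low"},
    "4222222222222220": {"exp": "0826", "cvv": "456", "risk": "medium"},
    "4333333333333339": {"exp": "0525", "cvv": "789", "risk": "blocked"},
}
MAX_OTP_ATTEMPTS = 3  # assumed lockout threshold for the out-of-band code


@dataclass
class TokenRecord:
    token: str
    pan: str
    requestor_id: str
    status: str              # "active" (Approved) or "inactive" (Pending)
    assurance_level: int     # Token Assurance Level, 0-99
    otp_hash: Optional[str] = None
    otp_attempts: int = 0


class IssuerProcessor:
    """Eligibility decision the issuer/processor returns to the STE."""

    def eligibility(self, pan: str, exp: str, cvv: str) -> Tuple[str, Optional[str]]:
        acct = ISSUER_ACCOUNTS.get(pan)
        if acct is None or acct["exp"] != exp or acct["cvv"] != cvv or acct["risk"] == "blocked":
            return "Denied", None
        if acct["risk"] == "medium":
            return "Pending", "out-of-band code"   # Additional ID&V method
        return "Approved", None


class SecureTokenExchange:
    """Token vault plus the provisioning steps the slides assign to the STE."""

    def __init__(self, issuer: IssuerProcessor, token_bin: str = "499999") -> None:
        self.issuer = issuer
        self.token_bin = token_bin
        self.vault = {}   # token -> TokenRecord (the token-to-PAN mapping)

    def _new_token(self) -> str:
        # Constructed format: placeholder token BIN plus random digits
        # (check-digit handling is left out of this example).
        return self.token_bin + "".join(str(secrets.randbelow(10)) for _ in range(10))

    def request_token(self, requestor_id: str, pan: str, exp: str, cvv: str) -> dict:
        """Token Requestor -> STE -> Issuer request, and the STE's response."""
        status, idv_method = self.issuer.eligibility(pan, exp, cvv)
        if status == "Denied":
            return {"eligibility": "Denied", "token": None,
                    "message": "contact your financial institution for more information"}
        # Assumed issuer rule: a fully verified request scores higher than one
        # that still awaits additional ID&V.
        tal = 90 if status == "Approved" else 20
        token = self._new_token()
        self.vault[token] = TokenRecord(token, pan, requestor_id,
                                        "active" if status == "Approved" else "inactive", tal)
        return {"eligibility": status, "token": token, "token_assurance_level": tal,
                "additional_idv_method": idv_method}

    def start_out_of_band(self, token: str) -> str:
        """Step 3: generate a verification code for delivery to the consumer."""
        rec = self.vault[token]
        code = f"{secrets.randbelow(10 ** 6):06d}"
        rec.otp_hash = hashlib.sha256(code.encode()).hexdigest()
        rec.otp_attempts = 0
        return code   # returned only to let the caller simulate SMS/e-mail delivery

    def verify_out_of_band(self, token: str, entered_code: str) -> str:
        """Step 6: validate the entered code; activate the token or deny."""
        rec = self.vault[token]
        if rec.status != "inactive" or rec.otp_hash is None:
            return "denied"
        rec.otp_attempts += 1
        entered_hash = hashlib.sha256(entered_code.encode()).hexdigest()
        if hmac.compare_digest(entered_hash, rec.otp_hash):
            rec.status, rec.assurance_level, rec.otp_hash = "active", 80, None
            return "approved"
        if rec.otp_attempts >= MAX_OTP_ATTEMPTS:
            rec.otp_hash = None   # further attempts must go back to the issuer (step 7)
        return "denied"

    def status_of(self, token: str) -> str:
        return self.vault[token].status
```

A pending token is stored in the vault immediately but stays inactive, matching the slide's "Pending" status; the assurance level is raised only after the STE validates the code, which is the information later carried to the issuer in the transaction flow.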

Secure Token Exchange payment transaction flow: Mobile point-of-sale, Pass-Through model
Net new token fields are shown; all other data is passed as usual.
(Diagram: Mobile Wallet -> Merchant -> Acquirer -> Network -> Issuer / Processor and back, with the Network calling out to the STE. Steps 1-4 are the auth request, 5-6 the STE detokenization exchange, 7 the request to the issuer, 8-10 the auth response back to the wallet.)
Auth Request, Mobile Wallet -> Merchant -> Acquirer -> Network (1-4): Token **; Token Exp. Date **; Token Requestor ID *** ((O) in the later legs); Token Cryptogram **; POS Entry Mode *
Network -> STE (5): Token **; Token Exp. Date **; Token Requestor ID ***; POS Entry Mode
STE -> Network (6): PAN *; PAN Exp. Date *; Token Assurance Data (O) ***; Token Assurance Level ***
Network -> Issuer / Processor (7): PAN *; Token **; Token Requestor ID (O) ***; POS Entry Mode; Token Assurance Level ***; PAN Product ID (O) **
Auth Response, Issuer / Processor -> Network -> Acquirer -> Merchant (8-10): Token **; Token Assurance Level ***; Last 4 digits of PAN ***; PAN Product ID (O) **
Legend: * BAU Data Fields; ** Token Data in Current Fields; *** New Data Fields; (O) Optional Fields
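The cryptogram, domain restriction and detokenization steps described in the terminology, walk-through and transaction-flow slides can be traced end to end in code. The following is an added example, not TCH's or any network's implementation: the network-defined cryptogram algorithm is replaced by an HMAC-SHA256 over the transaction data (an assumption, labelled as such), the vault entry is a constructed record standing in for what provisioning stored, and the token, PAN, key, requestor id "wallet-01", entry-mode names and the issuer's authorization rule are all placeholders. It shows the STE rejecting replays, tampered amounts, out-of-domain use and a token presented by the wrong requestor, and the issuer answering with the last four PAN digits only.

```python
import hashlib
import hmac
import json

# Constructed vault entry standing in for what provisioning stored (placeholder values).
VAULT = {
    "4999990000000002": {
        "pan": "4111111111111111", "pan_exp": "1227", "token_exp": "1226",
        "requestor_id": "wallet-01", "assurance_level": 80, "pan_product_id": "CLASSIC",
        # Domain restrictions set at provisioning: allowed entry modes and a per-transaction ceiling.
        "domain": {"entry_modes": {"contactless"}, "max_amount_cents": 50_000},
        "key": bytes.fromhex("00112233445566778899aabbccddeeff"),   # token key shared with the wallet
        "last_atc": 0,   # highest transaction counter seen, for replay detection
    }
}


def cryptogram(key: bytes, token: str, token_exp: str, atc: int, amount_cents: int, merchant_id: str) -> str:
    """Transaction-unique value. Real schemes are network-defined; this stand-in
    is an HMAC-SHA256 over the transaction data, truncated to 8 bytes (16 hex)."""
    msg = json.dumps([token, token_exp, atc, amount_cents, merchant_id], separators=(",", ":")).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]


def wallet_auth_request(token: str, token_exp: str, key: bytes, requestor_id: str,
                        atc: int, amount_cents: int, merchant_id: str, entry_mode: str) -> dict:
    """Step 1: the mobile wallet builds the auth request with the net-new token fields."""
    return {"token": token, "token_exp": token_exp, "token_requestor_id": requestor_id,
            "token_cryptogram": cryptogram(key, token, token_exp, atc, amount_cents, merchant_id),
            "pos_entry_mode": entry_mode, "atc": atc, "amount_cents": amount_cents,
            "merchant_id": merchant_id}


def ste_detokenize(req: dict) -> dict:
    """Steps 5-6: the STE enforces domain restrictions and validates the
    cryptogram, then returns the PAN fields to the network or a rejection."""
    rec = VAULT.get(req["token"])
    if rec is None:
        return {"result": "rejected", "reason": "unknown token"}
    if rec["requestor_id"] != req["token_requestor_id"]:
        return {"result": "rejected", "reason": "token not bound to this requestor"}
    if req["pos_entry_mode"] not in rec["domain"]["entry_modes"]:
        return {"result": "rejected", "reason": "entry mode outside token domain"}
    if req["amount_cents"] > rec["domain"]["max_amount_cents"]:
        return {"result": "rejected", "reason": "amount exceeds token domain limit"}
    if req["atc"] <= rec["last_atc"]:
        return {"result": "rejected", "reason": "replayed transaction counter"}
    expected = cryptogram(rec["key"], req["token"], req["token_exp"], req["atc"],
                          req["amount_cents"], req["merchant_id"])
    if not hmac.compare_digest(expected, req["token_cryptogram"]):
        return {"result": "rejected", "reason": "cryptogram validation failed"}
    rec["last_atc"] = req["atc"]
    return {"result": "ok", "pan": rec["pan"], "pan_exp": rec["pan_exp"],
            "token_assurance_level": rec["assurance_level"], "pan_product_id": rec["pan_product_id"]}


def issuer_authorize(detok: dict, req: dict) -> dict:
    """Steps 7-8: the issuer sees the PAN plus token fields and answers with
    token-based fields only: the full PAN never travels back toward the merchant."""
    # Assumed issuer rule: low-assurance tokens are approved only for small amounts.
    approved = detok["token_assurance_level"] >= 50 or req["amount_cents"] <= 2_500
    return {"approved": approved, "token": req["token"],
            "token_assurance_level": detok["token_assurance_level"],
            "last4": detok["pan"][-4:], "pan_product_id": detok["pan_product_id"]}


def network_process(req: dict) -> dict:
    """Steps 2-10: merchant and acquirer pass the token through unchanged; the
    network detokenizes via the STE and routes the PAN to the issuer."""
    detok = ste_detokenize(req)
    if detok["result"] != "ok":
        return {"approved": False, "token": req["token"], "reason": detok["reason"]}
    return issuer_authorize(detok, req)
```

Binding the amount into the cryptogram is what makes a merchant- or acquirer-side change to the amount detectable at the STE, and the monotonically increasing counter is what turns a captured request into a one-time value; neither protects the token if the key is compromised, which is why the domain restrictions remain as a second, independent limit on misuse.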

Lifecycle Management Functions
Issuer tokens allow for several important lifecycle management functions.
Cardholder Initiated (via the STE): Suspend; Resume; Delete
Issuer Initiated (via the STE): Suspend; Resume; Delete; Update; Transaction History
- Suspend: A request to freeze the tokens in the digital wallet, e.g., the mobile device is lost
- Resume: The freeze placed on tokens by a suspend request is lifted and the tokens are once again live. A resume request can only be issued by the party who originally suspended the token
- Delete: Tokens can be removed from the wallet at any time by a request for deletion
- Update: An Issuer request to update various fields associated with a token, including the expiration date of the token or PAN, a change to the underlying PAN, a domain restriction change, a change to attributes of the PAN, the token assurance level, or a change to the last four digits of the PAN
- Transaction History (optional): Provides information on past purchases to the digital wallet. Contains location, date, amount and merchant information
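The lifecycle rules above, in particular "a resume request can only be issued by the party who originally suspended the token" and "update" being issuer-initiated, are easy to get wrong in an implementation, so here is an added example (not TCH code) of a small state machine that enforces them in Python. The actor names "cardholder" and "issuer", the updatable field set and the sample values are assumptions for the example; the last four digits are derived from the stored PAN, so a PAN change updates them implicitly.

```python
from dataclasses import dataclass, field
from typing import Optional

ACTORS = {"cardholder", "issuer"}          # parties that can originate requests
UPDATABLE = {"token_exp", "pan_exp", "pan", "domain", "assurance_level"}


@dataclass
class LifecycleToken:
    token: str
    pan: str
    token_exp: str
    pan_exp: str
    domain: dict
    assurance_level: int
    state: str = "active"                   # active <-> suspended, either -> deleted
    suspended_by: Optional[str] = None      # remembered so only that party may resume
    history: list = field(default_factory=list)

    @property
    def last4(self) -> str:
        return self.pan[-4:]

    def _gate(self, actor: str) -> Optional[str]:
        """Common checks: a known actor, and a token that still exists."""
        if actor not in ACTORS:
            raise ValueError(f"unknown actor {actor!r}")
        if self.state == "deleted":
            return "rejected: token deleted"
        return None

    def suspend(self, actor: str) -> str:
        err = self._gate(actor)
        if err:
            return err
        if self.state == "suspended":
            return "rejected: already suspended"
        self.state, self.suspended_by = "suspended", actor
        return "suspended"

    def resume(self, actor: str) -> str:
        err = self._gate(actor)
        if err:
            return err
        if self.state != "suspended":
            return "rejected: not suspended"
        if actor != self.suspended_by:
            return f"rejected: only the {self.suspended_by} can resume"
        self.state, self.suspended_by = "active", None
        return "active"

    def delete(self, actor: str) -> str:
        err = self._gate(actor)
        if err:
            return err
        self.state, self.suspended_by = "deleted", None
        return "deleted"

    def update(self, actor: str, **fields) -> str:
        err = self._gate(actor)
        if err:
            return err
        if actor != "issuer":
            return "rejected: updates are issuer initiated"
        unknown = set(fields) - UPDATABLE
        if unknown:
            return f"rejected: cannot update {sorted(unknown)}"
        for name, value in fields.items():
            setattr(self, name, value)
        return "updated"

    def add_transaction(self, actor: str, location: str, date: str,
                        amount_cents: int, merchant: str) -> str:
        """Optional transaction-history feed to the wallet (issuer initiated)."""
        err = self._gate(actor)
        if err:
            return err
        if actor != "issuer":
            return "rejected: transaction history is issuer initiated"
        self.history.append({"location": location, "date": date,
                             "amount_cents": amount_cents, "merchant": merchant})
        return "recorded"
```

Recording `suspended_by` rather than just a boolean is the whole point: a cardholder who reported a lost phone should not find the token resumed by an issuer batch job, and an issuer fraud hold should not be lifted by the wallet user.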

The DDA Token working group is focusing on adapting card token standards into a tokenization solution for DDA-based transactions, beginning with ACH payments
Workshop Deliverables: Generate a DDA Token framework to include:
- DDA token scope and definition
- Corresponding data elements
- Flows for provisioning, transactions and lifecycle management
Guiding Principles:
- DDA Tokenization applies to current ACH as well as Same-Day and/or Real-Time transactions
- Consistency with mobile/card tokenization, with differences to account for new requirements and use cases for ACH
- Minimize change to ACH formats and processing flows
- Support for merchant / digital wallet use cases where both card and ACH tender options are tokenized
Follow-on Efforts:
- Generate an industry business case to evaluate the opportunity
- Evaluate potential NACHA rule changes needed to support token formats and drive ubiquity
- Engagement with the Federal Reserve RPO to generate alignment
- Develop a timeline for implementation