Tokenization, April. Gregory H. Soule, CPA, CISA, CISSP, CFE, Senior Manager, Andrews Hooper Pavlik PLC

Transcription:

Tokenization
Gregory H. Soule, CPA, CISA, CISSP, CFE
Senior Manager
Andrews Hooper Pavlik PLC

Agenda
- and Implementation
- EMV, Encryption, Tokenization
- Apple Pay
- Google Wallet
- Recent Trends
- Resources

Agenda: and Implementation

EMV, Encryption, Tokenization
- How do these three technologies work together to secure payments?
- How do these technologies facilitate mobile payments?

EMV
- Europay, Mastercard, Visa
- Global standard for the use of integrated circuit (i.e., chip) cards and applicable card readers
- Contact and contactless POS terminals
- Authentication for physical transactions
- Standards managed by EMVCo LLC
- Magnetic stripe = data store
- EMV chip = data processing capabilities

EMV
- EMV chip, PAN, and POS terminal generate a security key (i.e., application cryptogram)
- Cryptogram is sent through the payments system to the issuer to process the transaction
- Issuer responds with a separate cryptogram

Encryption
- Transforming plaintext data into ciphertext using a key / algorithm
- Encryption of primary account number (PAN) upon presentation (i.e., at the POS terminal)
- Point-to-point encryption: data is encrypted at the POS terminal and decrypted by the provider / processor / acquirer
- Various methods and solutions
- Applies to magnetic stripe, EMV, card-not-present (CNP), and tokenized transactions

Tokenization
- The process of substituting a sensitive data element with a non-sensitive data element, referred to as a token, that has no extrinsic or exploitable meaning or value

Tokenization
- Removes account data from the environment and replaces it with data that is meaningless outside of that environment
- Not a new technology
- Gateway-side tokenization
- Network-side tokenization
  - Current standard issued by EMVCo in March 2014

Layers of Data Security
- PIN-based transactions
  - Must know PIN for card to work at POS, ATM, etc.
  - PINs are static data, PANs are still used
- Encryption
  - Protects data in transit
  - PAN, token is encrypted
  - Spans other methods

Layers of Data Security
- EMV Chip
  - Unique information generated for each transaction
  - EMV chip provides authentication to the POS terminal and processing system
- Tokenization
  - Token is used in place of the PAN
  - Token is sent to tokenization system to detokenize to PAN

Benefits of Tokenization
- Security
  - Logical separation
  - Data de-valuation
- Can be applied to multiple types of data
  - SSN, driver's license, health
- Reduced PCI scope
  - Less cardholder data
- Invisible to the consumer

Objections
- Cost
  - New systems
- Analytics
  - Buyer behavior and trends
  - Sales analysis
  - Demographics

Gateway-Side Tokenization
- Initial tokenization technology
- Merchant's data storage
- Single pay tokens = one token for one transaction
- Multiple pay tokens = one token for many transactions
- Subsequent transactions
  - Returns, future purchases

Gateway-Side Tokenization
- Card is presented
- PAN is encrypted and sent to Acquirer
- Acquirer passes PAN through payment network to Issuer for authorization
- Acquirer also tokenizes PAN and stores PAN-Token mapping in a secure token vault
- Issuer provides authorization back to Acquirer
- Authorization and token are returned to merchant
- Token is stored in all places where PAN would reside

[Diagram: Card Present Transaction. Parties: Consumer (authenticated through EMV), Merchant, Acquirer, Payment Network, Issuer. Labels: Encrypted PAN, Auth, Tokenized PAN Created.]

Gateway-Side Tokenization
- Particularly valuable in CNP and ecommerce transactions
- Encrypted card data previously was stored and submitted to the acquirer for each transaction
- With tokenization, the e-tailer can now store and submit multiple pay tokens to the acquirer
- The acquirer then de-tokenizes and sends the PAN to the issuer for authorization

[Diagram: Card Not Present Transaction. Parties: Consumer (authenticated through other mechanisms: user credentials, etc.), Merchant, Acquirer, Payment Network, Issuer. Labels: Token is submitted, De-tokenized into the PAN, Encrypted PAN, Auth.]

Key Players
- Consumer
- Merchant
- Acquirer
- Payment networks
- Issuer
- Token is tied to acquirer
  - Random string of numbers, formatted unique to the acquirer
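The gateway-side flow above (card-present sale, then stored tokens submitted for returns and future purchases) as an added sketch; it is not part of the original presentation. The class and function names, the issuer stub and the rule that a single pay token allows one follow-up use are assumptions made for illustration.

```python
import secrets

TEST_PAN = "4111111111111111"   # constructed test number, not a real account

class Acquirer:
    """Acquirer/gateway side: owns the token vault (token -> PAN mapping)."""

    def __init__(self, issuer_authorize):
        self.vault = {}                        # token -> [pan, uses_left or None]
        self.issuer_authorize = issuer_authorize

    def new_token(self, pan):
        # Random digits with no mathematical relationship to the PAN.
        while True:
            token = "".join(secrets.choice("0123456789") for _ in range(len(pan)))
            if token != pan and token not in self.vault:
                return token

    def card_present(self, pan, amount, multi_pay=True):
        """PAN arrives from the POS; authorization and token go back to the merchant."""
        approved = self.issuer_authorize(pan, amount)
        token = self.new_token(pan)
        # Assumption: a single pay token allows one follow-up use (e.g. a return).
        self.vault[token] = [pan, None if multi_pay else 1]
        return approved, token

    def token_transaction(self, token, amount):
        """Merchant submits a stored token; only the acquirer can de-tokenize it."""
        entry = self.vault.get(token)
        if entry is None or entry[1] == 0:
            return False                       # unknown token or spent single pay token
        if entry[1] is not None:
            entry[1] -= 1
        return self.issuer_authorize(entry[0], amount)

def demo():
    pans_seen_by_issuer = []
    def issuer(pan, amount):                   # hypothetical issuer stub
        pans_seen_by_issuer.append(pan)
        return amount <= 500
    acquirer = Acquirer(issuer)
    merchant_db = {}                           # the merchant stores tokens only
    ok, merchant_db["multi"] = acquirer.card_present(TEST_PAN, 40)
    _, merchant_db["single"] = acquirer.card_present(TEST_PAN, 15, multi_pay=False)
    results = {
        "first_sale": ok,
        "repeat_purchase": acquirer.token_transaction(merchant_db["multi"], 25),
        "return": acquirer.token_transaction(merchant_db["single"], 15),
        "single_reused": acquirer.token_transaction(merchant_db["single"], 15),
        "forged_token": acquirer.token_transaction("not-a-vault-token", 5),
    }
    return merchant_db, pans_seen_by_issuer, results
```

The merchant's records hold only tokens, while the issuer still receives the real PAN on every authorization because the acquirer de-tokenizes first.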

Network-Side Tokenization
- New model, based on EMVCo's Tokenization Standards
- Introduces new parties into payments system
  - Token Requestor
  - Token Service Provider
- Instead of tokens issued/managed by acquirer or gateway, they are managed by the payment networks
- Tokens look just like PANs (i.e., 16 digits)
  - Compatible with existing payment infrastructure
- Tokenization phases
  - Token provisioning
  - Payment process using tokens
  - Token lifecycle

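[Diagram: Token Provisioning. Authenticated consumer enters PAN into app or secure wallet; PAN passes from Token Requestor to Token Service Provider to Issuer; on approval, the token is created and stored in the secure token vault.]

[Diagram: Payment Process. Parties: Consumer, Merchant, Acquirer, Payment Network, Token Service Provider, Token Vault, Issuer. The token is de-tokenized to the PAN at the token vault; PAN and Auth pass between Payment Network and Issuer.]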

Token lifecycle
- Updates to the PAN / token mapping
- Initiated by either token requestor or issuer
- Consumer driven

Examples of token service providers
- Mastercard Digital Enablement Service
- Visa Token Service
- American Express Token Service

Other items
- One PAN can have multiple tokens
  - Merchant App (i.e., Starbucks)
  - Apple Pay
  - Google Wallet
- Token vault
  - Fully PCI compliant
  - Maintained by the payment networks
- Token use
  - If the tokenized PAN is used outside of the token ecosystem, it will be recognized by the Token Service Provider (based on the cryptogram) and rejected

Agenda: Recent Trends
- Apple Pay
- Google Wallet
- Android HCE
- Softcard

Apple Pay
- Secure Element
  - Dedicated chip built into iPhone 6 devices that stores tokens
  - Physically separate from other storage areas on the device
  - Tokens stored within the iPhone's secure element are called the Device Account Number
- Tokenization based on EMVCo standard
- Supports in-app payments

Apple Pay
- Device Account Number
  - Does not change over the life of the card it represents
  - 16 digits, similar to normal PAN
  - Issued by Token Service Provider
- Cryptogram
  - One-time number
  - Created at time of transaction based on data provided by the POS terminal, the tokenized PAN stored on the secure element, and a derived key created when the token is issued
  - Apple: transaction-specific dynamic security code
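An added sketch, not part of the original presentation, of why a token presented without a valid cryptogram is rejected by the Token Service Provider, as described under "Token use" and "Cryptogram" above. HMAC-SHA256 and the transaction counter are stand-ins chosen for this sketch (the slides do not specify the cryptogram algorithm), and all names are hypothetical.

```python
import hashlib
import hmac
import secrets

TEST_PAN = "4111111111111111"   # constructed test number, not a real account

def make_cryptogram(key, token, terminal_data, counter):
    """Device side: one-time value bound to the token, terminal data and a counter."""
    msg = token.encode() + b"|" + terminal_data + b"|" + counter.to_bytes(4, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()

class TokenServiceProvider:
    def __init__(self):
        self.vault = {}   # token -> {"pan", "key", "last_counter"}

    def provision(self, pan):
        """Issue a 16-digit token plus a per-token key for the device's secure element."""
        token = "".join(secrets.choice("0123456789") for _ in range(16))
        key = secrets.token_bytes(32)
        self.vault[token] = {"pan": pan, "key": key, "last_counter": 0}
        return token, key

    def detokenize(self, token, terminal_data, counter, cryptogram):
        """Return the PAN only for a fresh, valid cryptogram; otherwise None."""
        entry = self.vault.get(token)
        if entry is None or not cryptogram:
            return None                       # token used outside the ecosystem
        if counter <= entry["last_counter"]:
            return None                       # replayed transaction
        expected = make_cryptogram(entry["key"], token, terminal_data, counter)
        if not hmac.compare_digest(expected, cryptogram):
            return None                       # wrong key or altered terminal data
        entry["last_counter"] = counter
        return entry["pan"]

def demo():
    tsp = TokenServiceProvider()
    token, key = tsp.provision(TEST_PAN)
    terminal = b"amount=12.50;nonce=8f3a"     # constructed POS terminal data
    good = make_cryptogram(key, token, terminal, 1)
    return {
        "valid": tsp.detokenize(token, terminal, 1, good),
        "replayed": tsp.detokenize(token, terminal, 1, good),
        "token_only": tsp.detokenize(token, terminal, 2, None),
        "altered_amount": tsp.detokenize(token, b"amount=900.00;nonce=8f3a", 2, good),
    }
```

A stolen 16-digit token is useless without the key held in the secure element, which is the property that lets the merchant see the token without the exposure that storing a PAN would carry.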

Provisioning
- Consumer enters card info into iPhone's Passbook
  - Use the device's camera or manually enter
- This data is encrypted and sent to Apple, who functions as the Token Requester
- This data is then passed to the Token Service Provider (TSP), depending on which card is used (i.e., Visa, Mastercard, AMEX)
- The TSP contacts the issuing bank for approval to issue a token
- A token is generated by the TSP and mapped to the PAN in the token vault
- The token is passed back to Apple and to the device to store in the secure element

Provisioning
- Apple does not store the PAN
- Apple does not store the token (or Device Account Number)
  - This is stored on the device, in the secure element
  - Token vault maintains the mapping between token and PAN
- Apple does not store transaction details
  - Recent purchases are maintained in Passbook, however
- The merchant does not see the PAN
  - Merchant does have access to the DAN

[Diagram: Token Provisioning. Consumer enters card info into Passbook; PAN passes from Token Requestor to Token Service Provider to Issuer; on approval, the token is created and stored in the secure token vault.]

Transactions
- Using contactless NFC reader
  - iPhone is held near the NFC reader
  - Device can be locked and screen off
  - Default card will appear on the screen
  - Provide Touch ID or passcode
  - The device will vibrate and the reader will beep
  - If enabled, a notification will appear on the lock screen confirming the transaction
- Authentication
  - Provided by Touch ID or passcode
  - Nothing for the merchant cashier to verify
  - May need to sign receipt

[Diagram: Payment Process. Parties: Consumer, Merchant, Acquirer, Payment Network, Token Service Provider, Token Vault, Issuer. The consumer presents the DAN to the merchant; the token is de-tokenized to the PAN at the token vault; PAN and Auth pass between Payment Network and Issuer.]

Google Wallet
- HCE: Host Card Emulation
- Android: multiple device manufacturers, software developers
  - Who owns / controls the secure element or SIM card?
  - Will the carriers allow access to the secure element or SIM card?
- Solution: to the cloud

Google Wallet
- Card data stored in the cloud
- Consumer provides PAN detail to Google Wallet
- Google Wallet creates Google Wallet Virtual Card (GWVC), which is essentially a virtual prepaid debit card issued by Google's partner, Bancorp Bank
- Google Wallet Virtual Card is provided to merchants during NFC transactions
- Google then requests funds from the original issuer
- PAN is not stored on the device, but is stored by Google

Google Wallet
- Allows person-to-person payments through Gmail
- Users can obtain a physical Google Wallet Card that functions as a debit Mastercard connected to their Wallet Balance
  - Can also be used at ATMs
- For NFC payments, the device must be awake and screen unlocked
- Google provides fraud protection
- Google stores transaction details

[Diagram: Google Wallet payment flow. GWVC is stored on the device and presented at the contactless terminal; GWVC passes from Merchant to Merchant Acquirer to GWVC Issuer (Bancorp Bank); funds are requested from the original PAN issuer using PAN + GWVC.]

Softcard
- Joint venture between AT&T, T-Mobile, and Verizon
- Initially, carrier response to Google Wallet
- Fully released in 2013
- Used NFC communication for contactless payments
- Acquired by Google in February 2015
- Carriers will now include Google Wallet app on supported Android devices

Samsung Pay
- Announced in March 2015
- Samsung Galaxy S6
- Uses tokenized transactions with information stored on the device
- Authentication is provided by fingerprint reader on the device
- Supports NFC-based payments
- Also supports magnetic stripe-based payments

Samsung Pay
- Samsung acquired LoopPay
- LoopPay developed Magnetic Secure Transmission (MST), which uses magnets to emulate a magnetic stripe card as it is swiped through a reader
- Users place the Galaxy S6 near a standard magstripe reader, and the transaction will be read like a normal card transaction
- To be released with firmware update to supported Galaxy devices this summer

Others: CurrentC
- Developed by Merchant Customer Exchange
  - Merchant-owned
- Uses QR codes, either on the merchant's screen and scanned by the user, or on the user's device and scanned by the merchant
- Connected to bank account, not credit card

Others: Coin, Wocket, Plastc
- Pre-release or invite based
- Physical card that stores multiple cards
  - Credit/debit cards
  - Gift cards
  - Proximity-based door swipe cards
- Cards connected to mobile device using Bluetooth
- Comes with reader to swipe existing physical cards
- Includes charging method

Agenda: Resources

Resources
- EMVCo LLC:
  - A Guide to EMV Chip Technology, November 2014
  - Payment Tokenisation Specification Technical Framework, March 2014
- Smart Card Alliance:
  - Technologies for Payment Fraud Prevention: EMV, Encryption, and Tokenization, October 2014
- American Bankers Association
- Vendor-specific:
  - Visa, MasterCard, American Express
  - First Data
  - Apple, Google

Questions?

Contact Information
Gregory H. Soule, CPA, CISA, CISSP, CFE
Senior Manager
Andrews Hooper Pavlik PLC
691 N. Squirrel Road, Suite 280
Auburn Hills, MI 48326
p: 248-340-6050
f: 248-340-6104
e: gregory.soule@ahpplc.com
www.ahpplc.com

Thank You

This presentation was produced in connection with an educational and informational program. It represents the statements and views of the author(s) alone and does not necessarily represent the official policies or positions of Andrews Hooper Pavlik PLC, its partners, or any sponsor of this program. This presentation is not intended to be, nor should it be construed as constituting tax, accounting, auditing, security, or consulting advice with regard to specific cases, transactions, or situations used by the author(s). Any accounting, business, or tax advice contained in this presentation, including attachments and enclosures, is not intended as a thorough analysis of specific issues, nor a substitute for a formal opinion, nor was it written to be used to avoid tax related penalties. Any brand names and/or logos displayed or discussed in this presentation are the property of their respective owners, are used for identification purposes only, and do not imply endorsement by or affiliation with AHP.