Quick Guide Token Service Provider
Introduction to Mobile Payments
The mobile payments revolution is here! Driven by the development of near field communication (NFC) enabled smartphones, the launch of various mobile payments platforms and a sharp increase in consumer demand, the contactless payments market is set to be worth $9.88 billion by 2018 (Source: MarketsandMarkets). The value of mobile payments is projected to hit $721 billion by 2017, increasing from $53 billion in 2010 (Source: Statista). The rise of mobile payments has been accompanied by a lexicon of new and technical buzzwords, many of which refer to security measures that can be applied to the mobile payments infrastructure. The tokenization process has given us a number of terms, among which token service provider features front and center. To fully appreciate the role of the token service provider, it is helpful to also understand tokenization technology and how it is utilized to secure mobile payments.
What is Tokenization?
Tokenization reduces the value of stored payment credentials by replacing them with a randomly generated number which resembles the customer's primary account number (PAN). This unique identifier, called a Payment Token or Tokenized PAN, is worthless if stolen as it essentially acts as a reference for a consumer's corresponding card data which only the card networks and/or the consumer's bank can map back to the original account.
How Does Tokenization Secure Mobile Payments?
Phase 1: Prepare Tokenization. A payment token is generated from the PAN. For security reasons, tokens can be restricted to be valid for single use and/or use within a specific domain. The token is then sent to the token vault, typically a Payment Card Industry-compliant environment.
Phase 2: Bank Loads Token on Device. Tokens are loaded onto the consumer's mobile device as part of what is known as the virtual card profile.
Phase 3: Make a Payment. The NFC device makes a payment at a merchant's contactless point-of-sale terminal using the token as the card number.
Phase 4: Connect With Network Through. The POS terminal sends the token to the acquiring bank, which sends it to the issuing bank through the payment network.
Phase 5: Detokenize. The issuer de-tokenizes the token to the real PAN and uses the real PAN for authorization and funds transfer.
Phase 6: Finalize Payment. The real PAN is re-tokenized and the authorization response is returned to the POS terminal.
What is a Token?
A payment token is a surrogate randomly generated number which replaces the customer's PAN. Tokens are reversible and generated at the payment issuer level, meaning that they can be securely mapped back to their original card account numbers by the provider of the payment token and authorized entities only.
What is a Token Vault?
A token vault is a centralized and highly secure server where issued tokens, and the PAN numbers they represent, are stored.
Where Does Tokenization Fit in the Payment Processing Chain?
The implementation of tokenization has led to the involvement of new actors in the payments ecosystem. In a non-tokenized payment, the card information is simply sent down the payment processing chain from the merchant to the issuing bank, which relays the information back down the chain. With a tokenized payment, however, there needs to be an entity within the ecosystem that issues and manages the tokens. This entity is known as a token service provider.
What is a Token Service Provider?
The token service provider is an entity within the payments ecosystem that is able to provide registered token requestors (for example, the merchants holding the card credentials) with surrogate PAN values such as dynamic/alternate PANs, otherwise known as payment tokens. These payment tokens can only be used temporarily in a specific domain, such as a merchant's online website, or a channel, for example a mobile device used to make an NFC payment. Payment credentials are protected throughout the transaction, as the surrogate data obtained from a data breach will be largely useless to hackers. The issuance and remote management of the payment credentials provided by token service providers must comply with specifications defined by EMVCo and the global payment schemes; this can take place in the cloud using HCE or on a smartphone inside a secure element.
What is The Role of a Token Service Provider
Token service providers have the ability to issue and manage the entire lifecycle of payment credentials, implement tokenization to reduce payment card fraud and manage transactions to integrate with the existing authorization host by converting or validating cryptograms as well as performing processing checks. This process includes:
1. Tokenization: Replacing the PAN with the token.
2. Detokenization: Converting the token back to the PAN using the token vault.
3. Token Vault: Establishing and maintaining the payment token to PAN mapping.
4. Domain Management: Offers additional security by restricting tokens to use within a specific (retail) channel or domain.
5. Identification and Verification: Ensures that the payment token references a legitimate PAN from the token requestor.
6. Clearing and Settlement: Ad-hoc detokenization during the clearing and settlement process.
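The payment phases and the token service provider functions listed above can be sketched as a small in-memory vault. This is an added example, not Rambus or EMVCo code; the class and method names, the requestor and domain labels, and the use of a Luhn check as a stand-in for identification and verification are all assumptions made for illustration.

```python
import secrets

def luhn_valid(number: str) -> bool:
    """Check-digit test used here as a stand-in for real ID&V of the PAN."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

class TokenVault:
    """Toy in-memory vault holding the token-to-PAN mapping (assumed design)."""

    def __init__(self, registered_requestors):
        self._requestors = set(registered_requestors)
        self._records = {}  # token -> {"pan", "domain", "single_use", "used"}

    def tokenize(self, pan, requestor, domain, single_use=False):
        if requestor not in self._requestors:
            raise PermissionError("token requestor is not registered")
        if not (pan.isdigit() and luhn_valid(pan)):
            raise ValueError("PAN failed verification")
        while True:  # random surrogate with the same length as the PAN
            token = "".join(secrets.choice("0123456789") for _ in pan)
            if token != pan and token not in self._records:
                break
        self._records[token] = {"pan": pan, "domain": domain,
                                "single_use": single_use, "used": False}
        return token

    def detokenize(self, token, domain):
        rec = self._records.get(token)
        if rec is None:
            raise KeyError("unknown token")
        if rec["domain"] != domain:
            raise PermissionError("token presented outside its domain")
        if rec["single_use"] and rec["used"]:
            raise PermissionError("single-use token already redeemed")
        rec["used"] = True
        return rec["pan"]

# Constructed sample values: a well-known test PAN and hypothetical names.
SAMPLE_PAN = "4111111111111111"
vault = TokenVault(registered_requestors={"issuer-wallet"})
nfc_token = vault.tokenize(SAMPLE_PAN, "issuer-wallet", "nfc", single_use=True)
```

Because the token is random rather than derived from the PAN, only the vault's mapping can reverse it, and the domain and single-use checks are what make a token captured in one channel useless in another.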
Who Can Be a Token Service Provider?
Token service providers are responsible for a number of other functions. They oversee the ongoing operation and maintenance of the token vault, deployment of security measures and controls, and the registration process of allowed token requestors. The token service provider can be a wholly independent party from the payment network or payment processor, or alternatively can be integrated with a payment network or payment processor. Essentially, any entity within the payment ecosystem can become a token service provider if they need to perform that role.
How to Become a Token Service Provider
Service providers can either draw on the services provided by selected payment schemes to manage the tokenization process, or insource a solution that enables them to host and manage their own vault.
The Benefits of Becoming a Token Service Provider?
In adopting the role of the token service provider, issuers, acquirers and merchants that wish to offer mobile payments to customers can manage all elements of the tokenization process. There are several reasons why entities, like issuing banks, would consider becoming a token service provider and manage their own tokens:
Reduced Payment Network Fees: Issuing and managing tokens internally means you will not have to request tokens from a third party, saving service fees. Service providers can also avoid detokenization charges.
Flexibility to Expand to Other Uses: Service providers that manage their own token vault can easily expand their services to encompass other related areas, such as embedded secure elements in mobile devices, the cloud, ecommerce or card-on-file scenarios.
Increased Security: Service providers won't have to integrate with any third parties to perform this service, so their security is increased. They keep full control of the original PAN number and have no requirement to share it. They also have no need to integrate with third party external systems, which could generate security vulnerabilities.
Reduced Time to Market: Controlling a proprietary token vault means that service providers have the freedom to determine when and where to launch their tokenized services.
Competitive Edge: By taking control of the project, issuers can control the information shared outside of the organization. In taking a service, banks may need to share details of product and service development plans with third parties so that integration work can run in parallel. In a fast-paced market, banks and service providers don't want to share their roadmap outside of the organization to ensure they keep their competitive edge.
Conclusion
Issuers worldwide rely on Rambus software to safely issue and manage credentials on many millions of smartcards, smartphones and connected devices. Whether it's EMV payments data stored on a chip card, in an NFC-enabled mobile device or in the cloud leveraging HCE, Rambus has the expertise to manage the lifecycle of any application on any form factor and has one of the largest teams worldwide dedicated to this field.
Rambus Inc., Stationsplein 45 A6.016, 3013 AK Rotterdam, The Netherlands. rambus.com/mobile-payments