Quick Guide: Token Service Provider

Token Service Provider · 2016-02-11 · The token service provider can be a wholly independent party from the payment network or payment processor, or alternatively can be integrated

Introduction to Mobile Payments

The mobile payments revolution is here! Driven by the development of near field communication (NFC) enabled smartphones, the launch of various mobile payments platforms and a sharp increase in consumer demand, the contactless payments market is set to be worth $9.88 billion by 2018 (Source: MarketsandMarkets). The value of mobile payments is projected to hit $721 billion by 2017, increasing from $53 billion in 2010 (Source: Statista).

The rise of mobile payments has been accompanied by a lexicon of new and technical buzzwords, many of which refer to security measures that can be applied to the mobile payments infrastructure. The tokenization process has given us a number of terms, among which ‘token service provider’ features front and center.

To fully appreciate the role of the token service provider, it is helpful to also understand ‘tokenization’ technology and how it is utilized to secure mobile payments.

What is Tokenization?

Tokenization reduces the value of stored payment credentials by replacing them with a randomly generated number which resembles the customer’s primary account number (PAN). This unique identifier, called a Payment Token or Tokenized PAN, is worthless if stolen as it essentially acts as a reference for a consumer’s corresponding card data which only the card networks and/or the consumer’s bank can map back to the original account.

How Does Tokenization Secure Mobile Payments?

Tokenization Process

PHASE 1: Prepare Tokenization
A payment token is generated from the PAN. For security reasons, tokens can be restricted to be valid for single use and/or use within a specific domain. The token is then sent to the token vault, typically a Payment Card Industry-compliant environment.

PHASE 2: Bank Loads Token on Device
Tokens are loaded onto the consumer’s mobile device as part of what is known as the virtual card profile.

PHASE 3: Make a Payment
The NFC device makes a payment at a merchant’s contactless point-of-sale terminal using the token as the card number.

PHASE 4: Connect with Network
The POS terminal sends the token to the acquiring bank, which sends it to the issuing bank through the payment network.

PHASE 5: Detokenize
The issuer de-tokenizes the token to the real PAN and uses the real PAN for authorization and funds transfer.

PHASE 6: Finalize Payment
The real PAN is re-tokenized and the authorization response is returned to the POS terminal.

What is a token vault?

A token vault is a centralized and highly secure server where issued tokens, and the PAN numbers they represent, are stored.

What is a token?

A payment token is a surrogate randomly generated number which replaces the customer’s PAN. Tokens are reversible and generated at the payment issuer level, meaning that they can be securely mapped back to their original card account numbers by the provider of the payment token and authorised entities only.

Where Does Tokenization Fit in the Payment Processing Chain?

The implementation of tokenization has led to the involvement of new actors in the payments ecosystem.

In a non-tokenized payment, the card information is simply sent down the payment processing chain from the merchant to the issuing bank which relays the information back down the chain.

With a tokenized payment, however, there needs to be an entity within the ecosystem that issues and manages the tokens. This entity is known as a token service provider.

[Diagram: payment chain showing the Acquirer, Payment network, Issuer and Token Service Provider, with the labels Token and Real Card.]

What is a Token Service Provider?

The token service provider is an entity within the payments ecosystem that is able to provide registered token requestors – for example the merchants holding the card credentials – with ‘surrogate’ PAN values such as dynamic/alternate PANs, otherwise known as payment tokens.

These payment tokens can only be used temporarily in a specific domain such as a merchant’s online website or a channel, for example a mobile device to make an NFC payment.

Payment credentials are protected throughout the transaction as the surrogate data obtained from a data breach will be largely useless to hackers.

The issuance and remote management of the payment credentials provided by token service providers must comply with specifications defined by EMVCo and the global payment schemes; this can take place in the cloud using HCE or on a smartphone inside a secure element.

What is the Role of a Token Service Provider?

Token service providers have the ability to issue and manage the entire lifecycle of payment credentials, implement tokenization to reduce payment card fraud and manage transactions to integrate with the existing authorization host by converting or validating cryptograms as well as performing processing checks.

This process includes:

1. Tokenization: Replacing the PAN with the token.

2. Detokenization: Converting the token back to the PAN using the token vault.

3. Token Vault: Establishing and maintaining the payment token to PAN mapping.

4. Domain Management: Offers additional security by restricting tokens to use within a specific (retail) channel or domain.

5. Identification and Verification: Ensures that the payment token references a legitimate PAN from the token requestor.

6. Clearing and Settlement: Ad-hoc detokenization during the clearing and settlement process.
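
The tokenization, detokenization, token vault and domain management functions listed above, together with the single-use restriction from Phase 1 of the tokenization process, shown as an added example (not code from the guide or from Bell ID, and not an EMVCo-specified algorithm). The class and function names, the in-memory store, the Luhn check digit on the token, the domain labels and the sample PAN are assumptions of this example.

```python
import secrets

def luhn_check_digit(body: str) -> str:
    """Check digit that makes body + digit pass the Luhn test."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch) * 2 if i % 2 == 0 else int(ch)  # double every second digit
        total += d - 9 if d > 9 else d
    return str((10 - total % 10) % 10)

def luhn_ok(number: str) -> bool:
    return number.isdigit() and luhn_check_digit(number[:-1]) == number[-1]

class TokenVault:
    """In-memory vault holding the token-to-PAN mapping and token limits."""

    def __init__(self):
        self._entries = {}  # token -> {"pan", "domain", "single_use", "used"}

    def tokenize(self, pan: str, domain: str, single_use: bool = False) -> str:
        """Issue a random PAN-shaped token bound to one domain."""
        if not luhn_ok(pan):
            raise ValueError("not a valid PAN")
        while True:
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 1))
            token = body + luhn_check_digit(body)  # assumption: token passes Luhn
            if token != pan and token not in self._entries:
                break
        self._entries[token] = {"pan": pan, "domain": domain,
                                "single_use": single_use, "used": False}
        return token

    def detokenize(self, token: str, domain: str) -> str:
        """Map a token back to its PAN, enforcing domain and single-use limits."""
        entry = self._entries.get(token)
        if entry is None:
            raise KeyError("unknown token")
        if entry["domain"] != domain:
            raise PermissionError("token not valid in this domain")
        if entry["single_use"] and entry["used"]:
            raise PermissionError("single-use token already used")
        entry["used"] = True
        return entry["pan"]

SAMPLE_PAN = "4111111111111111"  # constructed test number, not a real account

def demo():
    vault = TokenVault()
    token = vault.tokenize(SAMPLE_PAN, domain="nfc-device", single_use=True)
    return token, vault.detokenize(token, "nfc-device")
```

A token presented outside its domain, or a single-use token presented a second time, is refused before the PAN is ever looked up, which is why a token captured at one merchant or channel has little value elsewhere.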

Token service providers are responsible for a number of other functions. They oversee the ongoing operation and maintenance of the token vault, deployment of security measures and controls, and the registration process of allowed token requestors.

Who Can Be a Token Service Provider?

The token service provider can be a wholly independent party from the payment network or payment processor, or alternatively can be integrated with a payment network or payment processor. Essentially, any entity within the payment ecosystem can become a token service provider if they need to perform that role.

How to become a Token Service Provider

Service providers can draw on the services provided by selected payment schemes to manage the tokenization process. Alternatively, they can insource a solution to enable them to host and manage their own vault.

The Benefits of Becoming a Token Service Provider

In adopting the role of the token service provider, issuers, acquirers and merchants that wish to offer mobile payments to customers can manage all elements of the tokenization process. There are several reasons why entities, like issuing banks, would consider becoming a token service provider and managing their own tokens:

Reduced payment network fees: Issuing and managing tokens internally means you will not have to request tokens from a third party, saving service fees. Service providers can also avoid detokenization charges.

Increased security: Service providers won’t have to integrate with any third parties to perform this service, so their security is increased. They keep full control of the original PAN number and have no requirement to share it. They also have no need to integrate with third-party external systems, which could generate security vulnerabilities.

Reduced time to market: Controlling a proprietary token vault means that service providers have the freedom to determine when and where to launch their tokenized services.

Flexibility to expand to other uses: Service providers that manage their own token vault can easily expand their services to encompass other related areas, such as embedded secure elements in mobile devices, the cloud, eCommerce or card on-file scenarios.

Competitive edge: By taking control of the project, issuers can control the information shared outside of the organization. In taking a service, banks may need to share details of product and service development plans with third parties so that integration work can run in parallel. In a fast-paced market, banks and service providers don’t want to share their roadmap outside of the organization to ensure they keep their competitive edge.

About Bell ID

Issuers worldwide rely on Bell ID software to safely issue and manage credentials on many millions of smartcards, smartphones and connected devices. Whether it’s EMV payments data stored on a chip card, in an NFC-enabled mobile device or in the cloud leveraging HCE, Bell ID has the expertise to manage the lifecycle of any application on any form factor and has one of the largest teams worldwide dedicated to this field.

www.bellid.com