Quick Guide: Token Service Provider
Introduction to Mobile Payments
The mobile payments revolution is here! Driven by the development of
near field communication (NFC) enabled smartphones, the launch of
various mobile payments platforms and a sharp increase in consumer
demand, the contactless payments market is set to be worth $9.88 billion
by 2018 (Source: MarketsandMarkets). The value of mobile payments is
projected to hit $721 billion by 2017, increasing from $53 billion in 2010.
(Source: Statista).
The rise of mobile payments has been accompanied by a lexicon of new
and technical buzzwords, many of which refer to security measures that
can be applied to the mobile payments infrastructure. The tokenization
process has given us a number of terms, among which ‘token service
provider’ features front and center.
To fully appreciate the role of the token service provider, it is helpful to
also understand ‘tokenization’ technology and how it is utilized to secure
mobile payments.
What is Tokenization?
Tokenization reduces the value of stored payment credentials by
replacing them with a randomly generated number which resembles the
customer’s primary account number (PAN). This unique identifier, called
a Payment Token or Tokenized PAN, is worthless if stolen as it essentially
acts as a reference for a consumer’s corresponding card data which only
the card networks and/or the consumer’s bank can map back to the
original account.
How Does Tokenization Secure Mobile Payments?
Tokenization Process
Phase 1: Prepare Tokenization
A payment token is generated from the PAN. For security reasons, tokens
can be restricted to be valid for single use and/or use within a specific
domain. The token is then sent to the token vault, typically a Payment
Card Industry-compliant environment.
Phase 2: Bank Loads Token on Device
Tokens are loaded onto the consumer’s mobile device as part of what is
known as the virtual card profile.
Phase 3: Make a Payment
The NFC device makes a payment at a merchant’s contactless point-of-sale
terminal using the token as the card number.
Phase 4: Connect with Network
The POS terminal sends the token to the acquiring bank, which sends it to
the issuing bank through the payment network.
Phase 5: Detokenize
The issuer de-tokenizes the token to the real PAN and uses the real PAN
for authorization and funds transfer.
Phase 6: Finalize Payment
The real PAN is re-tokenized and the authorization response is returned
to the POS terminal.
What is a token vault?
A token vault is a centralized and highly secure server where issued
tokens, and the PAN numbers they represent, are stored.
What is a token?
A payment token is a surrogate randomly generated number which replaces
the customer’s PAN. Tokens are reversible and generated at the payment
issuer level, meaning that they can be securely mapped back to their
original card account numbers by the provider of the payment token and
authorised entities only.
Where Does Tokenization Fit in the Payment Processing Chain?
The implementation of tokenization has led to the involvement of new actors in
the payments ecosystem.
In a non-tokenized payment, the card information is simply sent down the
payment processing chain from the merchant to the issuing bank which relays
the information back down the chain.
With a tokenized payment, however, there needs to be an entity within the
ecosystem that issues and manages the tokens. This entity is known as a token
service provider.
[Diagram: Acquirer, Payment network, Issuer and Token Service Provider, with the token and the real card passed between them]
What is a Token Service Provider?
The token service provider is an entity within the payments ecosystem that is
able to provide registered token requestors – for example the merchants holding
the card credentials – with ‘surrogate’ PAN values such as dynamic/alternate
PANs, otherwise known as payment tokens.
These payment tokens can only be used temporarily in a specific domain such as
a merchant’s online website or a channel, for example a mobile device to make
an NFC payment.
Payment credentials are protected throughout the transaction as the surrogate
data obtained from a data breach will be largely useless to hackers.
The issuance and remote management of the payment credentials provided by
token service providers must comply with specifications defined by EMVCo and
the global payment schemes; this can take place in the cloud using host card
emulation (HCE) or on a smartphone inside a secure element.
What is the Role of a Token Service Provider?
Token service providers have the ability to issue and manage the entire lifecycle
of payment credentials, implement tokenization to reduce payment card fraud
and manage transactions to integrate with the existing authorization host by
converting or validating cryptograms as well as performing processing checks.
This process includes:
1. Tokenization: Replacing the PAN with the token.
2. Detokenization: Converting the token back to the PAN using the token vault.
3. Token Vault: Establishing and maintaining the payment token to PAN mapping.
4. Domain Management: Offers additional security by restricting tokens to use
within a specific (retail) channel or domain.
5. Identification and Verification: Ensures that the payment token references
a legitimate PAN from the token requestor.
6. Clearing and Settlement: Ad-hoc detokenization during the clearing and
settlement process.
Token service providers are responsible for a number of other functions. They
oversee the ongoing operation and maintenance of the token vault, deployment
of security measures and controls, and the registration process of allowed token
requestors.
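An added example, not Bell ID's code or part of the original guide: an in-memory token vault showing tokenization, detokenization, domain restriction, single-use tokens and token requestor registration as described above. The class and method names, the requestor and domain labels and the test PAN are assumptions made for illustration.

```python
import secrets

class TokenVault:
    """In-memory token vault: keeps the payment token to PAN mapping."""
    def __init__(self, registered_requestors):
        self._requestors = set(registered_requestors)  # allowed token requestors
        self._by_token = {}  # token -> {"pan", "domain", "single_use", "used"}

    def tokenize(self, requestor_id, pan, domain, single_use=False):
        """Replace the PAN with a random token of the same length."""
        if requestor_id not in self._requestors:
            raise PermissionError("token requestor is not registered")
        if not (pan.isdigit() and 13 <= len(pan) <= 19):
            raise ValueError("PAN must be 13-19 digits")
        while True:
            # Random digits, never derived from the PAN: only the vault can map back.
            token = "".join(secrets.choice("0123456789") for _ in pan)
            if token != pan and token not in self._by_token:
                break
        self._by_token[token] = {"pan": pan, "domain": domain,
                                 "single_use": single_use, "used": False}
        return token

    def detokenize(self, token, domain):
        """Map a token back to its PAN, enforcing domain and single-use limits."""
        entry = self._by_token[token]  # KeyError for an unknown token
        if entry["domain"] != domain:
            raise PermissionError("token presented outside its domain")
        if entry["single_use"] and entry["used"]:
            raise PermissionError("single-use token already used")
        entry["used"] = True
        return entry["pan"]


def demo():
    # Constructed sample data: a test PAN and made-up requestor/domain names.
    vault = TokenVault({"issuer-wallet"})
    pan = "4111111111111111"
    token = vault.tokenize("issuer-wallet", pan, domain="nfc", single_use=True)
    outcome = [vault.detokenize(token, "nfc") == pan]
    for call in (lambda: vault.detokenize(token, "nfc"),          # replay
                 lambda: vault.detokenize(token, "ecommerce"),    # wrong domain
                 lambda: vault.tokenize("unknown", pan, "nfc")):  # unregistered
        try:
            call()
            outcome.append("accepted")
        except PermissionError:
            outcome.append("rejected")
    return outcome
```

`demo()` returns the result of the first detokenization followed by the outcome of a replayed single-use token, a token presented in the wrong domain, and a request from an unregistered requestor.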
Who Can Be a Token Service Provider?
The token service provider can be a wholly independent party from the payment
network or payment processor, or alternatively can be integrated with a
payment network or payment processor. Essentially, any entity within the
payment ecosystem can become a token service provider if they need to
perform that role.
How to Become a Token Service Provider
Service providers can draw on the services provided by selected payment
schemes to manage the tokenization process. Alternatively, they can insource a
solution to enable them to host and manage their own vault.
The Benefits of Becoming a Token Service Provider
In adopting the role of the token service provider, issuers, acquirers and
merchants that wish to offer mobile payments to customers can manage all
elements of the tokenization process. There are several reasons why entities, like
issuing banks, would consider becoming a token service provider and manage
their own tokens:
Reduced payment network fees
Issuing and managing tokens internally means you
will not have to request tokens from a third party,
saving service fees. Service providers can also avoid
detokenization charges.
Increased security
Service providers won’t have to integrate with any
third parties to perform this service, so their security
is increased. They keep full control of the original PAN
number and have no requirement to share it. They
also have no need to integrate with third party external
systems, which could generate security vulnerabilities.
Reduced time to market
Controlling a proprietary token vault means that service
providers have the freedom to determine when and
where to launch their tokenized services.
Flexibility to expand to other uses
Service providers that manage their own token vault can
easily expand their services to encompass other related
areas, such as embedded secure elements in mobile
devices, the cloud, eCommerce or card on-file scenarios.
Competitive edge
By taking control of the project, issuers can control the
information shared outside of the organization. In taking
a service, banks may need to share details of product
and service development plans with third parties so
that integration work can run in parallel. In a fast-paced
market, banks and service providers don’t want to share
their roadmap outside of the organization to ensure they
keep their competitive edge.
About Bell ID
Issuers worldwide rely on Bell ID software to safely issue
and manage credentials on many millions of smartcards,
smartphones and connected devices. Whether it’s EMV
payments data stored on a chip card, in an NFC-enabled
mobile device or in the cloud leveraging HCE, Bell ID has
the expertise to manage the lifecycle of any application
on any form factor and has one of the largest teams
worldwide dedicated to this field.
www.bellid.com