TRANSCRIPT
Webinar: Tokenization 101
René M. Pelegero
Retail Payments Global Consulting Group L.L.C
December 15th, 2014
Webinar Overview
– A description of tokenization and how the technology is being employed in the payments space
– Agenda
• What is tokenization?
• What is NOT tokenization?
• Tokenization in payments
• Card scheme tokenization and Apple Pay
• Tokenization issues
History of Tokens
– Token Definition
• Tōkən / noun
• A thing serving as a visible or tangible representation of a fact, quality, feeling, etc.
• A voucher that can be exchanged for goods or services, typically one given as a gift or offered as part of a promotional offer.
Tokens in the Digital World
– Replace sensitive data elements to protect them from exposure
• An HR number instead of SSN as the primary access key to an employee database
• An Address ID to identify a full address
– Have no business meaning
• Cannot be used to derive the original value
• Do not have to change as the underlying value changes
Tokenization Is Not
– Encryption
– EMV
– NFC
– Host Card Emulation (HCE)
Tokenization is NOT Encryption
However, tokens are often encrypted
Encryption 101
Tokenization is NOT EMV
– Europay, MasterCard, Visa (EMV)
• Founded in 1999 to define the specifications of chip-based payment instruments
• Presently six member organizations
– American Express
– Discover
– JCB
– MasterCard (merged with Europay in 2002)
– UnionPay
– Visa
– EMV name used to describe chip-based bank cards
– Tapped by members to define tokenization standards
• Version 1.0 of tokenization published in March 2014
Tokenization is NOT NFC
– Near Field Communications (NFC)
• NFC is a set of standards for smartphones and similar devices to establish radio communication with each other over very short ranges
– Different implementations
• Embedded in mobile phone
• SIM based
• Removable SE (SD Card)
– NFC in Payments
• NFC chip includes a Secure Element
• Stores information in a secure manner
• It is controlled by telephone carrier (MNO) or phone manufacturer
Tokenization is NOT HCE
– Host Card Emulation (HCE)
• Card number stored in host rather than Secure Element
• Solves the MNO control, provisioning and associated expense issues
Putting It All Together
– Tokens can be…
• Defined by the EMVCo specification or by any proprietary standard but have nothing to do with standards for EMV chip cards
• Stored in NFC’s Secure Element or a Host in the Cloud
• Can be stored encrypted or in the clear
– Tokens can be exchanged…
• Between devices using NFC, HCE, or any other technology
• Generally in an encrypted manner
Use of Tokens in the Payments Industry
– Tokens replace bank card numbers at different points in the process
• Tokens reduce card vulnerabilities
• Tokens reduce PCI compliance burdens
– Tokens can be generated in multiple places
• Merchant Generated Tokens
• Acquirer/Processors Generated Tokens
• Network Generated Tokens
Merchant Generated Tokens
– Merchant generates token when card number is first entered into merchant system
– Token database behind firewalls and public access (e.g. cc‐motel, Fluffy, CardVault, etc.)
– All further activity for customer only uses the token, not the card number
– Token is converted to actual card number when it is time to authorize payment
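The merchant flow above, together with the token properties from "Tokens in the Digital World" (no business meaning, not derivable from the PAN, stable when the underlying value changes) and the point that tokenization is not encryption, as an added illustration that is not part of the webinar: a toy in-memory vault (assumed stand-in for the firewalled token database) that mints random tokens, resolves them only on the authorization path, and keeps the token fixed when a card is reissued. The class and function names are constructed for this example.

```python
import secrets
import string

# Constructed test PANs (standard test numbers, not real accounts).
SAMPLE_PANS = ["4111111111111111", "5555555555554444"]


class TokenVault:
    """Toy merchant token vault: an in-memory stand-in for the database that
    sits behind the firewall. Everything outside it handles tokens only."""

    def __init__(self):
        self._token_to_pan = {}
        self._pan_to_token = {}

    @staticmethod
    def _random_token(last4):
        # 12 digits from the OS CSPRNG plus the card's real last four (kept so
        # receipts and customer service can still recognise the card). Nothing
        # in the random digits is computed from the PAN, so, unlike ciphertext,
        # no key reverses the token; only a lookup in this vault does.
        return "".join(secrets.choice(string.digits) for _ in range(12)) + last4

    def tokenize(self, pan):
        """Called the first time a card number enters the merchant system."""
        if pan in self._pan_to_token:
            return self._pan_to_token[pan]        # same card, same token
        while True:
            token = self._random_token(pan[-4:])
            if token != pan and token not in self._token_to_pan:
                break                              # reject collisions
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token):
        """Only the authorization path calls this; refunds, reports and
        customer records keep working on the token alone."""
        return self._token_to_pan[token]

    def rotate_pan(self, token, new_pan):
        """Card reissued: the underlying PAN changes but the token does not,
        so no downstream record that references the token has to change."""
        old_pan = self._token_to_pan[token]
        del self._pan_to_token[old_pan]
        self._token_to_pan[token] = new_pan
        self._pan_to_token[new_pan] = token


def demo():
    vault = TokenVault()
    return [vault.tokenize(pan) for pan in SAMPLE_PANS]
```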
Acquirer/Processor Generated Tokens
– Card is swiped at POS and PAN, track data, and expiration date are encrypted and sent to processor data center
– Card number is decrypted and sent to issuer for authorization and to tokenization server for token assignment
– Processor returns authorization and token to merchant who proceeds to store only the token
– Settlement, refunds, adjustments, chargebacks, etc. use the token number, not the card number
Network Generated Tokens
– Similar to Acquirer/Processor generated tokens but the token is generated, stored, and maintained as a paid service by the card networks
• Visa Token Service
• MasterCard Digital Enablement Service
• American Express Token Service
– Based on a standard published by EMVCo in March 2014
Card Scheme Tokenization Services
– Visa waiving all fees until the end of 2015
– Amex has not released fees yet
– MasterCard Digital Enablement Services (DES)
• Issuers
– Digital Enablement Service Lifecycle Management 10¢ per PAN
– Digitization fee of 50¢ when provisioning a token to a device
• Acquirers
– Digital Enablement fee of 0.01% for select CNP transactions
Apple Pay Tokenization
– How it works ‐ Registration/Enrollment
• Apple Pay “app” sends card number to issuing bank through Visa or MasterCard
• Issuing bank approves card number to be tokenized
• Visa or MasterCard “tokenize” the card number and send token back to app
• Apple Pay “provisions” (i.e. stores) token onto Secure Element (SE) in iPhone, “binding” it to a unique device (DAN)
Apple Pay Tokenization
– How it works ‐ Purchases
• Consumer “taps” on POS device (using Touch ID to authenticate the user)
• iPhone transmits DAN to POS plus a one time code number
• POS sends DAN to Acquirer who sends to Visa or MasterCard
• Visa or MasterCard translate token back to the original card number and send it to issuer (after ensuring that the token came from the “proper” device)
• Issuer approves or declines transaction as normal
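The enrollment and purchase flows of the two Apple Pay slides, as an added model that is not from the webinar and does not reproduce any network's real protocol: the token service mints a device-bound DAN at provisioning, and at purchase time checks the one-time code before translating the DAN back to the PAN for the issuer. It assumes a simplified one-time code (an HMAC over DAN, tap counter and amount under a per-device key); real schemes use EMV cryptograms, which are not modelled here. All class and function names are constructed.

```python
import hashlib
import hmac
import secrets


class NetworkTokenService:
    """Toy model of the card network's token service. Assumption: the one-time
    code is an HMAC over (DAN, tap counter, amount) under a per-device key
    shared at provisioning; real schemes use EMV cryptograms, not modelled."""

    def __init__(self):
        self._records = {}   # DAN -> {"pan", "key", "last_ctr"}

    def provision(self, pan):
        """Enrollment: mint a DAN bound to one device plus a key for that device."""
        dan = "".join(secrets.choice("0123456789") for _ in range(16))
        key = secrets.token_bytes(32)
        self._records[dan] = {"pan": pan, "key": key, "last_ctr": 0}
        return dan, key       # the key is what goes into the Secure Element

    @staticmethod
    def one_time_code(key, dan, counter, amount_cents):
        msg = f"{dan}|{counter}|{amount_cents}".encode()
        return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]

    def translate(self, dan, counter, amount_cents, code):
        """Return the PAN to forward to the issuer, or None when the tap is
        not proven to come from the bound device or repeats an earlier one."""
        rec = self._records.get(dan)
        if rec is None:
            return None                       # unknown DAN
        expected = self.one_time_code(rec["key"], dan, counter, amount_cents)
        if not hmac.compare_digest(expected, code):
            return None                       # wrong device key or altered amount
        if counter <= rec["last_ctr"]:
            return None                       # replayed one-time code
        rec["last_ctr"] = counter
        return rec["pan"]


class Device:
    """Phone side: DAN and key live in the Secure Element; the counter makes
    every code single-use."""

    def __init__(self, dan, key):
        self.dan, self.key, self.counter = dan, key, 0

    def tap(self, amount_cents):
        self.counter += 1
        code = NetworkTokenService.one_time_code(self.key, self.dan, self.counter, amount_cents)
        return self.dan, self.counter, amount_cents, code
```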
Tokenization Benefits
– Reduce attractiveness of mass data breaches
– Reduced scope of PCI DSS
– Increased security of mobile payments
– Increased perception of security by consumers
General Tokenization Issues
– Token generation
• How random is random?
• Can true “isolation” be achieved?
– Token availability
• Database management
– Availability, backup, and restore
• Interoperability
– Routing debit transactions
– Conflict with current loyalty schemes
– Token safety
• Token DB protection
Visa and MasterCard Tokenization Issues
– Compatibility with existing services
• Visa Token Service, MasterCard Digital Enablement Service, American Express Token Service
vs.
• First Data TransArmor, TSYS Guardian Tokenization, Bell ID Tokenization Manager, etc.
– Compatibility with other standards schemes
• Secure Remote Payment Council
• Accredited Standards Committee X9 Inc.
• International Standards Organization (ISO)
– Operational Issues
• GUI and Customer Service
• Recurring payments
• Chargebacks, refunds, and investigations
Tokenization Services Strategic Issues
– Open Standards
• Tokenization as an Open Standard ‐ Is EMVCo the right “home” for tokenization standards?
– Control
• Visa and MasterCard control the data and access to funding account
– “Those of us that participate in the token infrastructure can make decisions on who you want to give access to, whether you want to charge for it and things like that.” Visa CEO Charles Scharf, Bank of America Merrill Lynch 2014 Banking & Financial Services Conference
– Conflict With Durbin Routing
• Accounts with debit cards tokenized by Visa and MasterCard can only be accessed by merchants through Visa and MasterCard
Tokenization Summary
– Tokenization is the concept of substituting sensitive data with meaningless values
– Tokenization is being used by merchants, acquirers, processors, and now card schemes to help reduce vulnerabilities of cards
– Visa, MasterCard, and Amex have introduced tokenization standards that give them control over access and data and which will be provided for a fee to issuers and acquirers
– A number of significant issues related to tokenization have to be addressed and resolved by the payments industry