Webinar ‐ Tokenization 101
René M. Pelegero
Retail Payments Global Consulting Group L.L.C
December 15th, 2014
Webinar Overview
– A description of tokenization and how the technology is being employed in the payments space
– Agenda
  • What is tokenization?
  • What is NOT tokenization?
  • Tokenization in payments
  • Card scheme tokenization and Apple Pay
  • Tokenization issues
History of Tokens
– Token Definition
  • Tōkən / noun
  • A thing serving as a visible or tangible representation of a fact, quality, feeling, etc.
  • A voucher that can be exchanged for goods or services, typically one given as a gift or offered as part of a promotional offer.
Tokens in the Digital World
– Replace sensitive data elements to protect them from exposure
  • An HR number instead of SSN as the primary access key to an employee database
  • An Address ID to identify a full address
– Have no business meaning
  • Cannot be used to derive the original value
  • Do not have to change as the underlying value changes
Tokenization Is Not
– Encryption
– EMV
– NFC
– Host Card Emulation (HCE)
Tokenization is NOT Encryption
However, tokens are often encrypted
Encryption 101
Tokenization is NOT EMV
– Europay, MasterCard, Visa (EMV)
  • Founded in 1999 to define the specifications of chip‐based payment instruments
  • Presently six member organizations
    – American Express
    – Discover
    – JCB
    – MasterCard (merged with Europay in 2002)
    – UnionPay
    – Visa
– EMV name used to describe chip‐based bank cards
– Tapped by members to define tokenization standards
  • Version 1.0 of tokenization published in March 2014
Tokenization is NOT NFC
– Near Field Communications (NFC)
  • NFC is a set of standards for smartphones and similar devices to establish radio communication with each other over very short ranges
– Different implementations
  • Embedded in mobile phone
  • SIM based
  • Removable SE (SD Card)
– NFC in Payments
  • NFC chip includes a Secure Element
  • Stores information in a secure manner
  • It is controlled by telephone carrier (MNO) or phone manufacturer
Tokenization is NOT HCE
– Host Card Emulation (HCE)
  • Card number stored in host rather than Secure Element
  • Solves the MNO control, provisioning and associated expense issues
Putting It All Together
– Tokens can be…
  • Defined by the EMVCo specification or by any proprietary standard but have nothing to do with standards for EMV chip cards
  • Stored in NFC’s Secure Element or a Host in the Cloud
  • Can be stored encrypted or in the clear
– Tokens can be exchanged…
  • Between devices using NFC, HCE, or any other technology
  • Generally in an encrypted manner
Use of Tokens in the Payments Industry
– Tokens replace bank card numbers at different points in the process
  • Tokens reduce card vulnerabilities
  • Tokens reduce PCI compliance burdens
– Tokens can be generated in multiple places
  • Merchant Generated Tokens
  • Acquirer/Processors Generated Tokens
  • Network Generated Tokens
Merchant Generated Tokens
– Merchant generates token when card number is first entered into merchant system
– Token database behind firewalls and public access (e.g. cc‐motel, Fluffy, CardVault, etc.)
– All further activity for customer only uses the token, not the card number
– Token is converted to actual card number when it is time to authorize payment
Acquirer/Processor Generated Tokens
– Card is swiped at POS and PAN, track data, and expiration date are encrypted and sent to processor data center
– Card number is decrypted and sent to issuer for authorization and to tokenization server for token assignment
– Processor returns authorization and token to merchant who proceeds to store only the token
– Settlement, refunds, adjustments, chargebacks, etc. use the token number, not the card number
Network Generated Tokens
– Similar to Acquirer/Processor generated tokens but the token is generated, stored, and maintained as a paid service by the card networks
  • Visa Token Service
  • MasterCard Digital Enablement Service
  • American Express Token Service
– Based on a standard published by EMVCo in March 2014
Card Scheme Tokenization Services
– Visa waiving all fees until the end of 2015
– Amex has not released fees yet
– MasterCard Digital Enablement Services (DES)
  • Issuers
    – Digital Enablement Service Lifecycle Management 10¢ per PAN
    – Digitization fee of 50¢ when provisioning a token to a device
  • Acquirers
    – Digital Enablement fee of 0.01% for select CNP transactions
Apple Pay Tokenization
– How it works ‐ Registration/Enrollment
  • Apple Pay “app” sends card number to issuing bank through Visa or MasterCard
  • Issuing bank approves card number to be tokenized
  • Visa or MasterCard “tokenize” the card number and send token back to app
  • Apple Pay “provisions” (i.e. stores) token onto Secure Element (SE) in iPhone “binding” it to a unique device (DAN)
Apple Pay Tokenization
– How it works ‐ Purchases
  • Consumer “taps” on POS device (using Touch ID to authenticate the user)
  • iPhone transmits DAN to POS plus a one-time code number
  • POS sends DAN to Acquirer who sends to Visa or MasterCard
  • Visa or MasterCard translate token back to the original card number and send it to issuer (after ensuring that the token came from the “proper” device)
  • Issuer approves or declines transaction as normal
Tokenization Benefits
– Reduce attractiveness of mass data breaches
– Reduced scope of PCI DSS
– Increased security of mobile payments
– Increased perception of security by consumers
General Tokenization Issues
– Token generation
  • How random is random?
  • Can true “isolation” be achieved
– Token availability
  • Database management
    – Availability, backup, and restore
  • Interoperability
    – Routing debit transactions
    – Conflict with current loyalty schemes
– Token safety
  • Token DB protection
Visa and MasterCard Tokenization Issues
– Compatibility with existing services
  • Visa Token Service, MasterCard Digital Enablement Service, American Express Token Service
  vs.
  • First Data TransArmor, TSYS Guardian Tokenization, Bell ID Tokenization Manager, etc.
– Compatibility with other standard schemes
  • Secure Remote Payment Council
  • Accredited Standards Committee X9 Inc.
  • International Standards Organization (ISO)
– Operational Issues
  • GUI and Customer Service
  • Recurring payments
  • Chargebacks, refunds, and investigations
Tokenization Services Strategic Issues
– Open Standards
  • Tokenization as an Open Standard ‐ Is EMVCo the right “home” for tokenization standards?
– Control
  • Visa and MasterCard control the data and access to funding account
    – “Those of us that participate in the token infrastructure can make decisions on who you want to give access to, whether you want to charge for it and things like that.” Visa CEO Charles Scharf, Bank of America Merrill Lynch 2014 Banking & Financial Services Conference
– Conflict With Durbin Routing
  • Accounts with debit cards tokenized by Visa and MasterCard can only be accessed by merchants through Visa and MasterCard
Tokenization Summary
– Tokenization is the concept of substituting sensitive data with meaningless values
– Tokenization is being used by merchants, acquirers, processors, and now card schemes to help reduce vulnerabilities of cards
– Visa, MasterCard, and Amex have introduced tokenization standards that give them control over access and data and which will be provided for a fee to issuers and acquirers
– A number of significant issues related to tokenization have to be addressed and resolved by the payments industry