Here A Token, There a Token…

Tokenization may not be new, but it is a hot topic in payments, thanks to the introduction of the network tokenization schemes. All of this is pulling merchants in a variety of directions to understand what to support and why and when.

Alex Pezold, Co-founder and CEO of TokenEx, doesn’t think merchants should be locked into any one solution, as flexibility is the key to success in a world of tokenization. He recently shared his thoughts on the matter in a discussion with MPD CEO Karen Webster.

KW: Tokenization has become very much a buzzword, with everybody throwing it around. There are actually two tokenization camps: the security tokens that protect the data at rest once it’s traveled through the point of sale environment on the acquiring side, and the payment tokens on the issuing side that the networks have created to enable payment schemes such as Apple Pay, Android Pay and the like.

On which side of the token universe is TokenEx?

AP: TokenEx is actually on both sides of the fence. We have customers, for example, that are digital wallets, that are using TokenEx and our platform very much like Apple Pay uses Visa, and how MasterCard is applying tokenization to the digital eCommerce marketplace.

But we also have lots of conversations with big players in the retail and eCommerce arena who are fed up with being tied to the existing payments players. They’re fine with having multiple providers for separate services – like fraud prevention, and tokenization, and so on – they just don’t want to be bound to contracts and pricing with any one of them. They want the flexibility to maneuver between different providers.

TokenEx addresses that need, providing tokenization for customers who are tokenizing payment card data, personal identifiable data, and any number of different data sets that present risk for data at rest, as well as architectures for mobile payment platforms that are available.

KW: Who are your customers? Who actually buys the token platform services that you offer?

AP: Think of TokenEx as a layer of abstraction between merchants and service providers and the payment service providers.

Small- and medium-sized businesses tend to buy us for the compliance component; they want to reduce or even eliminate compliance. Larger organizations, such as Fortune 500s, will buy us because they want to get rid of risk. Our customer base ranges from startup eCommerce platforms all the way to Fortune 10 companies.

Our target market, and where we see a tremendous amount of growth right now, is eTailers that have multiple payment acceptance channels. For them, we act not just as a tokenization provider but more of data security platform and a tokenization integrator, regardless of the size of the particular company.

KW: Something you said that I found interesting was that your customers want the flexibility of not having to be tied to a single provider of payment solutions. The flipside of that coin, though, is that having one provider really does simplify things – especially for merchants that otherwise lack the resources and know-how to go to different places for different services.

How do you simplify the conversation with – and the solution for – a merchant that has a lot of other things to worry about?

AP: That’s a great question. I mentioned the term “integrator,” which describes how we view ourselves with respect to tokenization encryption and key management technologies, as opposed to simply a tokenization service provider.

We’ve moved ourselves out of the latter category because it assumes that what every commoditized payment service provider is putting forth today is the tokenization generation engine.

Simplifying the conversation is very easy to do. We ask the merchants, “What are you trying to achieve?” They want to be as many places as they possibly can be to acquire as many transactions, or purchases – whatever the specific metric may be – as possible. The goal for us becomes to get as close as possible to the payment information in that channel, while the merchant maintains whatever service providers it chooses.

If a merchant wants to have an all-in-one provider for fraud solutions, it can do that. But we recommend that the merchant still give itself some flexibility to maneuver – at the very least, keeping its data away from the provider.

We’re integrated with over 30 payment gateways, 4 of the major 7 payment processers, as well as with fraud prevention solutions. We aren’t just providing services; we’re providing a complete solution for customers. And that often includes solutions that help direct them to different providers that best fit their needs for different services.

KW: So you give them the ability to unbundle the tokenization service from other services that their acquirer may offer, and they can take the risk-management piece of that payment capability wherever they like. Is that the pitch?

AP: “Unlimited flexibility” is the pitch.

And when we offer flexibility among any service providers, we include ourselves in that. We don’t require contracts; we will give our customers back their data with 24 to 48 hours; should a customer decide to bring a tokenization capability or an encryption capability in-house, we’ll gladly help them with that transition away from us.

That’s just the way we choose to do business. We want things to be flexible and easy for our customers – no hang ups; no situations where we’re holding data hostage. Business shouldn’t be done that way; it should be very transparent and easy, as to serve the best interests of our customers’ livelihood.

KW: When you talk to merchants about tokenization, do their eyes kind of glaze over because this is yet another thing they have to deal with, on top of EMV migration and mobile integration and – oh, then by the way – conduct their actual business of selling?

 AP: That’s another great question – and the short answer to it is “yes.”

The key to overcoming eyes glazing over, though, is to bring a degree of excitement and actually solve a problem. Instead of just saying, “Sure, we’ve got tokenization, let us know if you want it,” we ask questions of merchants to find out specifically what they are trying to do, and generate a conversation with them.

Much to the credit of our marketing team, the mantra of our sales organization is “education and empowerment.” We want to educate our users; we want to empower them to make the decision.

When we walk into a room to talk to a company’s enterprise architect and eCommerce team, we don’t have just another tokenization conversation. We go through a whiteboard session; we add liveliness and we give them something to be excited about.

KW: The excitement is generated because you give them flexibility, and you minimize PCI scope… But don’t a lot of other people do that, too?

AP: No, not necessarily. And I would say the excitement for these companies actually comes from the creativity and the freshness of having a true integrator working with them, as opposed to just a platform provider.

We tell our clients, “we’re going to connect and we’re going to push your PCI compliance boundary to the furthest edge.” Most payment service providers can’t say that.

If a company is looking to reduce compliance scope and uses a standard service provider, that provider is going to give you a solution – maybe. They’ll perhaps solve an eCommerce problem, but they won’t solve a call center problem, or a mobile problem; they won’t solve batch files or a virtual terminal. Payment card data still has to flow through a merchant’s environment before it can be sent off to the processor, so their entire environment is still in scope.

With TokenEx, we’re actually going beyond that. We’re pushing way out to the boundary and all those different acceptance channels. And that’s what gets companies excited.

KW: The way that tokenization and related activity works within the payments ecosystem seems very fragmented today, with lots of different people doing lots of different things. Do you think that at some point a standard will be established that brings it all together?

AP: I don’t think so; and I would actually submit that that’s an undesirable outcome.

Were tokenization to be standardized, with everyone using it in the same way, that would actually amount to just a recreation of credit cards.

KW: Standardization, though, is what makes credit cards work globally.

AP: Exactly – and the problem with credit cards right now is fraud and security. If somebody steals a credit card, he or she knows that it can be used just about anywhere.

If a token is created that looks like a credit card across every single service provider, then it can, in essence, be used as a credit card. A cross-domain tokenization issue is created.

I think that EMVCo, The Clearing House and PCI are all doing a great job of defining what is acceptable in terms of how tokens should be created for various implementations. The industry was already several years into providing tokenization before any of those three entities actually pushed out any type of guidance.

You don’t want to create that cross-domain issue with tokens, so it’s good that it’s fractionalized because that prevents one token built for one service provider being used with another service provider.

KW: But aren’t the networks solving for that – by separating the payment tokens from the transaction tokens? And then applying a cryptogram to?

They’re not issuing the same token for everything, but they’re creating an underlying standard that everyone can in turn leverage in order to create consistency around the world.

AP: Standardization as it pertains to communication and usage is totally fine. It’s a different case for standardizing token generation because every environment is unique – which segment of the card number is retained, whether alphanumerics are applied, and on and on. For a merchant or service provider that’s already tokenized its entire environment to suddenly be told, “that’s not going to work anymore,” that won’t fly and they’ll just continue to use independent providers.

As far as the way that tokens are utilized and passed around in different ecosystems, I think it’s good to have some kind of guidelines to go by. Not so much with the generation of the actual token.

KW: We’re certainly in early days. But there’s a whole new path being laid out by the networks with their digital enablement services that tokenize on the issuing side, standardizing it, and removing the provisioning burden from issuers in order to get some traction with mobile schemes.

It’s obviously a hot topic, as evident in what you just described.

AP: Love it or hate it, Visa and MasterCard aren’t going anywhere. They’re going to continue developing new ways to retain business. As each tries to design a framework for the digital ecosystem in its own way, neither is exactly playing nice – they’re not meeting in the middle. If there is going to be a standard for communication and usage, those guys will need to get on the same page.

KW: At the end of the day, the goal is ultimately to keep data secure and create confidence in how payments transactions are done.

Turning back to the merchant side, I feel for the merchants who are trying to sort it all out. They have so much coming at them today.

AP: I feel sorry for merchants today. The one voice they have repeatedly telling them that they need to be PCI compliant is from their upstream – their payment service provider, whoever that may be. But that same upstream isn’t providing any guidance for the process.

If I had a penny for every call I’ve had with one of our customers about their payment service provider talking about PCI compliance and how to validate for it, I wouldn’t need to have a tokenization company – I’d be rich!

The reality of the situation is, customers are being told that they need to be PCI compliant and simply directed to a website or given a form. Nine times out of 10, that form is the wrong form – so the customer is immediately out of compliance and at risk. In my experience, payment service providers and upstreams are not giving sufficient guidance in terms of the steps needed in order to achieve compliance.

We have those conversations with customers; we educate them about the details specific to their situations and it alleviates frustration about the process. Merchants ultimately want to have these conversations; it’s just that payment service providers so often treat them as if they’re an annoyance.

KW: Let’s say you’re sitting across the table from a merchant, and the merchant says, “I am bewildered. I have EMV coming at me and I’ve got to figure out what to do there. I’m hearing everyone talking about their respective tokenization services; I have people wanting me to rethink my POS environment and buy new hardware.

“What’s my first step? If I do one thing right now to give me the best possible protection of cardholder data, what should it be?”

AP: That’s actually a really good question. The easiest thing that comes to mind would be for the merchant to get rid of that big glut of credit card data it’s storing in its environment for recurring payments, analytics, customer convenience or the like. A data breach would cost the merchant about $90 per record – so multiply the whole thing by 90. That data needs to go.

Beyond that, I would recommend sitting down with the merchant to map out its data flows and the technologies associated with them. Then we’d talk about the technologies being introduced today that are going to match up with EMV, or PCI, or any of the different things the merchant is trying to do – such as mobile.

From that point, we can discuss a phased strategy for rolling out technologies that, No. 1, are going to make sense for the merchant and that’s comfortable using, and, No. 2, aren’t going to break the merchant’s bank.

KW: And there’s a “No. 3” that takes us back to where we started: a technology that is not going to bind the merchant to a point-in-time technology that might be good for today but might not work as the business evolves.

The fact is that businesses don’t remain static if they’re successful. They grow, they evolve, their needs and goals change. Having the ability to adapt is a pretty important requirement.

AP: I couldn’t have said it better myself. As a business owner, you don’t want to be locked into any one particular thing if you don’t have to be. Doing business with who you want to do business with is actually a luxury these days; it’s no longer a given.

In our experience, being a service provider that actually gives you options is certainly well-received.