“Tokenization is a step towards the realization of a payment becoming embedded within a user experience,” says Paul Bridgewater, TSYS Group Executive, Global Product & Innovation. Now that Apple Pay has officially been announced, the pressure is on everyone in the ecosystem to think differently. MPD CEO Karen Webster recently caught up with Bridgewater, this time to discuss why innovators have to think in reverse in order to move innovation forward, and why Apple Pay is the perfect trigger for making that happen and the role that tokens will play in making that happen.
KW: Tokenization has become a buzzword, and just like any buzzword, people don’t always understand what it means and its implications. What’s your perspective of how the Apple announcement has changed the conversations you’re having with merchants and issuers and innovators about tokenization?
PB: Speaking from the merchant side first, the question has really been what should they do with NFC? NFC is around a $40-60 upgrade to a POS terminal. When you’ve got 1-2 terminals, that’s a pretty straightforward decision to make. When you’ve got 400-500 terminals, that becomes quite a big item to expense. That has now been answered, though. We’ve seen retailers coming out of their coma and heading toward NFC, and the Apple Pay announcement has helped make that decision for retailers. I would be incredibly surprised if retailers weren’t automatically agreeing to the NFC capability when they purchase new hardware for their EMV terminal refresh.
KW: I still think that if Apple Pay is thinking about ignition, it needs to do more than rely on NFC. It’s going to take a long time for that to work its way thru the merchant system – sort of like the big snake swallowing the gigantic elephant. There are other things that need to happen in the cloud, leveraging technology infrastructure and standards that relate to tokenization in a big way. Agree?
PB: You’ve got to believe that Apple’s next generation iPad would include NFC acceptance. If you look at the inertia happening within smaller to mid-sized retailers around the adoption of POS technology on the iPad platform, as that continues to gain momentum, an iPad with the ability to accept NFC transaction has to be a natural way to ignite acceptance at everyday retailers.
KW: I agree, especially when mashed up with iBeacons. I can see Apple doing a nice little bundle for merchants including an iPad that enables NFC and Apple Pay, and also beacons. But mPOS is a crazy space, with 134 companies all of whom won’t be survivors. You need scale, more than just the ability to accept a card as a proposition to be sticky and have longevity.
PB: On the retailer side, that’s where my thoughts are around the continued adoption of NFC. I also think this has got to be the ignition point for SoftCard, the ex-ISIS. I think that although Apple Pay solves the problem with Apple devices, if you look at the market share of Apple versus Android OS providers, you have to believe that SoftCard is moving into a much better place of NFC adoption.
KW: I have a different POV on that – I think they’re still in trouble because they are so wrapped around the Telco model. I think what’s interesting though is that the objection to SoftCard has been the man in the middle being the Telco. Now, you still have the man in the middle but its Apple, and people seem fine with that. I do agree on one point – there will be intense competition to own the Android ecosystem, and you have to have a particular combination of skills, expertise and ownership of hardware and software to make that happen.
PB: I think the Telcos need to get over the fact that the secure element in the device isn’t the crown jewel. They need to start to think about what makes a great user experience, making consumers want to put the device in their pocket.
On the issuing side of tokenization, you’ve got to believe that if an issuer wants to enable cardholders to transact in a customer-not-present environment, they must have support for tokenization. That’s pretty clear. Where EMV is the secure answer to customer-present transactions, tokenization is going to be the secure standard for customer-not-present. So issuers, from my perspective, need to support tokenization in their processing environments.
KW: But isn’t the MO for Apple Pay to have a tokenized exchange regardless of where consumers are interacting? There’s the secure token within the phone, and in that secure element, transactions are initiated, and through the issuance of a tokenized transaction, that transaction is incapable of being hacked in anyway. Is that right?
PB: Yes, in a way. The token is the data point that is transferred or used for that transaction to be enabled. But thinking broader than just Apple Pay, as tokenization impacts our industry, what Apple Pay is doing is utilizing that same CNP tokenization solution for customer-present transactions as an alternative to an EMV transaction.
KW: I think that’s a very powerful concept. But, what’s interesting is the ability to have multiple layers of security. Remember, what Tim Cook said about Apple Pay is that your identity as a consumer lives in a secure element and is completely tokenized. No one can get the keys to this, and if they did, they wouldn’t be able to do anything with it. That seems like a good deal for consumers, right?
PB: Yes, but I’m not sure about the dynamic card number and CVV – we know that the token is linked to a device in the form of Apple Pay. If I have three iPhones, each of them will have a separate token linked back to a single PAN and kept within a secure element. That token is transmitted in an encrypted form through the token service into the issuer, where transactions happen as normal. What it does is eliminates or reduces greatly the value in a breach attack at a retailer. The data that the retailer has and is using to transact is not the clear text account number that the account on file is linked to.
KW: Now that there’s movement around a tokenization standard, which is a great development for the industry, who manages the process? I know the networks have that ability, and I’m sure the banks do or will want to as well, but where do you see this tokenization ecosystem evolving and what’s the role that TSYS plays in enabling it all?
PB: The management of the tokens, the risk management, the ability for token requesters, or the retailers, to request tokens that are linked to an account number, all of that control is with the issuer. For example, Amazon as a retailer would be a token requester – instead of a consumer going into Amazon and putting the card number in, if a consumer wanted to sign up with Amazon, they could provide Amazon with their card details and it would request a token to be linked to their account. Amazon could do that for the online experience and from the mobile app.
But the issuer has control around how the tokenization service is used on top of their portfolio. What TSYS does is embed all of that token management control into the existing customer service solutions and cardholder service solutions and risk management solutions that we already provide to issuers as part of our partnership with them.
Essentially, from an issuer perspective, this is just another capability that they can now enable and manage on behalf of their cardholder if they want to enable their cardholder to request tokens. But the way I see it emerging is that every interaction with a retailer that a consumer has will essentially have its own token.
KW: Wow, that’s a lot of tokens to manage.
PB: Yes it is, and it also brings in a whole new dynamic around analysis and security. Now you know what transactions are coming from which devices, and what types of shopping experiences. Now you have another level of granular data around shopping habits, behavior, and profiles of the consumer, and more importantly, the first use case for it will be fraud mitigation. So, for example, Karen Webster shopping on eBay may have a different fraud risk profile than Karen Webster shopping on Nordstrom online site.
The tokenization service enables you to provide a fraud profile on a primary account number based upon what type of requester is requesting for a token. It does give more control to the issuer with this additional layer of fraud management for an individual cardholder.
KW: So where do the networks come into play? I thought they were managing the token process at least for the banks that didn’t want to do it.
PB: So there is an “on behalf of” service, an OBO service, that’s provided by the card brands for the management of the tokens via portals. If you haven’t interfaced to the APIs and services for the tokenization service and embedded that into your card management system, you can go on to the Visa or MasterCard portals and manage the tokens that way. It’s a service where you can manage the tokenization solution with, versus it being embedded into the card management system. This is basically a stepping stone for issuers – otherwise you have to get every issuer out there to interface and do development work. The OBO service eliminated the development requirement from day one, but ultimately, as this builds out, I would think that every issuer would have tokenization embedded into the core technology that they use. The integration isn’t difficult, but it’s just time-consuming.
KW: If we now have these tokens and a Apple phone that has a unique device account number linked to a card, it’s less likely to be hacked. But couldn’t a token requester be my refrigerator or my car? Isn’t this a way for the internet of things to come to life, because you’ve taken the friction out of the process and made it secure?
PB: That’s right, and I’ve been a big believer in sensor technology becoming more important to our industry as that technology develops. I believe that at some point every tangible product or item that we carry or own will be able to communicate with something. Tokenization is definitely a step towards the realization of a payment becoming embedded within a user experience, versus an actual event as part of a commerce transaction. That certainly paves the way to a whole new opportunity to innovate in the payments industry.
And, like I said before, that’s why I see TSYS becoming the “Intel” of payments. Our ability to enable our clients on the retailer and on the issuer side to embed the payment capability will be critical as our industry innovates around the new opportunity. We’re sitting right in the middle of an ecosystem where payments essentially will become transparent.
I think Apple Pay is an important early step, but tokenization as a whole is thecritical component that will help us change the way our industry integrates into commerce. Payments will become more attached to a commerce experience than ever before.
KW: This is complicated stuff and it’s coming at issuers at a point in time when they have a lot of other things to think about. It’s nice in many ways that Apple Pay has seemed to set a direction, and now we can compete and get focused on how to leverage those standards for the benefit of merchants and issuers.
PB: It’s also forcing people to think differently. In this industry today, you can’t think of it as a technology play – you have to think of the end user experience, and get the technology to support that. If you can think in reverse like that, that opens a whole new world around payments, and TSYS is in the middle of all of it.
Group Executive, Global Product & Innovation, TSYS
Paul Bridgewater, a veteran of the payments and financial services industry, was named Group Executive of Global Product at TSYS in 2011. Prior to joining TSYS, Bridgewater served as senior vice president, payments, of Digital River, Inc., in Eden Prairie, Minnesota, where he managed all aspects of its multi-million dollar internal payment services business unit. Bridgewater’s additional responsibilities at Digital River included product management and roadmap execution, third-party payment vendor relationships, payment services strategy, and real-time fraud and risk mitigation for its external payment services business. Bridgewater also has extensive international payments experience, having worked extensively with Citibank International, NatWest Bank, PLC, and Anker Data Systems.