There are three things that consumers, merchants, issuers and card networks all want from a payments experience: that it be secure, that it be easy to use and that it be available to consumers at all of the places they want to shop. The payments ecosystem has spent the last five decades building, supporting and evolving an infrastructure to deliver on that promise. The payments form factor over that period of time has been primarily a plastic card, some of which had mag stripes (US, China), some of which had embedded EMV cryptology (Europe, LATAM, Canada) and some of which had contactless capabilities (Europe, Asia, US).
Then a funny thing happened in 2007.
Apple introduced the iPhone.
The iPhone set in motion a wave of innovation that mashed up the power of a mobile device connected to the internet, apps and an inspired ecosystem to transform the relationship between brands and their customers. Payments and commerce became a natural use case for this innovation and the prospect of commerce anytime, anywhere began to take shape.
Apple, and smartphones more generally, have helped to reinvent the consumer’s shopping and buying experience by making it easy for them to use the devices they love to buy the stuff they love from the merchants they have (or want to have) a relationship with.
Now, seven years later, Apple and smartphones, have introduced the first commercial application of another mobile commerce innovation – one that has the potential to reinvent that experience once again.
But this time, that innovation isn’t an app or even a device. It’s something much more subtle yet potentially much more powerful.
“‘Token’ is a very broad term, like ‘Wallet,’ that is often used by different people to describe many completely different things. A lot of times when an acquirer says to a merchant ‘we’ll hold all card information & give you a reference number’ that’s also often referred to as a token. People think it’s a reference number as opposed to a highly-secure, fully functional, and unique device-based account number, like the ‘tokens’ we have deployed with Apple Pay.”
That’s MasterCard’s Chief Emerging Payments Officer Ed McLaughlin, who stopped by to talk tokens and digital identity with MPD CEO Karen Webster.
McLaughlin is a great fan of tokenization, and believes that the way most people talk about tokens today misses the huge part it will play in redefining how commerce as we know it, happens worldwide. And he would know, since for the last two years McLaughlin and his team have probably thought more about tokens than almost anyone else on the planet as they developed something they refer to as the MasterCard Digital Enablement System (MDES).
Tokens and tokenization, McLaughlin believes, are much more than simply “the process of substituting a sensitive data element with a non-sensitive equivalent, referred to as a token, that has no extrinsic or exploitable meaning or value.”
A token in MasterCard’s hands is most fundamentally a unique digital credential – an encrypted card number associated the MasterCard PAN – that is bound to a particular device. Each device that a consumer has will have a different tokenized credential – called a device account number. The provisioning of that device credential is a one-time set up that can only happen once an issuer authorizes that the consumer is in good standing and that it is an account that they wish to have provisioned to a device.
When transacting, MDES allows that device account token to be further secured by generating a unique, one-time security code for each transaction that is further secured with an EMV key. That security code, along with the device account number, is then passed to the acquirer, creating a unique one-time account number for the transaction. The transaction is then processed thru the rest of the existing authorizing infrastructure for approval.
What McLaughlin says makes this process incredibly unique and secure is that it creates a base layer of security so that a transaction can’t happen unless a key-generated cryptogram is combined with a device specific token. In the case of Apple Pay, this digital credential enablement works in concert with Apple’s TouchID, adding an additional layer of security by not allowing the token itself to be issued until either a biometric authentication has been verified, or a passcode has been entered.
“With our digital enablement system, we provide a unique account number for the device that’s bound to that device. We can control how it’s being used once the issuer has authorized that they wish that consumer and that device to have a token, to block illegitimate use of the account. Secondly, when that number is provisioned and put into the device, every transaction that is done with that device has a one-time code that is generated, securely,” McLaughlin told Webster.
Tokens, understood this way, create something that it becomes hard to use fraudulently. It’s just not possible, for example, to strip off a device’s token and use it on a website in the way one could hack a credit card number and commit fraud. But, fraud created by lost or stolen cards becomes much easier – and less costly – for issuers to manage. Device-specific tokens mean that device-specific account numbers can be re-enabled without having to shut off all access to every device that may have that account number stored.
“We can also say that if for whatever reason the device needs to be cut off, or changed, we don’t have to touch every place you’ve stored the number, just the specific token in the device,” McLaughlin explained.
When asked whether MDES carves out a new role and new place in the ecosystem for MasterCard, McLaughlin told Webster that this is just a natural extension of existing MasterCard services to new devices.
“We’ve always provided these types of services. We do it with EMV card validation today. It’s just an extension into the device world,” McLaughlin told Webster, explaining that though what they have done here may sound very different, it’s actually just a natural extension of infrastructure they’ve already built for EMV.
Past the Apple-specific part of the transaction (the bio-authentication), all MDES transaction works as though one were using an EMV card. The information flows in from the terminal, the cryptogram is generated and validated based on the key, and the transaction is pushed with a unique number.
“That then flows into the normal acquiring system, and works with all of the infrastructure and investments in place. Acquirers are already ready for it provided they are ready for EMV – it’s an EMV-based contactless transaction,“ McLaughlin clarified.
McLaughlin emphasized that the system also preserves the central role of the issuer, by making them the end point in the enablement end of the transaction.
“The final point is the tokens are authorized, released, and placed with and by the authorization of the issuer who has control of the account. That gives [them] that great closed loop – the thing that goes in the device is a secret that only the issuer knows so when it arrives back to them through the traditional channels, they know the card is the card and the customer is the customer, and it’s being used appropriately.”
While Monday’s Apple Pay launch may take up a good deal of the media attention, the launch of MDES should catch the eye of anyone interested in the shape of things to come in payments – both in the U.S and around the globe. And even though MDES enables a payment service like Apple Pay, to work anywhere that MasterCard contactless works, which is currently more than 2.5M merchant locations in 60-plus countries, MasterCard has a bigger vision for MDES as the power behind the protocol for a variety of use cases going forward.
“Apple Pay is the first program to take advantage of this infrastructure. That’s foundational, just like when we started putting the plastic infrastructure in place.”
One of the areas that was noticeably absent from Apple Pay’s launch was the browser based mobile shopping experience. When Webster asked McLaughlin about browser-based shopping as a use case, pointing out the large percentage of online shopping that happens outside of apps, McLaughlin said that MDES will function with online purchases as well. McLaughlin asserts that it ultimately doesn’t matter if the purchase is coming in a store, through an app or on a browser—at the end of the day it is all about creating, flawlessly, the same experience. This same process, for example, is what underpins the use of MasterPass.
“For me, whether I’m tapping, pushing through an app, delivering it in a browser, it really is just the way you secure and deliver that MasterCard transaction.”
Clearly, making transacting via the mobile device more secure is a huge driver of the interest in tokenization, a topic made even more prominent given the attention now paid to secure POS transacting in the face of the many breaches and cyber-attacks.
But McLaughlin believes that’s merely the starting point.
Tokens as digitized, secure device specific credentials can accelerate the delivery of embedded commerce in any device that connects to the internet. McLaughlin pointed to the incredible consumer convenience that comes from eliminating the need to enter and then store card and consumer credentials across multiple web sites or apps, relying instead on a protocol that does all of the work in the background. He likened tokens as digitized credentials to IP addresses and web sites – a global standard that not only creates interoperability across devices and merchants but one that removes friction from the consumer and merchant experience.
“Some of the stats we’ve seen is that there are about 27 apps that a typical user has, and about half of them might be used for commerce. Instead of having 10 different places where consumer credentials may be, consumers have the convenience and security of simply leveraging the mobile phone operating system.”
MasterCard has made a bet, namely that digital credentials are the future of keeping cardholder and transaction data safe, while removing the friction associated with moving from a plastic-enabled to a digital-enabled commerce world.
“The device doesn’t define the payment system, it’s the payment system that make the devices that much more useful and interesting. Devices themselves can help make transactions more secure than what can be done with plastic,” he said.
McLaughlin believes strongly that MDES and its token framework is what the digital world needs to accelerate the adoption of mobile and digital commerce. But he also recognizes that the industry is in the very early days of what will be an exciting new commerce future. McLaughlin acknowledged that tokens have to “work well before they can work better,” recognizing the important role that the network plays in actually getting a global, interoperable standard in place and what McLaughlin said is what motivated MasterCard to contribute its base of proprietary technologies to the effort in the first place.
“It’s the right architecture for moving to a world beyond plastic, where every device is a commerce device. This is enabling the framework for that,” McLaughlin explained.
McLaughlin further remarked that MasterCard will “compete like crazy” to ignite an ecosystem that can leverage the digital enablement system and MasterCard assets that are already in place. If MasterCard believes that tokens are the onramp for a digital world that embeds commerce in any device capable of enabling it, it wants to be the one to blaze that path, worldwide.
“With MDES we will be able to place secure tokens or credential in any number of devices or programs that the issuer chooses to participate in and that consumers want, giving consumers the ability to try out commerce in various environments and tie it all back together to the MasterCard account, making sure they get the guarantees and rewards they enjoy from using their MasterCard, and for merchants, enabling it to work with systems they have in place. Apple Pay is a catalyst, and is the implementation that allows people to visualize and understand a lot of what we’ve been talking about,” McLaughlin told Webster.
Or at least start to visualize it.
From the sounds of it, there’ll be a lot more to see and soon.