The use of tokens – the concept of a surrogate being used to replace something of value – is nothing new in payments and financial services. But the consumer-driven demand for smart devices, coupled with rapidly changing technologies, has the industry buzzing about what’s next in tokenization – especially when network tokenization, at least for now, seems a bit at cross purposes with tokenization on the acquiring side. MPD CEO Karen Webster moderated a 60-minute digital discussion with seven industry players including Samsung, Verifone, CA Technologies and MasterCard to hash out the profound changes tokenization is bringing to the payments space.
Hardly any topic has garnered as much attention across the payments ecosystem as tokenization has recently. It’s not a new concept, since tokens have been used to encrypt cardholder information post-authorization for many years. But it’s one that has cast a new light on the role of the various stakeholders across the payments ecosystem with the introduction of network tokenization, which replaces payments account numbers when payments transactions are initiated. These tokens are presented to merchants for payment, and enabled for payment by a new player – a Token Services Provider – that authorizes the payment. Payments tokens, as some refer to them, are stored in vaults maintained by the TSP – which could be an independent third party or integrated with the card networks.
Seven senior executives from across the payments and commerce landscape, each representing a different facet of the industry, came together for a one-hour conversation on the evolution of tokens and tokenization. The focus was how this developing technology can be used to facilitate a demand for payments that are both secure and convenient. The conversation was lively, and even spilled over the one-hour mark.
Here are a few highlights. To hear the whole rabble-rousing conversation, listen in here.
Tokens Before Tokens Were Cool
The conversation started from the perspective that the payments industry was all about tokens before the introduction of Apple Pay made tokens cool.
“Apple did not invent tokenization, it has been there for a long time. What is now happening is, that its use is now standardized for all payment cards across the world. The stumbling block earlier was making sure a card that is tokenized by one player in the U.S. works in the U.K., and that is what network tokenization brought to us,” said Hitesh Anand, VP of Commerce Enablement and Mobile at Verifone.
Tokens – Everywhere You Want Them To Be?
True enough, everyone agreed. But we have the “battle of the tokens” – tokens on the acquiring side that don’t have anything to do with tokens on the payments and issuing side. Tokens, some believe, need to be ubiquitous – enabling payments to be made anywhere and everywhere – to deliver the promise of payments safety and security. Yet with ubiquity come many questions and challenges.
“Only when we can deliver these tokens ubiquitously, can we get to a point where we can start changing consumers’ behavior from what they normally use for payments which is swiping or dipping a card, to utilizing their mobile devices to use tokenization for payments. Without that behavior change, it’s going to be very hard for tokenization to take off,” added Will Graylin, CEO of LoopPay and Co-GM of Samsung Pay.
Who Gives A Token?
Customers accepting and using tokenization may be a large hurdle, but opinions differed around how significant consumer behavior really is when it comes to growing the use of tokens. As many of the panelists pointed out, consumers are less likely to understand the concept of tokenization itself. Instead, they remain focused on being able to make payments in a way that is convenient and innovative, but also secure.
That was a position Alex Pezold, Co-Founder and CEO at TokenEx, a technology platform that provides tokenization, was passionate about. Sure, security is a key value proposition, but shouldn’t that be the driving force, and not the way the industry proposes to deliver it?
“One of the questions that I have on trying to change consumer behavior with tokenization would be: is that the tail wagging the dog? Consumers really don’t care about tokenization, they care about security, they care about the really cool fingerprint that you put on your Apple or Samsung device. Where this really is applicable and where tokenization really matters, at the core of it, is trying to secure and trying to help merchants and service providers with compliance, risk and fraud reduction,” Pezold said.
Verifone’s Anand agreed, but took things a step further. “When we use the word tokenization we are at times guilty ourselves of using it only in the context where the consumer is the focus. There are other contexts where the consumer is not making that choice or decision and we need to make sure that tokenization importance or benefits in those areas are seen as just as valuable as on the issuer side,” Anand added.
The Token Inside
As smartphones continue to flood the market, the panelists debated whether tokenization can keep pace with the growth of mobile. Changing mobile technologies are allowing consumers to do more on their devices than ever before, which may provide an opportunity for tokens to be used in innovative ways.
“The ubiquity of the mobile device allows the customer to bring their own container, as long as the container provider makes sure it’s secure so the customer can pick their own end points and link them all to a funding account they have,” said Doc Vaidhyanathan, VP of Product Management and Digital Payments at CA Technologies.
Vaidhyanathan pointed to the importance of providers identifying whether a particular end point can be provisioned or not, as well as assessing the risks associated with trying to alter a token.
“This allows for a whole lot of customization of that token, as far as when it can be used, where it can be used, for what purpose can it be used. It also provides opportunities for controlling the spend, controlling the fraud, as well as creating new exciting uses for the token,” he added.
Can’t We All Just Get Along?
How do payments and security tokens live together? How does the introduction of payments tokens and mobile payments change what networks, acquirers, issuers and payments services providers do? How will mobile commerce players adapt today?
Despite the variety of opinions on the topic, there was one point of agreement: Tokenization not only provides significant growth in digital payments but also does so in a way that is both consistent and convenient.
“There is a demand from consumers to be able to pay where they want, how they want, when they want, and with whatever card they happen to have. Tokenizing for us is an enablement of all these different payments experiences that are possible and doing it in an incredibly secure way, which helps us to create experiences that couldn’t actually be enabled without the arrival of tokenization,” explained Matt Barr, Group Head of MasterCard’s Emerging Payments in the U.S.
“We are seeing leveraging of newer tokens for secure in-app purchases and have heard talks to the future of enabling that same level of security for browser-based eCommerce, which we know we have to secure as EMV arrives in the U.S., so all of these channels must become secure and in a way that has backwards compatibility and is globally interoperable,” Barr said.
According to Barr, there has been encouraging momentum across payment methods, from both a consumer and merchant perspective, and the key enabler in that acceleration has been tokenization.
CA Technologies – Doc Vaidhyanathan, VP of Product Management
“The issue that still remains unaddressed is the new tokenization, introduced with solutions like Apple Pay is the Payment Token (unlike the Acquirer Token used for PCI compliance and Issuer Token used to anonymize transactions). For now the Payment Tokens are generated by the networks only. The rules of engagement have not yet allowed third party token generators to be effective in this space.
Also, for now, Payment Tokens are being generated mainly to be put on Mobile Wallets. This has to be expanded to allow Payment Tokens that can be held and used in any channel. The cardholder currently has no say in what the properties of the token are – the networks have decided that the tokens put on iPhones are only usable for Apple Pay – but there is no fine grain control that the cardholder can exercise. The future has to include the cardholder as an influencer of what the token represents.”
Digital River – Sreemati Lalgudi Seshasayee, Director of Merchant Connect
“I do think that [the] payment industry needs to look at tokenization as part of the whole security architecture and have a holistic approach to tokenization across payment instruments: credit cards, redirects, wallet etc. This is to ensure end-to-end security and in this payment processors like DRWP have the unique opportunity to have a consistent approach for merchant’s sake.
We not only remove the merchant from PCI compliance scope specific to credit card but we also facilitate the simplification of the data privacy regulations by protecting PI information. This could become transitional (move between payment provider with ease) experience for merchant, if there is an industry standard that can be implemented across omnichannel and omni-payment methods.”
TokenEx – Alex Pezold, Co-Founder and CEO
“The issues I see surrounding tokenization that are still unaddressed have everything to do with education and empowerment to use this great technology for compliance reduction and risk reduction. While we’re halfway through the year in 2015, if the only association people are making with tokenization is Apple Pay, then we have a long road ahead of us. If the card brands are using ubiquitous tokenization as a means to drive digital wallet adoption, then we have an even longer road ahead of us, because they apparently don’t get it either.
For example, simply using a tokenization engine like what payment service providers and the card brands provide is not going to reduce PCI scope or risk challenges that merchants and service providers are facing today. Looking at the payments industry, the term “omnichannel” is present for a reason – merchants and service providers alike handle payment card data in any number of different channels. Only addressing one of these channels is not going to solve the problem of getting risky data out of a merchant’s environment.
The payments industry needs further education around tokenization and understanding that it’s not just a solution for payment service providers and the card brands. Tokenization is a solution for any organization handling any sensitive data set, like payment card data, personally identifiable data, or financial account data, who also uses any number of avenues to interact with said data.
Educating merchants and service providers alike in the areas of achieving/maintaining compliance and risk avoidance, and empowering them to use tokenization as a competitive advantage of sorts should be our continued goal and receive the attention it deserves.”
Verifone – Hitesh Anand, VP of Commerce Enablement & Mobile
“Tokenization, while important, is not a security catchall and should be used as part of a multi-layered approach to security that also incorporates end-to-end encryption and secure commerce architecture. Of course, large retailers likely have the resources and support in place to deploy and manage these types of systems. However, smaller merchants on the other hand may not have the necessary bandwidth or technical knowledge to do so on their own. That’s why it’s imperative for smaller merchants to partner with processors and acquirers offering managed payment services — also known as Payment as a Service — that incorporate all of the recommended components of effective multi-layered protection, which of course includes tokenization. Not only does this type of service greatly enhance payment security, it also shifts the burdens and complexity of payment system management away from the merchant, allowing them to focus more on their core business.”
LoopPay – Will Graylin, CEO
“The unaddressed issue to tokenization at this moment is the need for wide acceptance by merchants in the physical and the online environments, across merchants without heavy IT changes to their POS systems and to their remote checkout systems. This problem can be solved in the physical world with innovations like MST that Samsung Pay will be launching to enable existing POS to accept tokenized mobile payments without change.
For online tokenization, TSPs can also innovate by generating a timestamped 3- or 4-digits dynamic cryptogram that is transmitted via the CVV2 field, and use either a Token PAN or original PAN with the EXP Date as a Token Mode Indicator, then authenticating the dynamic CVV2 cryptogram. Together, this provides issuers with scalable tokenization security and consumers with the best user experience to start changing their habits from cash and plastic to mobile authenticated payments.
As you’ll see in the coming years the proliferation of devices will continue to grow and what we call token delivery devices will expand beyond smartphones and into wearables, Internet of things, and even accessories that hang off your keychains. Our job is to make sure that we as a token requestor and a secure container can properly store those tokens and deliver them for the consumers to as many places as possible and as many end points as possible.”
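The dynamic CVV2 scheme Graylin describes for online tokenization can be sketched as a time-stepped cryptogram, shown here as an added example that is not code from the panel, Samsung/LoopPay or any TSP. The HMAC-SHA256 construction, the 60-second step, the reserved expiry value and all names and sample values below are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 60        # assumed lifetime of one cryptogram
TOKEN_MODE_EXP = "1249"  # assumed reserved MMYY value that flags token mode

def dynamic_cvv2(key: bytes, pan: str, step: int, digits: int = 3) -> str:
    """HOTP-style truncation of HMAC(key, PAN || time step) to `digits` digits."""
    mac = hmac.new(key, pan.encode() + struct.pack(">Q", step), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def wallet_fields(key: bytes, pan: str, now: int, digits: int = 3) -> dict:
    """Values the device would place in the ordinary PAN / EXP / CVV2 fields."""
    return {"pan": pan, "exp": TOKEN_MODE_EXP,
            "cvv2": dynamic_cvv2(key, pan, now // STEP_SECONDS, digits)}

class TspVerifier:
    """TSP-side check: token-mode indicator, time window, then replay."""
    def __init__(self, keys: dict):
        self.keys = keys       # PAN or token PAN -> per-credential key
        self.last_step = {}    # PAN -> newest accepted time step

    def verify(self, fields: dict, now: int, window: int = 1) -> bool:
        if fields["exp"] != TOKEN_MODE_EXP:
            return False       # not token mode: belongs to the static CVV2 path
        key = self.keys.get(fields["pan"])
        if key is None:
            return False
        current = now // STEP_SECONDS
        for step in range(current - window, current + window + 1):
            expected = dynamic_cvv2(key, fields["pan"], step, len(fields["cvv2"]))
            if hmac.compare_digest(expected, fields["cvv2"]):
                if step <= self.last_step.get(fields["pan"], -1):
                    return False   # cryptogram for this step was already used
                self.last_step[fields["pan"]] = step
                return True
        return False

if __name__ == "__main__":
    # Constructed sample values, not real card data.
    key, pan, now = b"constructed-demo-key", "4111111111111111", 1_000_020
    tsp = TspVerifier({pan: key})
    fields = wallet_fields(key, pan, now)
    print(fields, tsp.verify(fields, now), tsp.verify(fields, now))
```

Because a 3-digit cryptogram has only 1,000 possible values, a verifier like this also needs attempt limiting per credential, which the sketch leaves out.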