Rambus CTO On Tokenization, Part Deux

The latest iteration of EMVCo’s Payment Tokenization Specification has the potential to change the way we shop – even as it changes the way that consumer information is exchanged between cardholders, issuers and merchants.  Goodbye to static tokens and hello to a dynamic range of possibilities in eCommerce and beyond, as Rambus’ CTO Chakib Bouda tells Karen Webster in the latest Topic TBD.

Tokens are nothing new. PCI tokens, encrypted card credentials held in vaults by processors, have been part of payments for years.

But version 2.0 of EMVCo’s Payment Tokenization Specification, announced last month, is out to change that. Call it an upgrade, perhaps, as it focuses on eCommerce and is geared toward reducing fraud associated with primary account numbers (PANs), Rambus’ CTO Chakib Bouda explained in the latest Topic TBD.

Today, he told PYMNTS’ Karen Webster, consumers who sign up for an account online are prompted to register their card credentials: account number, expiry and CVV. That credit card information goes to a database, where the data is encrypted and stored as PCI tokens. In that case, the one generating the token is not the payment scheme or the issuer, but the party who has requested the credentials, said Bouda.

But the latest version of tokenization, Bouda emphasized, is linked to the changes in how consumers are using digital wallets, devices and channels to conduct commerce – an ecosystem that has widened significantly in the three years since EMVCo’s original framework was released.

Today, he noted, “if you use your OEM wallet” such as those offered by Apple, Google and Samsung – tapping it against an EMV or NFC-enabled terminal to conduct a transaction – “the merchant doesn’t know how to link that token to a primary account number.”

In essence, said Bouda, PCI tokens will, moving forward, take a backseat online to payment tokens and PARs; a PAR is a payment account reference that helps to link the payment token to a primary account number. Payment tokens are issued by TSPs – the card schemes – at the request of a token requestor, such as an issuer, merchant or digital wallet.

“The PAR itself is actually a number,” said Bouda, who also noted that 2.0 sets rules for BIN controllers (such as an ISO IIN card issuer) governing implementation of those PARs. Bouda also stated that each time a token is requested from a merchant or from a (digital) wallet, the issuer needs to authenticate the user (through a process known as IDNV, or identity and verification). The method of authentication is important, he said, as using only a card number to authenticate this data offers a low level of assurance. If the issuer sends a one-time password for using the mobile banking app to authenticate, “that’s a really high level of assurance,” said Bouda.

Bouda believes that existing PCI tokens (numbering in the billions, as Webster noted) “will vanish” over time, as legacy systems are adapted to request tokens from the card schemes.

Beyond the mechanics, the conversation turned to use cases – after all, what good is a technological advance without adoption and, well, easing the everyday lives of consumers and the companies that serve them?

Here’s an example of the complexity that underlies the battle of the PCI and payment tokens today.

Imagine using your card one day at a physical store to pay for something and you have a loyalty program linked to that card on file. The next day, you walk into that same store and use a digital wallet with that same card provisioned in it. But since the digital wallet uses a payment token that is not known to the merchant, and you are using your phone and digital wallet, there is no link to the card on file’s token.

Thus, to smooth all the leaps and bounds that data must make in this transaction, said Bouda, the PAR is introduced so that regardless of what phone, or card, or even iPad that you are using, “everything is linked to that particular number, which is the PAR.” In eCommerce, then – and in a traditional process where, say, PayPal actually stores cardholder data and uses a PCI token – a pain point is reduced, as a user does not have to resort to entering his or her card information time and again.
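
An added example, not from the article or from EMVCo: a toy model of the two-day store scenario above, showing that a merchant keying loyalty records on the credential seen at checkout ends up with two unrelated records, while keying on the PAR merges them. The class names, the token and PAR formats and the card number are constructed for illustration, and the card on file is represented by the PAN itself.

```python
import secrets

class ToyTSP:
    """Constructed stand-in for a token service provider (not EMVCo's formats)."""
    def __init__(self):
        self._par_by_pan = {}    # one PAR per underlying account
        self._pan_by_token = {}  # token vault: payment token -> PAN

    def par_for(self, credential):
        # Accepts a payment token or a PAN; both resolve to the same PAR.
        pan = self._pan_by_token.get(credential, credential)
        if pan not in self._par_by_pan:
            self._par_by_pan[pan] = "PAR-" + secrets.token_hex(12)
        return self._par_by_pan[pan]

    def provision(self, pan, requestor):
        # Each token requestor (wallet, merchant, issuer) gets its own token.
        token = f"TKN-{requestor}-{secrets.token_hex(8)}"
        self._pan_by_token[token] = pan
        return token

class Merchant:
    def __init__(self):
        self.points_by_credential = {}  # keyed on what the checkout saw
        self.points_by_par = {}         # keyed on the PAR sent with it

    def sale(self, credential, par, points):
        for book, key in ((self.points_by_credential, credential),
                          (self.points_by_par, par)):
            book[key] = book.get(key, 0) + points

def two_day_scenario():
    tsp, shop = ToyTSP(), Merchant()
    pan = "4000000000000002"  # constructed card number, not a real account
    # Day 1: plastic card in store.
    shop.sale(pan, tsp.par_for(pan), points=10)
    # Day 2: same card, presented as a wallet payment token.
    token = tsp.provision(pan, "wallet")
    shop.sale(token, tsp.par_for(token), points=10)
    return shop.points_by_credential, shop.points_by_par, tsp.par_for(pan)

if __name__ == "__main__":
    by_cred, by_par, par = two_day_scenario()
    print(len(by_cred), "loyalty records by credential;", by_par[par], "points by PAR")
```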

Each stop within the payments ecosystem is thus able to communicate with the other using common definitions and terminologies. Perhaps this is less revolution than evolution, but the process is indeed smoother – and limits can be set that detail minimum and maximum amounts to be spent per transaction or by merchants, to name just a few configurations. And, as both Webster and Bouda noted, loyalty rewards programs can be utilized more effectively.

Envision, then, a near-term future where consumers – armed with tokens specific to them – can walk into stores, far-flung across merchants. Using Bluetooth or Wi-Fi, those merchants know you are in store – “you know, due to that token, which loyalty program and how many points you have,” said Bouda – a streamlined experience that leads to truly stronger relationships between customers and retailers.


