Tokenization is on everyone’s radar. Amid a sea change in commerce – done through mobile means and across connected devices, in store, online or an amalgamation of the two – merchants should brace for a tidal wave of tokens, billions of them issued and billions more to come. That’s the focus of a blog post this morning (Aug. 31) that debuted from Nitin Prabhu, PayPal’s senior director of issuance, tokenization and loyalty platform.
The nomenclature may give merchants pause, the complexity of adopting and adapting to new technology may give them agita – yet nonetheless, tokenization has benefits for all players in the commerce ecosystem, spanning security, speedier payments and even a richer consumer experience.
And yet, for the merchant, complexity reigns in token management. There are a lot of them out there, as we noted, whether single use or multi-use. There are reversible tokens and irreversible ones.
The overarching theme is one of protecting primary account numbers (PANs) from being compromised – or being visible at all.
Looking in the Rearview Mirror
The concept is not new, said Prabhu, who noted in a discussion focused on network tokens that the genesis of the general principles in theory and in practice can be traced back decades. Squint a bit and you may see your way clear back to the mid 1990s, when in 1995, Bank of America and Citibank joined forces to create a one-time use credit card. In 1998, he added, PayPal opted for the option of using an ID and password instead of the card number, so to speak.
“There have been multiple variants of tokenization,” Prabhu told Webster. “But this is the first time that we think networks and the [commerce] ecosystem are adopting it,” especially as mobile devices and IoT take root. Against that backdrop, he said, “tokenization is more and more relevant.”
Against a changing landscape of commerce, he said, PayPal has been embracing and advocating those network tokens, and as part of the EMVCo framework has provided a simple API interface that allows firms to tap into the benefits of tokenization while integrating into its payment platform.
That interface – and the concept of network tokenization itself – works across mobile payments, mobile devices, in-store settings or online, browser-based and secure remote commerce.
By way of example, Prabhu pointed to the fact that “when you look at any of the digital wallets,” when PayPal is linked with Google's and Samsung’s offerings, through tokenization “it’s not your actual card number [tied to the wallet], but a surrogate number.”
He noted that now, merchants need not accept card numbers, but can instead accept tokens and process them. “So this makes the entire ecosystem more secure."
There’s value in having one standard across the online and offline channels, Webster and Prabhu agreed, where the lines between digital and physical conduits are blurring.
And yet, at least for now, inefficiencies reign. Merchants are sitting awash in tokens on file, with the impetus on figuring out how to work with the new framework (i.e., the aforementioned EMVCo framework). The merchants, stated Prabhu, are grappling with the daunting tasks and costs of integration, weighing the eventual ROI and immediate security benefits of tokenization against the upfront commitments in terms of time and capital.
That is where Braintree (a PayPal company) comes in, said Prabhu, who stated that “what we are doing on behalf of the merchant is connecting to all of these networks and creating a very simple single interface API.”
The token management leverages existing relationships between the merchant and Braintree, said the executive, “so you give us the card number or the token, we will store it in a vault, we will process it and we will manage all the complexities.”
Think of his firm, said Prabhu, as a token gateway to the networks across, say, Visa, Mastercard, American Express, Discover and others.
Improving the Ecosystem
The token gateway relationship is helpful for merchants, discussed Webster and Prabhu, as they benefit from the access to all the customer data that these tokens provide, linked as they are to loyalty programs and other conduits to sticky relationships.
“The merchants do not have to do anything different,” said Prabhu, adding that “on the contrary, they get much more enhanced information they can use.” In a pair of examples, he said that the EMVCo framework features what is known as a “payment account reference.” That reference stays the same even if one’s card gets replaced. Get a card, lose a card, replace a card. The problem for the merchant is that when a card gets replaced, they can lose the historical context of that consumer. In this new context, the account remains the same, and it is non-PCI data.
Also, for merchants who work across multiple brands, Prabhu said, the data flow and token flow are seamless. That can also help cut down on fraud, much in the way that EMV did with cards themselves, as merchants can see if, say, someone is trying to make a transaction in Eastern Europe with credentials that are more commonly tied to Boston. In essence, said Prabhu, merchants “can make a much more informed decision about a transaction.”
For the consumer, the ecosystem becomes a bit more streamlined, too. The token updates with the merchant in real time – so no more naming and “renaming” cards in digital wallets as they are accumulated (c’mon, you named your Bank of America card and then named the new one “new Bank of America card,” didn’t you?). Drop-down menus will only show, as Prabhu termed them, “the most relevant and freshest cards,” and updates across merchants is not needed.
That’s especially helpful in mobile, where the screen size is limited, he said.
In the end, he said, there's an opportunity for merchants to simplify how they navigate the coming wave of tokenization and tokens that are coming their way, by delegating the responsibility of integrating with and managing existing tokens and connecting them with new tokens to PayPal/Braintree.