An exclusive coterie of card networks runs the business of issuing and managing payment tokens. But that elite club soon may have more members.
Looking for a business with growth opportunities? Look no further, ladies and gentlemen, than at the business of the token service provider.
A sexy business? Definitely not. So-called TSPs, however, play an essential role behind the scenes in making mobile payments work. And with the currently low levels of mobile-payment volumes expected to boom, the growth potential for TSPs seems huge.
On top of that, a recent series of standards and security developments is smoothing out the rugged tokenization landscape, potentially paving new roads for more entrants into a market dominated today by Visa Inc., MasterCard Inc., and American Express Co.
“Over time there will be more diversity as tokenization becomes a bigger player in the ecosystem,” says Carol Juel, chief information officer at Stamford, Conn.-based Synchrony Financial, a private-label and cobranded credit card issuer with 62 million active accounts.
The major networks realize change is coming. In fact, they’ve helped it along, at least indirectly. EMVCo, the network-owned global standards body that administers the Europay-MasterCard-Visa chip card standard and whose responsibilities include tokenization, has created a specification that will enable more companies to become TSPs.
Meanwhile, the PCI Security Standards Council, the body that administers the Payment Card Industry data-security standard—the security rules for merchants, processors, and other entities that handle credit and debit card data—in December released a 92-page set of requirements for TSPs in recognition that the market is poised to receive new participants.
“In the way we developed the standard, we were identifying entities beyond the card networks themselves,” says Troy Leach, the Wakefield, Mass.-based PCI Council’s chief technology officer. “In a lot of cases, we anticipate entities that will be token service providers, or they would provide a certain function of the TSP requirement.”
These developments raise questions about who will be in the TSP market and who will control it. After all, this struggle is nothing new in the token business (“The Tug of War Over Tokenization,” December 2014).
Keepers of the Vault
But first—just what do TSPs do, and why does anyone beyond the IT guys care?
With tokenization, a random string of numbers replaces a credit or debit card’s 16-digit primary account number (PAN). A PAN is necessary for a criminal intent on committing card fraud, but a token, be it a one-time-use dynamic token, or a static token with an associated cryptogram, is worthless to a fraudster.
Boiled down, a TSP under the EMVCo standard is the entity that maintains a so-called token vault, a warehouse of PANs that enables the generation of tokens and provides associated processing services. The sleepy field of tokenization took on a much higher profile after Apple Inc. unveiled its Apple Pay mobile-payments service, which uses tokenization, in September 2014.
The tokenization transaction flow in a mobile payment is illustrated in a June 2015 report by the Federal Reserve banks of Boston and Atlanta.
The flow starts when a mobile-phone user presents her phone, in this example enabled for near-field communication (NFC) contactless transactions and preloaded with a payment token stored in the phone’s secure element, to the merchant’s point-of-sale terminal to make a purchase. The customer uses a fingerprint or passcode to authenticate herself and authorize the transaction.
The NFC-enabled terminal passes the token, cryptogram, and encrypted data to the merchant acquirer or processor acting on the acquirer’s behalf, which in turn passes them to the appropriate card network doing double duty as a TSP.
The network/TSP accesses its token vault to de-tokenize the transaction, that is, to look up the PAN behind the token, and ships the PAN to the issuer whose credit or debit card is backing the transaction. Upon issuer approval, the network/TSP passes the token and issuer authorization back to the acquirer, which gets them to the POS terminal to complete the transaction.
‘A Very Significant Investment’
It’s easy to see why the networks have taken on the mantle of TSP. All traffic coming and going between general-purpose credit and debit card issuers and merchants passes through them.
“This hub concept is pretty important because the networks are pretty well-positioned to play that role,” says Zilvinas Bareisis, a London-based senior analyst at financial-services research firm Celent. “They sit in the middle.”
According to Celent, Visa, MasterCard, and AmEx became TSPs in 2014, the year when EMVCo issued its tokenization standard. Riverwoods, Ill.-based Discover Financial Services recently joined them.
All of the networks have come out with varied menus of services for mobile payments and put names on them. Discover calls its mobile platform the Discover Digital Exchange, or DDX.
The platform supports payments on the proprietary Discover network and is being expanded to support third-party issuers, including Discover debit card issuers, says a Discover spokesperson by email. Discover currently is available in Apple Pay and Android Pay, and the company is working with Samsung Electronics Co. Ltd.’s Samsung Pay on integration for some time later this year.
“The ecosystem is advancing at a rapid pace, so Discover is constantly working to adapt our services to marketplace shifts and address client needs,” the spokesperson says.
MasterCard’s platform is dubbed the MasterCard Digital Enablement Service, or MDES. The TSP part of the service has issued “millions of active tokens,” says James Anderson, group executive for Platform Management at Purchase, N.Y.-based MasterCard.
“Strategically it’s extremely important to us … we did make a very significant investment in building MDES,” Anderson says.
MDES has two major constituencies, according to Anderson. The first embraces what he calls “the Pays”—Apple Pay, Android Pay, Samsung Pay, and the like—and is issuer-oriented because it digitizes cards for use in mobile payments.
The second constituency is merchants, many of whom have card numbers on file for use in dispute resolution and chargebacks, recurring payments, and loyalty programs. MasterCard is working on a service, possibly for release this year, that will tokenize these cards, which Anderson says could lead to higher transaction-approval rates.
An example is a MasterCard cardholder who, after losing his old card, presents his new card with a new PAN to a merchant that has the old card number.
“If they tokenize, we can ensure that regardless of the real card number, the merchant can continue to transact,” says Anderson. “There’s a real benefit to the merchant.”
(Visa and AmEx did not respond to Digital Transactions’ requests for comment about their TSP and tokenization businesses.)
‘Opportunities for Other Folks’
The bank card networks are working to build their tokenization businesses by not specifically charging for TSP services, at least for now. But charges can’t be ruled out in the future as tokenization volumes increase, and some observers say entities with both issuing and acquiring operations could be charged for so-called on-us transactions.
Still others say the principle of offering more choices to issuers and merchants merits the entry of new TSPs.
“We see opportunities for other folks,” says Melissa Santora, product strategist in the card services unit of processor Fiserv Inc. “We have the card brands that initiated it … but there could be other people doing it.”
Asked if Fiserv intends to become a TSP, Santora says, “we are definitely evaluating it.”
Brookfield, Wis.-based Fiserv has 15,000 financial-institution clients globally. Santora’s unit provides debit and credit card processing services to 3,200 banks and credit unions.
In November, EMVCo introduced a registration process that could increase the number of TSPs. Approved TSPs must meet a number of criteria, including having ownership of or access to a token vault.
“The process ensures the industry has a way of globally tracking which TSPs represent which card issuer,” Jack Pan, chairperson of the EMVCo board of managers, says via email. “It is important for token requestors to know who the appropriate entity is to request an EMV payment token [from], and that the payment-token system interoperates with the traditional payments systems without conflict.”
But why would a standards body owned by the card networks expose its owners to more competition? A possible answer is that opening the field seems to be in everybody’s interest, including the networks’.
“It’s getting more ubiquity to tokenization, and more security in payments,” says security-technology analyst Julie Conroy, research director at Boston-based Aite Group LLC. “With all the database breaches, the networks are seeking more longevity by creating more confidence in card payments that’s essential for the system to work.”
Adds Dave Fortney, executive vice president of product development and management at The Clearing House Payments Co. LLC: “I think the networks, wearing their network hat, would think it’s a good thing to have higher-security token options to encourage the spread of tokenization.”
Pan of EMVCo says the registration specifications “are designed to be flexible to meet regional and local market needs.” But he says EMVCo is a technical body and does not mandate how its specs are implemented, so he declined to comment on their commercial impact.
While EMVCo’s new registration code contains three digits, theoretically opening the field up to 1,000 TSPs, analysts believe the number of market entrants will be far fewer. Anybody playing the TSP game will need the computing power to tokenize and de-tokenize many thousands of PANs quickly.
“It’s got to be done frequently and at scale,” notes Celent’s Bareisis.
EMVCo would not say if or how many entities have applied for or been approved to become TSPs under the new process, instead referring Digital Transactions to its Web site. As of mid-February, the site showed no approved registrations.
A ‘Rule-the-World’ Approach
It’s clear that most if not all future TSPs will be big, familiar firms, such as, possibly, Fiserv or Synchrony. Another candidate is The Clearing House, which is owned by about two dozen of the nation’s largest banks and operates one of only two automated clearing house network switches in the U.S. (The Federal Reserve operates the other one.)
In fact, TCH has already applied to become a TSP, says Fortney. The company first announced its tokenization initiative, now called Secure Token Exchange, as a pilot project back in 2013.
“Our platform is ready and it’s been ready,” he says. “The bottom line—something as important as tokenization, it’s really important that the market has options.”
But with current mobile-payments volumes low, TCH is looking to tap into a growth market rather than take business from incumbents.
“What we continue to do is be engaged with the card networks,” Fortney says. “I don’t want to position this as The Clearing House vs. the networks.”
Other candidates might include major card processors such as Total System Services Inc. (TSYS), and First Data Corp., the biggest one of all. First Data already has served as a provisioner of card credentials for mobile payments (“The Changing Role of the Trusted Service Manager,” July, 2013), and it also offers TransArmor, a widely used security service for merchants that uses data encryption and tokenization.
What’s more, First Data, the top merchant processor, recently opened up its huge merchant portfolio to PayPal Holdings Inc., the mobile-payments leader, ending what had amounted to a three-year embargo on PayPal and its point-of-sale ambitions.
Consultant Steve Mott, principal of BetterBuyDesign in Stamford, Conn., says that development “is pregnant with implications” for tokenization. (First Data declined comment.)
“If you put all the pieces together … you’ll see an alternative to the MasterCard/Visa rule-the-world approach,” says Mott, a consistent critic of what he views as the bank card networks’ dominance of mobile payments.
Synchrony, formerly the card-processing unit in General Electric Co.’s huge finance subsidiary GE Capital, sees all kinds of opportunities with tokenization starting from its base in private-label cards.
It’s created a TSP for small retailers and built a proprietary wallet for two retail clients, says Juel, who asserts that “retailer voices haven’t been incorporated” into the mobile-payments discussion, at least until recently. Synchrony also provides TSP services for Samsung Pay.
“We see that there’s much changing—you have to be in all the channels,” says Juel. “We want our cards to be in all the wallets. We see it in a way that providers [and] banks don’t, handset providers don’t.”
‘Ripe for Competition’
MasterCard’s Anderson believes it’s likely the TSP field will soon have more players, but says MasterCard will work hard in the fast-changing environment.
“We’re aware through conversations of a number of players who have plans in that area,” he says. “We don’t take anything for granted. We have to compete for our issuers’ business, and the digital players have to see the value.”
While the TSP club is poised to expand, the club still will be abiding by rules set by the network-controlled EMVCo. But with mobile payments and security technology evolving rapidly, the new club members hold more hope that they’ll have greater input setting the rules, and keeping prices competitive.
“There’s potential new entrants into the market; that will drive the price down,” says Synchrony’s Juel. “This is an area that’s ripe for competition.”
How the PCI Rules Affect Token Service Providers
The use of tokens for mobile payments is a booming business, and the PCI Security Standards Council thinks it needs some direction for protecting the cardholder data consumers entrust to mobile-payment services.
In December, the Wakefield, Mass.-based PCI Council released a 92-page document titled, “Additional Security Requirements and Assessment Procedures for Token Service Providers (EMV Payment Tokens), Version 1.0.” The new requirements supplement what’s already in the Payment Card Industry data-security standard (PCI DSS), the main set of security rules for card-accepting merchants and processors, and other PCI Council documents addressing security practices involving tokenization.
EMVCo, the standards body that oversees the EMV chip card standard, has issued a specification that will enable more companies to become token service providers, which generate and manage payment tokens. The EMVCo spec defines technical requirements for handling payment-token requests, and the provisioning and processing of such tokens.
In addition, TSP functions can be divvied up, which means more companies will be involved. At the moment, however, probably only about a dozen companies would be directly affected by the new TSP requirements, according to Troy Leach, the PCI Council’s chief technology officer.
The PCI Council says it consulted with EMVCo so that its TSP requirements work with EMVCo’s standard, the goal being to protect the computer and communications environments in which TSPs operate.
There are various types of tokens, but the new PCI rules apply to only a certain kind—the so-called payment token created by an EMVCo-registered TSP, issued to a cardholder in lieu of a primary account number (PAN), and presented to the merchant when the cardholder makes a purchase. An example would be a consumer using an iPhone 6 enabled for the Apple Pay service to buy lunch at McDonald’s.
The rules do not apply to two other types of tokens not generated by TSPs. One is the “acquirer token” created by a merchant acquirer, the merchant itself, or a processor. Acquirer tokens are proprietary tools typically used for card-on-file purposes, such as dispute resolution and chargebacks, recurring payments, and loyalty programs.
“We recognized that some organizations have already invested in taking the PAN and creating acquirer tokens,” says Leach. “The TSP is really for the focus on mobile, so we can successfully and securely have mobile-payment transactions. The security eliminates the value that would be on the phone.”
The second is the “issuer token,” which, as the name suggests, comes from the card issuer and functions as a virtual card number used for specific consumer and commercial card purposes. Issuer tokens resemble PANs, so much so that acquirers and merchants may not even realize they’re dealing with a token, according to a PCI Council document.
Playing Matchmaker With Tokens
A new data element for transaction messages is getting a lot of attention in payments circles. It’s the so-called Payment Account Reference, or PAR, and it’s meant to associate all the payment tokens linked to a single credit or debit card primary account number, or PAN. But implementing PAR could be time-consuming and costly.
Payments executives and researchers say PAR, or at least something like it, is needed to address a growing problem: tokens that can’t find the correct underlying PAN, thereby limiting the ability of merchants and merchant acquirers to perform some important functions for which they need PANs. Think of a brood of ducklings separated from their hen and thus more vulnerable to predators.
EMVCo, the global standards body overseeing EMV chip card payments, is in charge of PAR development. EMVCo first floated its PAR proposal last May, and in January published a specification bulletin with numerous changes.
Merchants and merchant acquirers often use full PANs for a number of pre- or post-authorization purposes, including returns and chargebacks, loyalty programs, and regulatory compliance. But in tokenized payment transactions, merchants and acquirers may not have access to a full PAN. And the payment tokens associated with a single PAN can multiply as the cardholder makes more transactions and uses multiple form factors, say a smart phone and plastic cards.
“When a transaction is initiated with an EMV payment token, the functionality of these applications can be impacted since the full PAN may not be available to merchants, acquirers, and payment processors,” a recent EMVCo document says.
“All of a sudden, you lose visibility into your customers’ activity,” says payment-security analyst Julie Conroy, research director at Aite Group LLC. “The introduction of the PAR is really important to filling that gap.”
The current PAR spec calls for a 29-character value that could not be reverse-engineered to reveal the payment token or PAN. A PAR could only be used for completing transaction reversals, risk analysis, completing non-payment operations such as loyalty-program support, and complying with regulatory requirements such as anti-money-laundering rules, according to EMVCo.
PARs would be generated by token service providers—a role currently played in U.S. general-purpose card payments only by Visa, MasterCard, American Express, and Discover—but playing key supporting roles are acquirers, issuers, and processors.
Passing around a new data field, however, is something easier said than done. Conroy says implementing PAR is “huge—a really big task if you think about all of the entities that are going to have to alter their authorization message.” She estimates implementation could take 18 to 24 months.
Dave Fortney, executive vice president at New York City-based The Clearing House Payments Co. L.L.C., says The Clearing House strongly supports the PAR concept, but he too agrees it will take time to put into place. “Something this big probably will take many years to implement,” he says.
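As an added illustration (not code from the article, EMVCo, or any network's TSP), the Python example below models the token vault described under “Keepers of the Vault” together with the PAR idea: several tokens map to one PAN, only the vault can de-tokenize, and a random 29-character PAR lets a merchant tie the tokens together without seeing the PAN. The class and function names, the PAR character set, and the test PANs are assumptions made for the example.

```python
import secrets
import string
from collections import defaultdict

PAR_ALPHABET = string.ascii_uppercase + string.digits  # assumed character set


class TokenVault:
    """Toy TSP vault: maps random tokens to PANs and one PAR to each PAN."""

    def __init__(self):
        self._pan_by_token = {}  # token -> PAN; never leaves the vault
        self._par_by_pan = {}    # PAN -> PAR; one per underlying account

    def provision(self, pan):
        """Issue a fresh 16-digit token for a PAN (one per device or form factor)."""
        if not (pan.isdigit() and len(pan) == 16):
            raise ValueError("expected a 16-digit PAN")
        if pan not in self._par_by_pan:
            # Random, so it cannot be reversed into the PAN or a token; 29 characters.
            self._par_by_pan[pan] = "".join(
                secrets.choice(PAR_ALPHABET) for _ in range(29))
        while True:
            token = "".join(secrets.choice(string.digits) for _ in range(16))
            if token not in self._pan_by_token and token not in self._par_by_pan:
                break  # token collides with no existing token or stored PAN
        self._pan_by_token[token] = pan
        return token

    def detokenize(self, token):
        """Network/TSP side only: recover the PAN to send to the issuer."""
        try:
            return self._pan_by_token[token]
        except KeyError:
            raise LookupError("unknown token") from None

    def par_for(self, token):
        """Stands in for the PAR field a merchant or acquirer would receive."""
        return self._par_by_pan[self.detokenize(token)]


def spend_by_par(vault, transactions):
    """Merchant-side view: total spend per account keyed by PAR, never the PAN."""
    totals = defaultdict(int)
    for token, cents in transactions:
        totals[vault.par_for(token)] += cents
    return dict(totals)


def demo():
    vault = TokenVault()
    phone = vault.provision("4111111111111111")  # constructed test PAN
    watch = vault.provision("4111111111111111")  # same card, second device
    other = vault.provision("5500000000000004")  # constructed test PAN
    totals = spend_by_par(vault, [(phone, 1250), (watch, 499), (other, 2000)])
    return vault, phone, watch, other, totals

if __name__ == "__main__":
    print(demo()[4])
```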