By Jim Daly
An exclusive coterie of card networks runs the business of issuing and managing payment tokens. But that elite club soon may have more members.
Looking for a business with growth opportunities? Look no further, ladies and gentlemen, than at the business of the token service provider.
A sexy business? Definitely not. So-called TSPs, however, play an essential role behind the scenes in making mobile payments work. And with the currently low levels of mobile-payment volumes expected to boom, the growth potential for TSPs seems huge.
On top of that, a recent series of standards and security developments are smoothing out the rugged tokenization landscape, potentially paving new roads for more entrants into a market dominated today by Visa Inc., MasterCard Inc., and American Express Co.
“Over time there will be more diversity as tokenization becomes a bigger player in the ecosystem,” says Carol Juel, chief information officer at Stamford, Conn.-based Synchrony Financial, a private-label and cobranded credit card issuer with 62 million active accounts.
The major networks realize change is coming. In fact, they’ve helped it along, at least indirectly. EMVCo, the network-owned global standards body that administers the Europay-MasterCard-Visa chip card standard and whose responsibilities include tokenization, has created a specification that will enable more companies to become TSPs.
Meanwhile, the PCI Security Standards Council, the body that administers the Payment Card Industry data-security standard—the security rules for merchants, processors, and other entities that handle credit and debit card data—in December released a 92-page set of requirements for TSPs in recognition that the market is poised to receive new participants.
“In the way we developed the standard, we were identifying entities beyond the card networks themselves,” says Troy Leach, the Wakefield, Mass.-based PCI Council’s chief technology officer. “In a lot of cases, we anticipate entities that will be token service providers, or they would provide a certain function of the TSP requirement.”
These developments raise questions about who will be in the TSP market and who will control it. After all, this struggle is nothing new in the token business (“The Tug of War Over Tokenization,” December 2014).
Keepers of the Vault
But first—just what do TSPs do, and why does anyone beyond the IT guys care?
With tokenization, a random string of numbers replaces a credit or debit card’s 16-digit primary account number (PAN). A PAN is necessary for a criminal intent on committing card fraud, but a token, be it a one-time-use dynamic token, or a static token with an associated cryptogram, is worthless to a fraudster.
Boiled down, a TSP under the EMVCo standard is the entity that maintains a so-called token vault, a warehouse of PANs that enables the generation of tokens and provides associated processing services. The sleepy field of tokenization took on a much higher profile after Apple Inc. unveiled its Apple Pay mobile-payments service, which uses tokenization, in September 2014.
The tokenization transaction flow in a mobile payment is illustrated in a June 2015 report by the Federal Reserve banks of Boston and Atlanta.
The flow starts when a mobile-phone user presents her phone, in this example enabled for near-field communication (NFC) contactless transactions and preloaded with a payment token stored in the phone’s secure element, to the merchant’s point-of-sale terminal to make a purchase. The customer uses a fingerprint or passcode to authenticate herself and authorize the transaction.
The NFC-enabled terminal passes the token, cryptogram, and encrypted data to the merchant acquirer or processor acting on the acquirer’s behalf, which in turn passes them to the appropriate card network doing double duty as a TSP.
The network/TSP accesses its token vault to de-tokenize the PAN and ship it to the issuer whose credit or debit card is backing up the transaction. Upon issuer approval, the network/TSP passes the token and issuer authorization back to the acquirer, which gets them to the POS terminal to complete the transaction.
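The flow described above, as an added Python sketch that is not from the article or the Federal Reserve report: a toy token vault that de-tokenizes only when the cryptogram is valid and fresh, and answers the acquirer with the token rather than the PAN. The HMAC-based cryptogram, the transaction counter, and all names (`TokenVault`, `network_authorize`, the test PAN) are assumptions for illustration, not the EMVCo scheme.

```python
import hashlib
import hmac
import secrets


def cryptogram(key, token, amount_cents, atc):
    """Device side: per-transaction MAC over token, amount and counter."""
    msg = f"{token}|{amount_cents}|{atc}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class TokenVault:
    """Hypothetical TSP vault mapping payment tokens to PANs."""

    def __init__(self):
        self._entries = {}  # token -> [pan, device_key, last_counter_seen]

    def provision(self, pan):
        """Issue a random 16-digit token and a device key for this PAN."""
        while True:
            token = "".join(secrets.choice("0123456789") for _ in range(16))
            if token != pan and token not in self._entries:
                break
        key = secrets.token_bytes(32)
        self._entries[token] = [pan, key, 0]
        return token, key

    def detokenize(self, token, amount_cents, atc, crypto):
        """Return the PAN only for a known token with a fresh, valid cryptogram."""
        entry = self._entries.get(token)
        if entry is None:
            return None
        pan, key, last_atc = entry
        expected = cryptogram(key, token, amount_cents, atc)
        if atc <= last_atc or not hmac.compare_digest(expected, crypto):
            return None
        entry[2] = atc  # a replayed counter is refused from now on
        return pan


def network_authorize(vault, issuer_approve, token, amount_cents, atc, crypto):
    """Network/TSP step: de-tokenize, ask the issuer, answer with the token."""
    pan = vault.detokenize(token, amount_cents, atc, crypto)
    approved = pan is not None and issuer_approve(pan, amount_cents)
    return {"token": token, "approved": approved}  # the PAN never goes back


def demo():
    pan = "4111111111111111"  # constructed test PAN, not a real account
    vault = TokenVault()
    token, key = vault.provision(pan)  # token and key live on the phone
    issuer = lambda p, amt: p == pan and amt <= 50_000  # stand-in issuer
    good = cryptogram(key, token, 1299, atc=1)
    first = network_authorize(vault, issuer, token, 1299, 1, good)
    replay = network_authorize(vault, issuer, token, 1299, 1, good)
    forged = network_authorize(vault, issuer, token, 1299, 2, "00" * 32)
    return pan, first, replay, forged


if __name__ == "__main__":
    print(demo())
```

A token captured at the terminal without the device key fails the cryptogram check, and a captured token-plus-cryptogram pair fails the counter check on replay, which is why the token alone is of no use to a fraudster.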
‘A Very Significant Investment’
It’s easy to see why the networks have taken on the mantle of TSP. All traffic coming and going between general-purpose credit and debit card issuers and merchants passes through them.
“This hub concept is pretty important because the networks are pretty well-positioned to play that role,” says Zilvinas Bareisis, a London-based senior analyst at financial-services research firm Celent. “They sit in the middle.”
According to Celent, Visa, MasterCard, and AmEx became TSPs in 2014, the year when EMVCo issued its tokenization standard. Riverwoods, Ill.-based Discover Financial Services recently joined them.
All of the networks have come out with varied menus of services for mobile payments and put names on them. Discover calls its mobile platform the Discover Digital Exchange, or DDX.
The platform supports payments on the proprietary Discover network and is being expanded to support third-party issuers, including Discover debit card issuers, says a Discover spokesperson by email. Discover currently is available in Apple Pay and Android Pay, and the company is working with Samsung Electronics Co. Ltd.’s Samsung Pay on integration for some time later this year.
“The ecosystem is advancing at a rapid pace, so Discover is constantly working to adapt our services to marketplace shifts and address client needs,” the spokesperson says.
MasterCard’s platform is dubbed the MasterCard Digital Enablement Service, or MDES. The TSP part of the service has issued “millions of active tokens,” says James Anderson, group executive for Platform Management at Purchase, N.Y.-based MasterCard.
“Strategically it’s extremely important to us … we did make a very significant investment in building MDES,” Anderson says.
MDES has two major constituencies, according to Anderson. The first embraces what he calls “the Pays”—Apple Pay, Android Pay, Samsung Pay, and the like—and is issuer-oriented because it digitizes cards for use in mobile payments.
The second constituency is merchants, many of whom have card numbers on file for use in dispute resolution and chargebacks, recurring payments, and loyalty programs. MasterCard is working on a service, possibly for release this year, that will tokenize these cards, which Anderson says could lead to higher transaction-approval rates.
An example is a MasterCard cardholder who, after losing his old card, presents his new card with a new PAN to a merchant that has the old card number.
“If they tokenize, we can ensure that regardless of the real card number, the merchant can continue to transact,” says Anderson. “There’s a real benefit to the merchant.”
(Visa and AmEx did not respond to Digital Transactions’ requests for comment about their TSP and tokenization businesses.)
‘Opportunities for Other Folks’
The bank card networks are working to build their tokenization businesses by not specifically charging for TSP services, at least for now. But charges can’t be ruled out in the future as tokenization volumes increase, and some observers say entities with both issuing and acquiring operations could be charged for so-called on-us transactions.
Still others say the principle of offering more choices to issuers and merchants merits the entry of new TSPs.
“We see opportunities for other folks,” says Melissa Santora, product strategist in the card services unit of processor Fiserv Inc. “We have the card brands that initiated it … but there could be other people doing it.”
Asked if Fiserv intends to become a TSP, Santora says, “we are definitely evaluating it.”
Brookfield, Wis.-based Fiserv has 15,000 financial-institution clients globally. Santora’s unit provides debit and credit card processing services to 3,200 banks and credit unions.
In November, EMVCo introduced a registration process that could increase the number of TSPs. Approved TSPs must meet a number of criteria, including having ownership of or access to a token vault.
“The process ensures the industry has a way of globally tracking which TSPs represent which card issuer,” Jack Pan, chairperson of the EMVCo board of managers, says via email. “It is important for token requestors to know who the appropriate entity is to request an EMV payment token [from], and that the payment-token system interoperates with the traditional payments systems without conflict.”
But why would a standards body owned by the card networks expose its owners to more competition? A possible answer is that opening the field seems to be in everybody’s interest, including the networks’.
“It’s getting more ubiquity to tokenization, and more security in payments,” says security-technology analyst Julie Conroy, research director at Boston-based Aite Group LLC. “With all the database breaches, the networks are seeking more longevity by creating more confidence in card payments that’s essential for the system to work.”
Adds Dave Fortney, executive vice president of product development and management at The Clearing House Payments Co. LLC: “I think the networks, wearing their network hat, would think it’s a good thing to have higher-security token options to encourage the spread of tokenization.”
Pan of EMVCo says the registration specifications “are designed to be flexible to meet regional and local market needs.” But he says EMVCo is a technical body and does not mandate how its specs are implemented, so he declined to comment on their commercial impact.
While EMVCo’s new registration code contains three digits, theoretically opening the field up to 1,000 TSPs, analysts believe the number of market entrants will be far fewer. Anybody playing the TSP game will need the computing power to tokenize and de-tokenize many thousands of PANs quickly.
“It’s got to be done frequently and at scale,” notes Celent’s Bareisis.
EMVCo would not say if or how many entities have applied for or been approved to become TSPs under the new process, instead referring Digital Transactions to its Web site. As of mid-February, the site showed no approved registrations.
A ‘Rule-the-World’ Approach
It’s clear that most if not all future TSPs will be big, familiar firms, such as, possibly, Fiserv or Synchrony. Another candidate is The Clearing House, which is owned by about two dozen of the nation’s largest banks and operates one of only two automated clearing house network switches in the U.S. (The Federal Reserve operates the other one).
In fact, TCH has already applied to become a TSP, says Fortney. The company first announced its tokenization initiative, now called Secure Token Exchange, as a pilot project back in 2013.
“Our platform is ready and it’s been ready,” he says. “The bottom line—something as important as tokenization, it’s really important that the market has options.”
But with current mobile-payments volumes low, TCH is looking to tap into a growth market rather than take business from incumbents.
“What we continue to do is be engaged with the card networks,” Fortney says. “I don’t want to position this as The Clearing House vs. the networks.”
Other candidates might include major card processors such as Total System Services Inc. (TSYS), and First Data Corp., the biggest one of all. First Data already has served as a provisioner of card credentials for mobile payments (“The Changing Role of the Trusted Service Manager,” July, 2013), and it also offers TransArmor, a widely used security service for merchants that uses data encryption and tokenization.
What’s more, First Data, the top merchant processor, recently opened up its huge merchant portfolio to PayPal Holdings Inc., the mobile-payments leader, ending what had amounted to a three-year embargo on PayPal and its point-of-sale ambitions.
Consultant Steve Mott, principal of BetterBuyDesign in Stamford, Conn., says that development “is pregnant with implications” for tokenization. (First Data declined comment.)
“If you put all the pieces together … you’ll see an alternative to the MasterCard/Visa rule-the-world approach,” says Mott, a consistent critic of what he views as the bank card networks’ dominance of mobile payments.
Synchrony, formerly the card-processing unit in General Electric Co.’s huge finance subsidiary GE Capital, sees all kinds of opportunities with tokenization starting from its base in private-label cards.
It’s created a TSP for small retailers and built a proprietary wallet for two retail clients, says Juel, who asserts that “retailer voices haven’t been incorporated” into the mobile-payments discussion, at least until recently. Synchrony also provides TSP services for Samsung Pay.
“We see that there’s much changing—you have to be in all the channels,” says Juel. “We want our cards to be in all the wallets. We see it in a way that providers [and] banks don’t, handset providers don’t.”
‘Ripe for Competition’
MasterCard’s Anderson believes it’s likely the TSP field will soon have more players, but says MasterCard will work hard in the fast-changing environment.
“We’re aware through conversations of a number of players who have plans in that area,” he says. “We don’t take anything for granted. We have to compete for our issuers’ business, and the digital players have to see the value.”
While the TSP club is poised to expand, the club still will be abiding by rules set by the network-controlled EMVCo. But with mobile payments and security technology evolving rapidly, the new club members hold more hope that they’ll have greater input setting the rules, and keeping prices competitive.
“There’s potential new entrants into the market; that will drive the price down,” says Synchrony’s Juel. “This is an area that’s ripe for competition.”
How the PCI Rules Affect Token Service Providers
The use of tokens for mobile payments is a booming business, and the PCI Security Standards Council thinks it needs some direction for protecting the cardholder data consumers entrust to mobile-payment services.
In December, the Wakefield, Mass.-based PCI Council released a 92-page document titled, “Additional Security Requirements and Assessment Procedures for Token Service Providers (EMV Payment Tokens), Version 1.0.” The new requirements supplement what’s already in the Payment Card Industry data-security standard (PCI DSS), the main set of security rules for card-accepting merchants and processors, and other PCI Council documents addressing security practices involving tokenization.
EMVCo, the standards body that oversees the EMV chip card standard, has issued a specification that will enable more companies to become token service providers, which generate and manage payment tokens. The EMVCo spec defines technical requirements for handling payment-token requests, and the provisioning and processing of such tokens.
In addition, TSP functions can be divvied up, which means more companies will be involved. At the moment, however, probably only about a dozen companies would be directly affected by the new TSP requirements, according to Troy Leach, the PCI Council’s chief technology officer.
The PCI Council says it consulted with EMVCo so that its TSP requirements work with EMVCo’s standard, the goal being to protect the computer and communications environments in which TSPs operate.
There are various types of tokens, but the new PCI rules apply to only a certain kind—the so-called payment token created by an EMVCo-registered TSP, issued to a cardholder in lieu of a primary account number (PAN), and presented to the merchant when the cardholder makes a purchase. An example would be a consumer using an iPhone 6 enabled for the Apple Pay service to buy lunch at McDonald’s.
The rules do not apply to two other types of tokens not generated by TSPs. One is the “acquirer token” created by a merchant acquirer, the merchant itself, or a processor. Acquirer tokens are proprietary tools typically used for card-on-file purposes, such as dispute resolution and chargebacks, recurring payments, and loyalty programs.
“We recognized that some organizations have already invested in taking the PAN and creating acquirer tokens,” says Leach. “The TSP is really for the focus on mobile, so we can successfully and securely have mobile-payment transactions. The security eliminates the value that would be on the phone.”
The second is the “issuer token,” which, as the name suggests, comes from the card issuer and functions as a virtual card number used for specific consumer and commercial card purposes. Issuer tokens resemble PANs, so much so that acquirers and merchants may not even realize they’re dealing with a token, according to a PCI Council document.
Playing Matchmaker With Tokens
A new data element for transaction messages is getting a lot of attention in payments circles. It’s the so-called Payment Account Reference, or PAR, and it’s meant to associate all the payment tokens linked to a single credit or debit card primary account number, or PAN. But implementing PAR could be time-consuming and costly.
Payments executives and researchers say PAR, or at least something like it, is needed to address a growing problem: tokens that can’t find the correct underlying PAN, thereby limiting the ability of merchants and merchant acquirers to perform some important functions for which they need PANs. Think of a brood of ducklings separated from their hen and thus more vulnerable to predators.
EMVCo, the global standards body overseeing EMV chip card payments, is in charge of PAR development. EMVCo first floated its PAR proposal last May, and in January published a specification bulletin with numerous changes.
Merchants and merchant acquirers often use full PANs for a number of pre- or post-authorization purposes, including returns and chargebacks, loyalty programs, and regulatory compliance. But in tokenized payment transactions, merchants and acquirers may not have access to a full PAN. Yet payment tokens associated with such a single PAN can multiply as the cardholder makes more transactions and uses multiple form factors, say a smart phone and plastic cards, associated with a single PAN.
“When a transaction is initiated with an EMV payment token, the functionality of these applications can be impacted since the full PAN may not be available to merchants, acquirers, and payment processors,” a recent EMVCo document says.
“All of a sudden, you lose visibility into your customers’ activity,” says payment-security analyst Julie Conroy, research director at Aite Group LLC. “The introduction of the PAR is really important to filling that gap.”
The current PAR spec calls for a 29-character value that could not be reverse-engineered to reveal the payment token or PAN. A PAR could only be used for completing transaction reversals, risk analysis, completing non-payment operations such as loyalty-program support, and complying with regulatory requirements such as anti-money-laundering rules, according to EMVCo.
PARs would be generated by token service providers—a role currently played in U.S. general-purpose card payments only by Visa, MasterCard, American Express, and Discover—but playing key supporting roles are acquirers, issuers, and processors.
Passing around a new data field, however, is something easier said than done. Conroy says implementing PAR is “huge—a really big task if you think about all of the entities that are going to have to alter their authorization message.” She estimates implementation could take 18 to 24 months.
Dave Fortney, executive vice president at New York City-based The Clearing House Payments Co. L.L.C., says The Clearing House strongly supports the PAR concept, but he too agrees it will take time to put into place. “Something this big probably will take many years to implement,” he says.