WIXLIB

EMV TokenizationNovember 3, 2016

Smart Card AllianceSmart Card Alliance MissionTo stimulate the understanding, adoption, use andwidespread application of smart card technologythrough educational programs, market analysis,advocacy, and industry relations . . . .Mobile CouncilBuilding industry awareness around the business andsecurity impacts of utilizing different technologies fordistributing, storing and using secure credentials onpersonal mobile and tethered wearable devices.Recent Mobile Council Resources EMV and NFC: Complementary Technologies EnablingSecure Contactless Payments Host Card Emulation: An Emerging Architecture forNFC Applications Webinar2Mobile Council

Today’s Webinar Topics and Speakers Introductions Randy Vanderhoof, Smart Card Alliance Introduction & Tokenization Overview Sadiq Mohammed, MasterCard Implementation Considerations for Tokenization Sree Swaminathan, First Data Security Considerations for Tokenization John Sheets, Visa Summary & Conclusions Randy Vanderhoof, Smart Card Alliance Q&A Randy Vanderhoof, Smart Card Alliance3Mobile Council

Introduction & Tokenization OverviewSadiq Mohammed, MasterCard

What Is Tokenization?Tokenization [tō·kən·ə′zā·shən]Tokenization is the process of substituting a sensitive data element with aunique non-sensitive equivalent, referred to as a token, that has noextrinsic or exploitable meaning or value.Token values vary in format and may be cryptographically or noncryptographically generated – varies by type of token, use case andsolutionTokens are generated, stored, mapped/de-mapped within a securecentralized system called a Token Vault.Detokenization is the process of mapping the token back to its originalvalueAn entity providing Tokenization/Detokenization is typically referred to as aToken Service Provider5Mobile Council

Where Does Tokenization Play a Role in Payments?Tokenization is used to replace a consumer card’sPrimary Account Number (PAN) with an alternativevalue called a Token, in order to protect theconsumers account informationCardholderToken Features: A single PAN may be mapped to multipletokens for different use cases Tokens may be merchant, channel ordevice specific and single or multi-use If compromised or stolen, tokens reducethe likelihood of subsequent fraud sincethey have no value outside a specificdevice, merchant or acceptance channel6Mobile en-4PAY

What Are the Different Types of Payment Tokens?CharacteristicsPayment Token TypeAcquirer TokenIssuer TokenEMV Token Created within the closedenvironment of the merchant andacquirer and used to removesensitive account data from themerchant environment Created by the issuer to tiemultiple PANs to the same useraccount. Some of these PANsmay be temporary or for onetime use while some may be toenable a sticker or cardaccessory. Created by token service provideron behalf of the token requestorto substitute for a PAN during theentire transaction process. Thesetokens are typically specific to aparticular device, transaction typeor merchant. Alpha-numeric or numeric charactersof acquirer-desired length/type PAN-formatted number issuedunder an issuer BIN / card range PAN-formatted replacement valuebased on a designated Token BIN orToken Card Range Acquirer, Processor, PaymentServices Provider, Gateway Issuer or Issuer Processor / Agent Payment Network or Issuer/IssuerProcessor or EMVCo enrolled TSP. Merchant to Acquirer only Issuer only Transparent to all participants Usage restricted to controlledpayment interactions between agiven merchant and token serviceprovider May have limits on its usage(frequency, amount, domain) bythe issuer and its vault Offers usage restrictions to giventoken requestors and domain(s) tominimize fraud impacts if data isexposedToken PurposeToken FormatToken ProviderTransparencyUsage Restrictions7Mobile Council

What Is Special About an EMV Payment Token?EMV Payment Tokens look exactly like a regular PAN, pass through thepayment system without any changes, but are processed differently andmay have domain restrictions to protect them from improper usage.EMV Payment Tokens will:8 Not ‘collide’, or conflict, with an actual card issuer assigned PAN Pass basic validation rules of an account number, while reinforcinginteroperability Be mapped and associated with an underlying PAN by the entity thatgenerates it, and issues it to the requestor Be accepted, processed and routed by the entities within the ecosystem(merchants, acquirers, payment processors, payment networks, cardissuers) Be a 13 to 19 digit numerical value that conforms to the accountnumber rules of an ISO message (‘like-to-like’ formatting)Mobile Council

How Does EMV Tokenization Help?An interoperable standards based approach will help enableadoption and facilitate newer models in the existing paymenteco-system GlobalEnables newchannels & formfactorsSecurePayment TokensIndustry standardand ts new participation9

Why Has Tokenization Gained Importance? Increasing security on mobile devices is a key driver Proliferation of devices increases risks with a single PAN Card reissuance and updates have become a major pain point that isaddressed by tokenization The need to support more paths for commerce in a controlled mannerSource: Javelin: The Evolution of Tokenization in aMobile Payments Environment, Dec 201510Mobile CouncilSource: First Annapolis: Study of Mobile Banking &Payments, Third Edition, August 2016

Where Can We See Tokenization in Action?Major Device-based Wallets have all utilized TokenizationApple PayAndroid PaySamsung PayMicrosoft WalletMajor EMV Token Service ProvidersAmex Token Service11Mobile CouncilDiscover Digital XchangeMasterCard DigitalVisa Token Service (VTS)Enablement System (MDES)

Implementation Considerations for TokenizationSree Swaminathan, First Data

Where Does a TSP Fit In the Payments Ecosystem?NewLegacy13Mobile Council

What Is the Role of a Token Service Provider?Key Concepts & Functions:Token Generation/Issuance: The TSP isresponsible for setting up PAN and Tokenranges and generating tokens that does notcollide with existing PANs and that are inaccordance with EMVCo Tokenizationstandards.Token Vault: The generated tokens and theoriginal PANs they map to are stored securelyin a token vault and the mapping is used duringthe detokenization process.ID&V and Token Assurance: The TSP enables aIdentification and Verification Process (e.g. KYC,CVC/AVS verification) to derive a risk score.Accordingly, a token may have an AssuranceValue between 0-99 based on risk profile andstrength of ID&V.Token Domain Restriction: Assigning a token toa specific device, channel, merchant orgeographic location or a combination of theseto restrict the transaction within that domain.Token Lifecycle Management: The process ofcontinually managing the token throughsuspension, deletions, updates, etc.14Mobile Council

How Does a Token Come to Life and Get Used?15Mobile Council

Detailed Token Provisioning fication andVerification3.Tokenization4.EMV Data Prep5.Provision request toTSM6.Provision Credentials tothe Secure Element inthe Device7.ActivationPAN16Mobile Council

Detailed Token Provisioning ification andVerification3.Tokenization4.EMV Data Prep5.Provision Request tothe Cloud6.Provision Limited useCredentials to theDevice7.ActivationPAN17Mobile Council

Token Use During an In-Store TransactionMobileWallet18Mobile Council1.Initiate Payment2.NFC Transaction3.ISO Auth Message4.AuthorizationRequest/Response5.Routing uthResponse7-8. Host Synchronization,Life Cycle Management,Credentials Update(HCE Use case)

Token Use During an In-App Transaction1. Merchant provides Buy options to the consumer for the merchandise2. Consumer taps the Pay button to complete the transaction.3. Payment request sent to Mobile Wallet App4. Merchant App obtains the encrypted transaction payload back fromWallet API and servers5. Merchant App sends the payload to Payment Platform using thePayment Platform API6. Payment Platform decrypts the payload and processes thetransaction7. Payment authorization is processed by the TSP and Issuer8. Auth response is provided back to the user and payment transactionis completedSource example : First Data Payeezy: https://www.payeezy.com19Mobile Council

Token Life Cycle Management20Mobile Council

Stakeholder Considerations for TokenizationIssuers: Ensure Token Service Providers have necessary certifications and approvalsEnsure TSPs have a secure interface and authenticate all TSP requestsUnderstand the alignment with existing card programsCardholder and employee education on tokenizationID&V decisioning and additional security such as step-up authenticationAcquirers/Processors: Tokenized transactions that require new fields and messages to be supportedMay require additional requirements to support cryptograms and dynamic dataEnable new payment channels and domainsMerchants: Ensure POS supports NFC transactionsConsider Wallet provider, Network guidelines for Token transactionsPotential impact to loyalty programs as some consumers may transact with different tokensLoyalty, Marketing and Promotions impact to existing programs in place(PAR field may have to be considered)Understand returns in Tokenized transactionsTSPs : 21Enable Issuers and Token Requestors to request Tokens for multiple channels and domains(NFC –SE/HCE, In-App, Browser Based, Card-on-file, QR, Connected Devices etc.)Provide Token Service APIs, interfaces and customer support to stakeholdersObtain necessary certifications for the industry complianceMaintain Token BINs, PAR support on-behalf of issuersSupport various cryptographic algorithms for Token transaction processingMobile Council

Security Considerations for TokenizationJohn Sheets, Visa

Tokenization vs Encryption – A Common Misunderstanding From a security perspective, Tokenization enhances security in animportantly different way than Encryption Encryption obfuscates data using an encryption algorithm in conjunctionwith keys to protect the data While encryption is excellent to ensure confidentiality of the data encrypted, itonly protects that data while it is encrypted To be used for transaction processing, it is usually the case that the encrypteddata must be decrypted to be used, and then re-encrypted to once again protectthe data Decrypted data is vulnerable to attack In contrast, tokenization replaces sensitive data with alternative data thatis designed such that it cannot be misused Only the linkage between the token and its original data is sensitive That linkage is stored in the Token Vault23Mobile Council

Tokenization Security BenefitsToken security is based on two key conceptsIdentification and Verification (ID&V) Provides trusted binding of a payment token to a PAN, supporting a wide range oftoken business usesToken Domain Controls Restricts use of token to the specific domain for which is was intended Domains can be channel-based, merchant specific, require dynamic data includedwith the token, etc. Not all potential restrictions may be required of each token type E.g., one token domain may be a specific card-on-file merchant, while anothertoken domain may be for chip card transactions with an accompanying cryptogram24Mobile Council

Tokenization – Additional Security BenefitsTokenization provides additional security benefits:Limiting proliferation of PANs As the number of devices and places you frequently shop increase, storing PANs in allthese places increases risk exposure of the accountTokenization addresses this by issuing specific tokens for specific devices and for specificpurposes, thereby eliminating PAN data from a merchant environmentReal time token management 25The ability to delete/suspend a token from a device allows for further protection ofcardholder accounts when devices are lost or stolen.Since different tokens can be assigned to different devices, when one particular device iscompromised, only that device needs to be deactivated and other devices do not getimpacted.Mobile Council