By Ken Musante
Napa Payments and Consulting
Tokenization is what payment providers use to replace primary account numbers (PANs) and other details associated with payment cards with a substitute string or token. Tokenization came about because hacked card data became a currency for thieves. Initially, vendors created their own proprietary token formats; however, with the formation of EMV network tokens, the card networks are seeking a single EMV format to be used universally.
First, some context. By 2023, 80 percent of payments will be digital, according to estimates by Forrester. Assuming these transactions are tokenized, this will result in a more secure transaction and easier check out process, which will obviate the need for a dip or tap.
According to Valuates Reports, https://prn.to/3QOcwQG, the global tokenization market size is projected to reach $2.7 trillion by 2028, up from $1.1 trillion in 2021. This is a cumulative average growth rate of 13 percent. In addition to the enhanced security, the option is growing because of its convenience.
Tokenization allows consumers to fill in details at checkout, and complete payment, with one click. Tokenized transactions are better, faster and easier—and in some instances, less costly.
Tokens are created, stored, ciphered and deciphered inside a token vault. Traditionally, even in a tokenized transaction, the PAN needed to be exposed in order to process the transactions. Point-to-point (PTP) encryption between the card and the processor for the entire transaction was identified as a way to further protect transactions; however, PTP is a tax on all players within the payments ecosystem. It is expensive and difficult to achieve.
Consequently, tokenization is more widely used and with lesser costs. To support a standard with tokenized transactions, The PCI Security Standards Council introduced the EMV Payment Token, which is format-preserving and interoperable with legacy processors and other providers within the payments stream (with the appropriate credentials).
It is important to understand that not all tokens are equivalent. An EMV token, like any token, replaces the PAN. The token is issued in conjunction with the card issuer, who integrates with the token service provider (TSP). For its service, the TSP will charge a fee. This fee will be in addition to the gateway charges. Unlike proprietary (that is, third-party or gateway) tokens, EMV tokens may be ported to a new vendor without the need for deciphering.
Proprietary tokens have another flaw: they must be converted back to the PAN for the card transaction to be completed. Regardless of the vendor, the EMV token need not be converted to the PAN at any point in the transaction. Less this be lost, this is an enormous security advantage.
EMV tokens further bring value in that they may allow the issuer to restrict transactions by domain. For example, they may be allowed only at an ecommerce merchant or only with a specific level of authentication. This further reduces the value of hacked payment information, as a payment token should not be able to be used beyond the environment in which it was intended.
Another benefit afforded merchants utilizing EMV tokens is they may leverage the payment account reference (PAR) as a way to link transactions with the underlying card number. PAR data cannot independently be used to authorize a transaction and, by itself, it is not considered PCI data. This is an enormous benefit, as it allows the use of the PAR for customer identification while maintaining the PAN within the payment ecosystem.
This can help identify and thwart money laundering, for example, even though the customer’s card number is not known. This also enables support for value-added services such as fraud screening and loyalty identification and support, which can be maintained outside of PCI scope.
The PAR can be linked to PAN and successor PANs, which are generated due to card replacements from a loss/stolen event. This allows issuers to to update the PAN outside of a cardholder’s manual intervention or the need for an account updater solution.
Visa recognized the benefit of EMV tokens over proprietary tokens and provided a 10 basis point differential for when an EMV token is employed. This is a significant monetary advantage and will provide acquirers and solution providers that implement EMV tokens a competitive pricing advantage.
This needs to be considered, however, in the context of the transaction size as the token service provider has a fixed tokenization fee. On the other hand, authorization rates (within the United States) should increase, and fraud should be lessened. Adoption outside the United States remains problematic, and coverage within the United States is not universal. Nonetheless, EMV tokens should be considered by merchants and platforms. There are enormous benefits to be had.
As founder of Humboldt Merchant Services, co-founder of Eureka Payments, and a former executive for such payments innovators as WePay, a division of JPMorgan Chase, Ken Musante has experience in all aspects of successful ISO building. He has also served as an expert witness on numerous complex civil and criminal cases in payments, a service he provides, along with consulting on merchant services and platforms, as founder of Napa Payments and Consulting, www.napapaymentsandconsulting.com. Contact him at firstname.lastname@example.org, 707 601 7656 or www.linkedin.com/in/ken-musante-us/.
The Green Sheet Inc. is now a proud affiliate of Bankcard Life, a premier community that provides industry-leading training and resources for payment professionals. Click here for more information.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.Prev Next