How Tokenization Will Transform The “Holy Trinity” Of Payments

 

Customer experience. Security. Ubiquity. These, says Matt Barr, Group Head, US Emerging Payments at MasterCard, make up the “holy trinity” of payments. In a recent interview with MPD CEO Karen Webster, Barr and Shannon Johnson, SVP Head of Checking & Payments, SunTrust, offered a behind-the-scenes look at tokenization and how it’s being used to solve for that trinity. While it has been around for a while and has only recently been made visible thanks to Apple Pay, they offered their views from their perches on how tokenization as a whole will transform payments and digital payments as we know it.

 

KW: Let’s make sure we’re all on the same playing field when it comes to the framework of tokenization – it is different. There is the device account number, and then there is the one-time transactional account number that is generated when a transaction is initiated. So set us straight – how do these two things work?

MB: Tokenization and what’s been introduced through the MasterCard Digital Enablement Service is, we think, very transformational. The end-goal as we see it is that tokenization goes as far as saying that the only place you’ll see a traditional PAN in the future is on a plastic card. Every MasterCard transaction through any channel will eventually be conducted through the use of tokens.

What we’re creating is the ability for a device account number to be attached to a smart device. Each of the devices of a consumer’s would have its own unique device account number. So that’s how it will promulgate.

The use of the one-time transaction accounts is really building off of the EMV capability that’s being introduced. EMV is a critical foundation technology in that it does use dynamic codes for transactions as a way to make them more secure. So it’s taking that EMV capability, and complementing it with these device account numbers so that when a transaction occurs you’ve got the combination of those two powerful capabilities to create a unique transaction. If that token is removed from that device, it’s useless to initiate a transaction through any other channel.

If you think about it, in an NFC face-to-face context, we’re leveraging back into existing capabilities. Merchants that can accept contactless tap today can accept one of these tokens. It’s been designed to minimize the impact on the ecosystem as much as possible.

 

KW: So you say EMV is critical to this?

MB: They’re complementary capabilities – I wouldn’t say it’s critical. Certainly in the early days with what’s been done with Apple Pay, the devices have the capability to do a magstripe and tap transaction or an EMV and tap transaction. It’s backwards compatible in that sense. But that insight which is a unique identifier per transaction is the common element of it.

 

KW: Let’s talk a little about the process and flow. There still remains a bit of confusion there. Shannon, could you walk us through a transaction and who does what in this process?

SJ: Matt talked about that translation of the PAN to the unique token, which essentially is translated within the token vault at MasterCard back to the PAN, which goes to our processor along with additional information. So when you look at the actual data flow, the only thing that’s different for the issuer is the fact that there’s now an additional data element there that tells us that it was this type of transaction with a unique token. Otherwise, it looks the same versus any other card transaction.

 

KW: What has been the experience so far, given that you do have additional data elements and can make decisions related to whether or not you’re going to authorize that transaction?

SJ: We’re still in the early stages. But relative to our expectations, we knew going into this, based on our mobile banking base, approximately how many customers had these types of devices. We’ve seen very good adoption. It was interesting because even prior to our marketing the fact that we had Apple Pay available, we knew from the launch, from MasterCard and from social media, how many of our customers wanted to put their SunTrust cards into the wallet and were not able to.

We’ve seen great adoption ever since the launch of customers not only loading their SunTrust cards but using them as well. The transaction flow is still relatively light, as it is a percentage of the iPhone 6 and 6+ owners using this now. Our customers have also been very verbal about this particularly in the social media space – they voice the fact that they appreciate that we’ve made this available to them.

 

KW: Do you get a sense that consumers understand that there are additional capabilities with the service that make it more secure? 

SJ: Frankly, I think we’re just at the beginning of that journey in terms of educating consumers, and not just when it comes to Apple Pay, but tokenization more broadly speaking. Between tokenization with EMV, many of the debit issuers will obviously issue and reissue debit EMV cards within 2015, there will be a lot more awareness of the security benefits of both tokenized transactions via mobile or an EMV card. Certainly, consumers are aware of the downsides after all that they went through, particularly in the last year, starting with Target’s data breach.

In terms of understanding how tokenization really works, I don’t believe they’re there. It will be up to the networks, the issuers, to educate our customers as these abilities come.

 

KW: Let’s get back to the mechanics of tokenization and talk about the concept of the network on behalf of services, and how tokens are actually managed. Give us a little context around what it is you do on behalf of the issuer.

MB: There are really two core functions that have been performed. The first step is provisioning – how does that device account number get put onto the device, and then secondly what happens through a transaction – how is it mapped back to the issuer for authorization.

The step before that is initial onboarding itself onto our platform, which is an IT project, and from what I’ve observed it takes a bit of time. But as we saw from a pretty near flawless execution, it’s gone very smoothly.

In terms of the provisioning step, once an issuer is connected, they will give us instructions on what BIN ranges they’ll make available to the service. From a consumer’s perspective, when they pick up the device, they can either type in the card details or take a photo to initiate the process. Then, through the platform, we’re passing that request back to the issuer to ask if that customer is in good standing and ask for permission to put the device account number onto the device that’s initiating the request. The issuer can either say they’re comfortable with provisioning, or the issuer may decide to assign a one-time use passcode or call the call center. That’s all about guaranteeing the customer is in good standing.

At that point, we have a device account number and a map in the token vault, which says that number is mapped back to the PAN. When a consumer, through NFC or in-app, initiates a transaction, their token is passed back as a contactless tap and the routing will pass it back to the acquirer, and we will then map it back to the PAN and back to the issuer for authorization. Over time, we’d expect the approval rates for those transaction requests to be pretty high. They will be very secure, fully authenticated transaction requests.

So there are really two parts of it – first the provisioning, or the initial establishing of the relationship between the device account number and the PAN, and secondly, through the transaction, mapping it back to the issuer for authorization through the existing payments process.

 

KW: And do most issuers want you to do that on their behalf?

MB: Certainly, out of the gate, yes. We have had requests for alternative arrangements if other parties want to perform components of that service. That initial mapping needs to be done by us to establish that link and relationship but there are other parties that can play different roles.

SJ: Something I want to emphasize is really important – essentially we brought Apple Pay to life within 60 days. And I think the partnership, working with MasterCard, has opened up the doors to smaller issuers. To have that subject expertise, working side by side with them to have that plug and play option, worked really well for us. We weren’t first to market but a very close second.

 

KW: So obviously with speed to market come other efficiencies. It sounds like it’s very complicated and probably takes a long time and is expensive to create a token vault. In this tokenized, framed environment, who actually owns the data?

MB: Data ownership is exactly the same as it’s always been – in no way has MasterCard gained any new rights to the data crossing the network. We’re careful with how we use the data, and when we use it, it’s done in an anonymous way. Tokenization doesn’t create any changes in that – what we’ve really solved for is security, we haven’t solved for anything different than that other than a great customer experience.

 

KW: What about data accessibility? How does an issuer access the data that the token represents? Does the tokenization process complicate how that data is used on the other side? 

MB: In many ways, what’s been done will enrich the issuers’ data. Shannon talked to the data element being introduced that says this transaction request is being initiated by a specific device. So suddenly, you’ll have that extra overlay. All that information sits back with the issuer as it always has, and in many ways, you create a richer data source because you can start understanding how consumers are using different devices to initiate transactions.

SJ: I agree. The only thing that’s changed is the additional security attributes, but everything else is the same. We’re just moving more data over the same channels.

 

KW: Let’s talk about the tokenized world as you both described it, in the context of the fact that there are many people talking about the many aspects of tokenization. Is this the standard, will it be the standard, how will it know it will become a standard, how long will that take, should it be a standard? Help us understand the process as we evolve it.

MB: If I talk to decisions that have been made and communicated already today, our view is that for it to be successful to scale, it needs to become an industry standard. And that is done with many technologies, be it contactless, secure code or 3D Secure services, EMV – and in that light, we announced in March of this year with Visa and AmEx that we are working toward creating a standard for tokenization.

To be successful and to make it easy for all participants to adopt, it needs to become as standardized as possible. That is the only way we can deliver the security and convenience benefits that the industry needs to transition successfully to digital. We know with the migration to EMV in the U.S., that’s going to tighten up face-to-face transactions and will reduce fraud – we know that as we’ve seen it play out in other countries. The risk will then move to the new weakest link – online or digital. Tokenization is therefore critical to help secure those digital channels.

 

KW: What would keep it from becoming a standard?

MB: I guess it’s an EMVCo standard today, but I guess the question is what will stop it from getting to broad adoption. I think what that may be is the real energy and drive to help transition the market towards it. For in-app, for example, if it’s an iOS application, Apple has published an SDK, which allows a merchant to accept Apple Pay with a tokenized transaction request through an application. But that’s only for iOS and doesn’t solve for online e-commerce.

From the MasterCard perspective, we can solve for those use cases within the MasterPass network. Through 2015, we’ll be upgrading the MasterPass acceptance network to ingest a tokenized transaction request. That is going to be how we see out the path towards getting to a fully authenticated secure transaction environment for digital channels.

SJ: In addition to merchant acceptance, the flipside of the coin is consumer adoption. We’ve seen the early adopters embrace it thus far, but as we talked about, in relatively small numbers. Over time, as they learn the benefits of it including security, especially as we talk about tokenization in broader circles and with EMV.

 

KW: I agree with that. So online is such a growing part of the commerce experience, as we’ve seen. It still represents a tiny fraction of overall retail sales but it is growing because of the availability of mobile devices. I’m curious about what you think about the applicability of what you describe as the MasterPass standard online extending to cloud-based POS applications that may be separate from contactless NFC. Do you think that your standards for tokenized framework could support that?

MB: That’s correct. One of our design principles is issuer-centric solutions, as well as flexibility, which can be about how various partners want to take services to market but also in terms of digital use cases that might emerge. NFC is one. Solving for the right customer experience, security and ubiquity is the holy trinity of payments. Consumer choice and merchant choice in terms of experience – that could be using QR codes, sound, Bluetooth, NFC, etc. Our belief is that tokenization in the MasterPass acceptance network is being purposefully designed to work in any of those use cases across any operating system and across all channels.

There are lots of things we haven’t even heard of yet that need to be considered but we’re trying to factor that into how we evolve our platforms.

 

KW: You can imagine lots of places around the world where there is no device in developing countries but there are transactions happening in the cloud. Why should those transactions have to sacrifice security that comes from a tokenization framework? Sounds like they don’t have to.

MB: Correct. I think if you think about other capabilities coming to market like HCE, and biometrics as well, those start making those use cases attractive and slick and that’s critical.

 

KW: What do you both see in 2015 with respect to tokenization and how it evolves and gets greater adoption? Is it just more people using Apple Pay or are there other things coming that will continue to drive the framework forward?

SJ: Apple Pay is the first iteration and we expect more to come. Not only for devices but also with EMV, talk about secure transactions should be much more visible to consumers in 2015. That’s what I expect to be the end result – a broader dialogue versus the early adopters talking about a functionality.

MB: In 2015, I would expect to see a broadening of adoption of tokenization into various digital players. I’d also expect to see tokenization adopted into issuer-centric solutions in our world both around NFC but also for MasterPass, in-app and online. On the merchant side, what we are already seeing is the interest around in-app payments. It’s the early days but Apple Pay will really help to educate the market on what’s possible. And with the EMV migration, we expect to see contactless adoption spread through the market. I’m expecting we’ll see a broadening and deepening across players and channels, and continued adoption.

But how long will it take? This is a long game. We’re at a very once-in-a-many-generation moment in upgrading the payments network to digital, and certainly the contactless journey will take many years. Like Shannon said, the education of consumers and merchants around the benefits is key in driving adoption.

 
