The new pricing schedule for token fees released by MasterCard in August initially was met with questions and consternation by outside observers. What exactly are these new tokenization fees? When and how would they be used? Are existing token providers going to be charged new fees? Why is MasterCard adding 1 bps to cardholder not present transactions and, by the way, what exactly qualifies as a cardholder not present transaction? Visa was conspicuously quiet and wouldn’t comment on their intended pricing, but assumptions were that they would likely follow suit – but for what, and when?
Obviously, the picture became much clearer with the official unveiling of Apple Pay. The networks developed a tokenization standard that will be utilized on a broad commercial basis with the launch of Apple Pay in October. Replacing the actual cardholder account number (PAN) with a token significantly reduces the risk of fraud since no one involved in processing the transaction ever gains access to the actual card number, except the issuer. It’s the goal that many of us at PYMNTS have been advocating for the past several months, if not years, as the ideal solution to combat fraud as channel convergence becomes a constant reality, not something in the distant future.
But someone, somewhere, has to “create” this token. Someone has to determine where and how this token can be used. Can it be used everywhere? For any kind of purchase? On any device? For any amount? Can I buy a diamond ring with it? How about a first class ticket to Moscow?
In addition, is this token static? Hopefully not, or else it is basically as dangerous as the card number itself. If it’s dynamic, what is the additional authentication or process used to make it so? Is it single-use or a combination of static and dynamic data?
The list of ways to make it truly secure can become mind numbing in a hurry.
But these questions aren’t new. The usage of tokens isn’t new either. Tokens have been embraced for quite a while by some of the leading gateway providers in the digital environment as the best way to prevent fraud.
LevelUp has long used tokens as the method of exchanging payment data between Braintree, their payment gateway, and the merchant. Uber also uses tokens, as does TaskRabbit through Stripe. And Paydiant, the provider for MCX, has received a patent using a unique tokenization approach.
Also, more than a decade ago, issuers used a form of tokenization through single-use account numbers – numbers generated for a specific purpose and transaction, generally commercial card usage – to create greater control and minimize fraud.
So what’s the big deal now? MasterCard has been involved with “tokens” for years in the commercial and consumer card space. Have they just decided to print money by creating a new revenue stream from digital and mobile transaction volume growth? Are they taking advantage of those who will need to use these tokens in the fight against fraud? Well, maybe, but I think it’s a little more complex than just seizing a new opportunity.
First, let’s rewind the clock about three years. The networks faced a pretty nasty situation called the Durbin Amendment. The impact of interchange fee reduction primarily affects the issuing banks, but there were, and still are, secondary impacts on the networks. Components of the amendment related to dual brand requirements and routing choice, which effectively eliminated sole provider status, caused financial impacts as each network went to bat to save or capture market share. In the midst of pricing changes, negotiations, renegotiations, and ongoing negotiations, financial institutions had a hard look at the networks and asked – “What have you done for me lately? As in, maybe the last 5 years?”
The networks were also facing formidable competitors and threats to their business model. PayPal was a “frenemy”. While they provided significant volume, they had effectively built a fifth network and continued to grow at record levels. Facebook and Google were building payment schemes. The MNOs were planning to launch ISIS after initially threatening to build their own payment rails. Globally, regulation of interchange continued, regulating debit as well as cross-border transactions in Europe. In the U.S., the conversational buzz became “credit interchange regulation is next”. And, if you thought Durbin created a torrent of negotiations and scramble for market share, credit interchange regulation would make that look like child’s play.
So despite Visa and MasterCard being entrenched players with huge market shares, project into the future perhaps 10 to 20 years, and maybe sources of robust revenue for the networks could be a little questionable at best, or at worst, severely under attack.
Neither Visa nor MasterCard rested on their laurels. Visa started expanding into core aspects of the ecosystem many years ago through the acquisitions of Cybersource and Fundamo as well as their continued growth of DPS. But they both have another key asset that virtually no other entity in the payments space can touch: data.
Monetizing data for networks is tricky. Issuers “own” the rich behavioral information that gives insight about how consumers pay. Merchants “own” detailed transaction-level information that reveals exactly what, when and where we decided to buy those overpriced red shoes. But networks have access to transactional information across all merchants, issuers and cardholders. This is powerful.
Access to all of the data is especially powerful since it takes a huge amount to understand certain trends and insights given the fragmentation of the U.S. commerce environment. Lots of data is needed to spot potential fraud at one particular merchant, even a large one, which requires access to information across issuers. The same applies to channel usage. The more data available, the quicker new patterns of fraud might appear in mobile channels, for example.
This brings us back full circle to tokens. Tokens provide new bridges of opportunity between data, security, revenue and the entities who sit squarely in the middle of the transaction – the networks.
If we go back to how tokens were primarily used, for example in the case of Uber, the “token” was passed between the merchant and the gateway. The “new” standard, which has been developed with EMVCo by the networks, flows throughout the transaction. When a consumer decides they want to use Apple Pay, for example, a token is created for their card number and stored on the secure element. This is used in conjunction with a dynamic code for purchasing.
Since the token is needed on both sides of the transaction (merchant and issuer), having the network both create the token, as well as decrypt and pass the token during the transaction, makes a lot of sense. Now it’s not a requirement that either Visa or MasterCard create and manage the tokens; issuers can do this as well. It’s merely a service the networks can provide, and they are in a key position to do it.
No one wants just any entity to jump into the game and create tokens. This requires extremely high levels of security and reliability. The provider is holding all of the “keys” between the “real” account number and the fake one (i.e., the token). They have the potential of holding millions of card numbers and credentials, which must be accessible instantaneously from any channel and, hopefully, during those critical days and weeks of the holiday season. So what companies and brands are known and trusted by consumers as secure? That would be the networks. Who has invested millions in redundancy to keep transactions flowing during the peak volume minutes of the year? That would be the networks.
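The arrangement described above (a provider holding the token-to-PAN mapping, a token bound to one device, and a dynamic code per purchase) can be sketched in a few lines. This is an added example, not code from this column or from any network's specification: HMAC-SHA256 stands in for the real cryptogram scheme, and the class, field names, spending limit and test card number are all constructed for illustration.

```python
import hashlib
import hmac
import secrets


def make_cryptogram(key, token, amount_cents, counter):
    # Per-transaction "dynamic code": HMAC stands in for the real cryptogram scheme.
    msg = f"{token}|{amount_cents}|{counter}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


class TokenVault:
    """Toy token provider: the only place the token -> PAN mapping exists."""

    def __init__(self):
        self._records = {}

    def provision(self, pan, device_id, limit_cents):
        # Random digits in card-number shape, so the token reveals nothing about the PAN.
        token = "9" + "".join(secrets.choice("0123456789") for _ in range(15))
        key = secrets.token_bytes(32)  # would live in the device's secure element
        self._records[token] = {"pan": pan, "device": device_id,
                                "limit": limit_cents, "key": key, "last": 0}
        return token, key

    def detokenize(self, token, device_id, amount_cents, counter, cryptogram):
        rec = self._records.get(token)
        if rec is None:
            return None, "unknown token"
        if device_id != rec["device"]:
            return None, "wrong device"
        if amount_cents > rec["limit"]:
            return None, "over limit"
        if counter <= rec["last"]:
            return None, "replayed counter"
        expected = make_cryptogram(rec["key"], token, amount_cents, counter)
        if not hmac.compare_digest(expected, cryptogram):
            return None, "bad cryptogram"
        rec["last"] = counter  # each dynamic code is accepted once
        return rec["pan"], "ok"


def demo():
    vault = TokenVault()
    token, key = vault.provision("4111111111111111", "phone-A", 50_000)  # constructed test PAN
    code = make_cryptogram(key, token, 1_200, 1)
    return [
        vault.detokenize(token, "phone-A", 1_200, 1, code),       # genuine purchase
        vault.detokenize(token, "phone-A", 1_200, 1, code),       # captured data replayed
        vault.detokenize(token, "phone-A", 1_200, 2, bytes(32)),  # token known, key not
        vault.detokenize(token, "phone-B", 1_200, 2, code),       # token moved to another device
        vault.detokenize(token, "phone-A", 900_000, 2, code),     # the diamond ring
    ]
```

Only the first call returns the card number; a static token without the device key, the counter and the usage limits would have passed all five.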
What makes this even more interesting is that tokens can be used for so much more. Yes, the priority is to focus on plugging the gaping security hole in digital and mobile transactions. Tokens clearly do this. But you can use a token for anything. Tokenize a rewards program or customer loyalty numbers. Create single-use tokens for high transaction purchase amounts. Use tokens instead of prescription numbers for sensitive orders between physicians and pharmacists. As we dream about the internet of things, the potential seems limitless. There are potentially hundreds of uses.
Point being – if an entity becomes proficient in the creation and management of tokens, especially those that are eventually tied to a payment, they can probably monetize it in a multitude of ways for the foreseeable future. That’s the real opportunity. And the networks sit right in the middle of it.
So when and how to capitalize on it? In this fledgling, fickle world of mobile, how do leading players charge for tokens and when? Now, that’s the real question.
Trying to earn basis points here or there, even if small, is likely to make enemies from whomever you are charging the fee, in my opinion. To ignite the ecosystem and ultimately reduce the likelihood of fraud on mobile devices, which I think is the point of this specific application, you need to encourage usage. Even using interchange as a “stick” at this point in time seems a bit tricky.
On the other hand, charging fees for services provided, such as creating a token, managing the token, decrypting, etc., certainly makes sense. These are value added services. The question is “when and how”? While there is no right or wrong answer, this is a new space and multiple entities will want to compete to provide the service. We’ve already seen evidence of this. Both First Data and TSYS announced support for provisioning tokens for their issuers, in addition to providing solutions for their merchant clients. The very large issuers will likely want to control the process as much as possible, making it tough to convince them otherwise.
My vote would be to just let the ecosystem evolve. Get customers on board, position well and become the trusted service provider. There are multiple avenues that can be monetized in the long run. After tokens start being used, grow in volume, and create new uses, it might be easier to introduce a fee for service, rather than risk a price war right out of the gate.
The entire ecosystem wins through mass adoption of a token standard for mobile and digital transactions. I understand that those who have invested time and energy to create the process should be compensated, but it’s useless if they don’t get the volume. If processors become the “go to” providers, or enough issuers decide to invest and control the process themselves, then the networks have missed a big opportunity.
Visa seems to be taking the deferred pricing approach based on recent comments by Bill Gajda. He claims Visa is deferring fees for tokenization until the end of 2015. Part of the reason is to understand how the market and other uses evolve. It would also seem it’s an easy way to get issuers to say “yes, you do it – get it done”. MasterCard decided differently. They are charging a fee from the beginning.
It is unusual that the two most powerful networks took decidedly different approaches with regard to pricing the service. This highlights the great moment of transition we are in with regard to mobile. The exact direction is still evolving and unclear, even to those who have the best seat at the table. What will it take to really accelerate use of this new standard? Who is likely to emerge as a highly trusted provider, perhaps not only for payment credentials, but other uses as well? Will tokens become the next big business opportunity for the networks?
Perhaps. But there are many other entities capable of providing this service. Positioning appropriately, creating global capabilities and establishing insightful pricing will become critical considerations moving forward.