Choosing the right tokenization scheme
In the wake of recent well-publicized data breaches, the financial services industry is looking at tokenization as a means of improving the security around payments. In a previous article for BAI Banking Strategies, we looked at tokenization from the standpoint of managing token directories. Now it’s time to tackle the issue of sorting through the different approaches to delivering tokens to the point of sale.
The industry has reacted positively to EMVCo’s interoperable payment tokenization scheme, in large part due to the role of EMVCo within the Apple Pay ecosystem. However, notwithstanding the popularity of all things Apple Pay, usage of tokenization among the general population of consumers and merchants remains low. Even if informed and keen to participate, most consumers are left out because they don’t have the means to present or accept tokenized payment credentials within the current payments environment, whether it’s due to the wrong terminal or wrong card and/or wrong phone.
EMVCo payment tokens are used in the card-present channel to provide increased protection against counterfeit, account misuse and other forms of fraud. Media for facilitating the payment token exchange between consumer and merchant use a variety of technologies such as EMV cards for contact interactions; Near Field Communication (NFC); Quick Response (QR) codes; and Bluetooth Low Energy (BLE) for contactless interactions, such as those initiated using mobile devices. Much of this represents new technology that requires modifications or upgrades of existing technology. With release cycles introducing innovations at an increasing rate, these types of impacts are inevitable, but have been resisted until the last possible minute, especially if the attendant cost for hardware, software and training is material.
When it comes to unlocking the benefits of tokenization for more merchants and consumers, navigating the complexity created by the labyrinth of various smartphones, point-of-sale (POS) terminals and implementation options is challenging. The most obvious, yet under-utilized delivery method, is the EMV chip card, where the primary account number (PAN) encoded on the chip is replaced by a token that is then delivered by the consumer to the merchant’s POS terminals. By layering EMV chip and tokenization technologies, all parties involved in the transaction are further protected against card fraud.
The EMV chip provides cryptographic card authentication that deters counterfeiting of cards, while tokenization replaces card data with payment tokens that cannot be used outside a specific merchant or channel (token domain) and, therefore, hold limited value for a criminal. But, given the U.S.’s dependence on the magnetic stripe, there is a weakness in this approach as the chip card still needs to support a static magnetic stripe, effectively incorporating a poorly secured back door into the card structure. This magnetic stripe is vulnerable to counterfeit and could be used in a card-not-present environment, such as an eCommerce website.
Currently, EMV cards aren’t in everyone’s hands, although this is rapidly changing. Aite Group estimates that by the end of 2015, approximately 70% of credit cards and 40% of debit cards in the U.S. will support EMV. These consumers armed with EMV cards will be able to easily find an in-store merchant to accept them. The Payments Security Task Force estimates that at least 47% of U.S. merchant terminals will be enabled for EMV chip technology by the end of 2015. While this is good news, the use of tokenization within this environment has not been given much thought, largely because most of the resources available have been focused on meeting the deadlines around converting the large universe of cards in the U.S. to the EMV-standard. Issuers and merchants will need more time to tokenize and use EMV cards in stores at the point of sale.
Meanwhile, newer schemes are emerging that facilitate payment token exchange using mobile smartphone technologies based on NFC. A secure element (SE) scheme stores tokenized payment credentials in the SE of the device. Apple Pay and Samsung Pay are prime examples of SE-based solutions. An alternative scheme is host card emulation (HCE), where the tokenized payment credentials are stored in a host environment and delivered to the mobile device on an as-needed basis. Google Wallet, Tim Hortons (Canada), Royal Bank of Canada (RBC) and BBVA (Spain) are examples of this type of HCE-based deployment, as is the impending Android Pay.
Mobile smartphone NFC delivery options look promising, but are somewhat of an exclusive club at the moment. For Apple users, membership to the club means owning an Apple 6 smartphone or Apple Watch. For non-Apple users, it means owning a device supporting Android 4.4 (onward) or Blackberry 10 (onward). Are consumers adopting this new technology to access these new ways to pay? Sort of.
According to Phoenix Marketing International’s report, Apple Pay Live: The First Four Months, only 61% of the consumers purchasing a new smartphone in the first five months after the iPhone 6 was made available actually acquired a new generation smartphone, iPhone 6 and/or Android 5.0. On the other hand, adoption rates for those consumers armed with the right equipment are encouraging. According to Auriemma Consulting Group’s Apple Pay Tracker, as of May 2015, 46% of iPhone 6 users have successfully used Apple Pay, with 63% of these users stating that they use Apple Pay at least weekly.
For merchants to provide consumers with the ability to pay with their phones, it means having an NFC-ready POS terminal with NFC turned on. Consistent, comparable statistics on the NFC-ready device install base are difficult to find, but most percentage estimates hover in the single digits. Terminal makers are working to increase this number. Verifone says that more than 70% of the terminals it now sells in the U.S. support both NFC and dipped chip cards. Square recently announced its new Square Reader (coming fall of 2015) will accept NFC and EMV payments. It’s a bit clunky, since the merchant still needs the classic Square reader for magnetic stripe payments, but for around $50, this innovation could easily broaden EMV contact and contactless payment acceptance among small to medium U.S. merchants.
Recognizing that NFC terminal rollouts will take some time, Samsung 6 does not simply support NFC, but also can deliver payment tokens to existing magnetic stripe readers. Earlier this year, Samsung acquired LoopPay and its Magnetic Secure Transmission (MST) technology. MST mimics a magnetic stripe swipe by passing magnetic pulses from the mobile phone to the card reader. LoopPay is currently working with the card brands to develop a form of tokenization that is compatible with MST, where a seven-character EMV cryptogram is placed in the discretionary field in the mag stripe Track 2 data.
While not 100% compatible with magnetic stripe readers, MST can be used at 90% of U.S. merchants that use mag stripe technology at their POS terminals. The merchants needn’t upgrade their terminals, as they do if they choose to support NFC. But, even if you have the Samsung 6, you have to wait until this summer’s launch of the Samsung Pay wallet to be able to take advantage of the phone’s MST capabilities.
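The idea of carrying a per-transaction cryptogram in the Track 2 discretionary field, described above for MST, can be made concrete with a short sketch. This is an added example, not part of the original article and not LoopPay's, Samsung's or EMVCo's algorithm. The HMAC-based cryptogram, the 4-digit counter placed beside it, the key and the token value are all assumptions constructed for illustration.

```python
import hashlib
import hmac
import re

# ISO/IEC 7813 Track 2 layout: ;account=YYMM, 3-digit service code, discretionary data, ?
TRACK2 = re.compile(r"^;(\d{1,19})=(\d{4})(\d{3})(\d*)\?$")
KEY = b"constructed-demo-key"        # constructed issuer key, for illustration only
TOKEN = "4000001234567899"           # constructed payment token standing in for the PAN

def parse_track2(raw):
    """Split a Track 2 string into its fields; raise ValueError if malformed."""
    m = TRACK2.match(raw)
    if not m or len(raw) > 39:       # 40 characters maximum once the LRC is appended
        raise ValueError("not a valid Track 2 record")
    return dict(zip(("account", "expiry", "service_code", "discretionary"), m.groups()))

def cryptogram(key, token, counter):
    """Assumed scheme: seven decimal digits from HMAC-SHA256 over token and counter."""
    mac = hmac.new(key, f"{token}|{counter:04d}".encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:8], 'big') % 10**7:07d}"

def build_track2(key, token, expiry, service_code, counter):
    """Assumed layout: discretionary data = 4-digit counter + 7-digit cryptogram."""
    return f";{token}={expiry}{service_code}{counter:04d}{cryptogram(key, token, counter)}?"

class IssuerVerifier:
    """Issuer-side check that rejects static, altered and replayed track data."""
    def __init__(self, key):
        self.key = key
        self.last_counter = {}       # token -> highest counter accepted so far

    def verify(self, raw):
        fields = parse_track2(raw)
        token, disc = fields["account"], fields["discretionary"]
        if len(disc) != 11:
            return "reject: no dynamic data"
        counter, received = int(disc[:4]), disc[4:]
        if not hmac.compare_digest(received, cryptogram(self.key, token, counter)):
            return "reject: bad cryptogram"
        if counter <= self.last_counter.get(token, -1):
            return "reject: replayed track data"
        self.last_counter[token] = counter
        return "approve"

if __name__ == "__main__":
    issuer = IssuerVerifier(KEY)
    swipe = build_track2(KEY, TOKEN, "2512", "101", counter=1)
    print(swipe, issuer.verify(swipe))            # first presentation
    print(swipe, issuer.verify(swipe))            # same data captured and replayed
```

Because the discretionary data changes with every presentation, track data skimmed from one transaction fails the counter check when presented again, which is the property a static magnetic stripe lacks.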
Other products such as Coin, FiTeq, Stratos, Swyp and Wocket are popping up supporting a programmable magnetic stripe so that a consumer can consolidate multiple cards onto a single card. Because of the dynamic aspect of these products, the possibility exists that their services can be extended to provide tokenized track data in a manner similar to LoopPay. While these cards can be used at most POS terminals, it is yet to be determined whether consumers will be willing to make the investment required to use them, which in some cases can be upwards of $100 per year.
Mobile QR codes (mobile QRC) show promise too, and could be used to facilitate payment token exchange in emerging acceptance environments. However, overall enthusiasm is somewhat muted by the fact that EMVCo does not currently specify a QR code solution. Once sanctioned, it is expected that the QR code would include a token cryptogram to protect against reuse and be one-time use or have limited life.
Finally, there’s the merchant’s conundrum about which, if any, of the delivery methods to support. Gone are the days of the old zipzap embossing devices, but magnetic stripe reader-based POS terminals still reign supreme in the U.S. Merchants typically do not invest in new POS technology unless there is a compelling reason, such as the threat of the liability shift, access to a desirable special customer segment (Apple Pay) or widespread demand. With the adoption of the EMV standard in the U.S., retailers will be forced to upgrade their devices at the POS. The problem is determining what should replace that old Verifone Zon JR. What acceptance technology will the merchant need in the next three to five years?
This is a difficult challenge since POS terminal vendors don’t have a crystal ball either and are hedging their bets. Many are introducing the Swiss Army knife-equivalent of a POS terminal in an effort to support the full range of technologies in play. Poynt, for example, is offering a supposedly future-proof terminal that has a hybrid EMV/mag stripe card reader, QR/barcode camera, NFC antenna and Bluetooth antenna.
So, what can we conclude from all of this? The change to the payment ecosystem will be gradual, but is inevitable. With every transaction that migrates to payment tokens, the scope of data breaches will be reduced. But just as the migration from check to magnetic stripe card did not happen overnight, the switch to payment tokens will take time. The EMVCo tokenization framework focused the industry’s mindset. Apple Pay amplified the momentum several fold. Google is attempting to do the same thing with Android Pay, but we will have to wait for the rollout to happen to fully understand the level of impact on consumers and merchants.
Meanwhile, expect to see even more emerging mobile technologies appear on the landscape, including wearables, embeddables and driveables. Many of these innovative products will include payment capabilities, making navigation of this turbulent sea even more of a challenge for companies and their customers. If the digital revolution has taught us anything, it is that wherever the ship of digital payments makes port, it will not be the big tech companies, banks, credit unions, retailers and FinTech suppliers who chart the course. It will be Joan and Joe Main Street, who will weigh their options and choose the answer that best suits their needs for security, control, choice and convenience and then sail for home.