SlideShare a Scribd company logo

Tokenization and Protection of Card Data for Online Payments

Smart Payment Association
Smart Payment Association

Tokenization in payments has been around for years. However, in recent months tokenization has once again become a buzzword within the financial industry which is looking to add tokens to the list of alternative payment methods using card data (cloud-based accounts, mobile wallets, Google HCE). The SPA considers that what’s different this time round is the standardization efforts taking place for online payments using tokens (for example, EMVCo, US Clearing House and new ANSI X.9 standard, PCI-DSS) and the fact that these efforts are being aligned with upcoming legal frameworks for e-commerce, m-commerce and data protection in several regions of the world. However, it is not always clear how these new payment methods are positioned with respect to existing card payments; in other words, whether these are complementary or a replacement. Are these new payment methods and technical drivers bound to make profound changes in the way we do payments? The SPA’s opinion is that payment innovation breakthrough is only possible when both trust and convenience are achieved. Yet trust and convenience must be compatible with a business case for the issuers of new payment methods. Finally, the terminology used for tokens is not always consistent, which in turn contributes to the generation of additional confusion. For instance, what do we really mean by “tokens”? In this paper, the SPA discusses the business and technical drivers for tokenization, provides initial feedback on the EMVCo Draft Framework for tokenization, and suggests ways to develop secure and interoperable online payments with a great user experience.

TechnologyEconomy & FinanceBusiness
1 of 13
Download to read offline
shaping the future of payment technology SPA Position on e/m-Commerce & Tokenisation Sylvie Gibert SPA Board President
shaping the future of payment technology Who we are The Smart Payment Association addresses the challenges of today’s evolving payment ecosystem. We offer leadership and expert guidance to help members and their financial institution customers realize the opportunities of smart, secure and personalized payment systems and services - both now and in the future. Since 2004 Members:
shaping the future of payment technology3 How we do it  By delivering the market’s most accurate barometer of payment trends  An annual analysis of payment trends based on actual manufacturer sales data  SPA members 85% of the total smart payments card market  By supporting the creation and adoption of standards and best practice  EPC-CSG/SEPA: Card Representative and Vendor Sector Spokeperson, Chair of the CSG Task Force to specify the SEPA functional and security requirements for emergent & remote payments ( Internet + Mobile), Convenor of the new CSG Expert Team on Card Innovative Payments, Member of the Preparatory Committee of the SEPA Security Certification Management Body  EMVCo: Technical Associate and Board Advisor for Card Sector  By extending expert advice and support across the payments ecosystem  An eye-growing library of expert technical resources and thought leadership collaterals to shape the future of payment  Taskforce “The Quadrant” to workout concepts for next payment generation
shaping the future of payment technology4 The rise of e- and m-payments – more payments channels and non-bank providers Source: World Payments Report 2013 CAGR 2010-14 58,5% Non-Bank Providers 92,3% Bank Providers 55,4%  Driven by smart devices & connectivity  Convenience and innovation  New players and new usages  Leading to asymmetry and fragmentation  Need for accelerated standardization
shaping the future of payment technology5 In e-Commerce channel the card-not-present fraud (CNP) is dominant and further increasing  Total level of fraud has reduced overall for the SEPA region  However, card-not- present transactions now represent the biggest share and the biggest growth in terms of fraud  Most of fraudulent F2F transactions with EU cards took place outside the EU  Top 6 locations: USA, Dominican Republic, Colombia, Russian Federation, Brazil, Mexico) – Source: Europol Source: ECB - Second report on card fraud, July 2013 56 %CNP Value in millions of EUR / % Evolution of the total value of card fraud using cards issued within SEPA 1) Transactions (millions) / % 60 %CNP CPSs: Card Payment Schemes
shaping the future of payment technology6 Card technology to fight CNP fraud- Why ?  Chip & PIN EMVCo specifications means worldwide interoperability, security and convenience for F2F transactions  Interoperability drives security  Without convenience no adoption by users  Trade-Off security –convenience was found for Chip&PIN F2F payment contexts  Different card form factors for « fixed » or « mobile » personal devices  A rational way to come along is to export the basic security concepts of F2F transactions to the online payment context, meaning:  The card and card data are to be authenticated  The cardholder is to be authenticated  The transaction terms are to be certified by the card  Reuse existing card payment infrastructures  The risks for the users of electronic payment means should be equivalent regardless of the channel chosen to pay
shaping the future of payment technology7 Several Relevant CNP solutions , but …  A way is by using a personal reader connected to your PC and browser to pay with your card at home as you do in a physical shop  OTP generation using a card also requires an additional device and solutions are proprietary, more suitable for e-banking  3D-Secure enables a more trusted cardholder authentication  But implementations have very different levels of security  Different adoption rates  At present however, most CNP solutions require the manual entry of visible card data but …. the card was not invented for that purpose !  The static card sensitive data can be captured for fraudulent purposes  The cardholder authentication requires the use of an additional channel (eg, 3D Secure)  Online retailers need to go through complex and expensive PCI-DSS certification  Manual Entry is inconvenient specially in a mobile device  Tokenisation is now being pushed by big players as EMVCo
shaping the future of payment technology8 What’s Tokenisation about ?  Usually the Token is a standard Card Data structure but where the original card data (PAN, Expiry Date, CVV) are replaced digit by digit  The structure of the card data is maintained so the token may be routed using payment system protocols  However, in order to be routed to the right Issuer the IIN part of the PAN is the same than in the original PAN  Example: May 2014 - Tokenization Original Funding card : 5123 4912 3756 1890 08/12 123 Token PAN: 5123 4963 4909 3549 10/10 375 IIN PAN Token PAN CVVExpiration Date Token Expiration Date
shaping the future of payment technology9 Tokenisation overview  Both, merchants and cardholders have to be enrolled  The token generation is requested in principle by the merchant, but it could also be requested by the cardholder  The aim of tokenization is to remove the card information from the merchant environment as completely and quickly as possible  Address the root cause of data security issues  Maintains existing business processes  The token can be used just like the original card number for returns, sales reports, marketing analysis, recurring payments, and so on  Can’t be used for a fraudulent transaction outside the merchant environment May 2014 - Tokenization
shaping the future of payment technology10 What challenges for EMVCo Tokenization?  Develop an effective technical solution  Appropriate choice the underlying technology  Right tradeoff enhanced security with ease of purchase  Integrated in existing mobile payment systems ( see next slide)  How to integrate tokenization in a mobile wallet ?  Enabling for competition between EMVCo members anyway, and with solutions from disruptive players  Time-to-market: how long will take the standard to be published ?  Certification and Type approval procedures to be agreed and put in place  Incentive retailers to sign on (liability shifts, other advantages )  Incentive consumers adopting May 2014 - Tokenization
shaping the future of payment technology11 Customer- Merchant Domain Token Service Provider Domain 2. Generate Token (PAN) 1. PAN 4. Token 5. AUTH Request (Token) 3. Strong User Authentication Card Issuer Domain 6. AUTH Request (PAN) Interoperability Architecture compatible with existing card payment systems May 2014 - Tokenization
shaping the future of payment technology12 But …. Key security issues to be addressed  where the token will be generated  which party will secure the token  which methods to identify and verify a user before issuing a token  what form will the actual token take  which security properties for the token  which lifecycle for the token  standard distinguishability mechanism  new data fields for richer transactional information to help improve fraud detection and expedite approval  common API for tokenisation request and redeem May 2014 - Tokenization
shaping the future of payment technology13 … and SPA recommends:  Security, interoperability, good user experience and a robust business model for the token issuer and the other players of the tokenization framework  Specify the security services required for the generation and operation of tokens, as well as the certification framework for components of the framework  Specify early the security properties to be featured by the token  Standardize protocols and message structures on the retailer to Trusted Service Provider  Mandate strong cardholder authentication to protect tokens for high value transaction  Position the Secure Element for cardholder authentication, storage and generation of tokens  Better collaboration between PCI, EMVCo and ANSI X.9 in order to avoid different standards covering the same needs Download our Tokenization whitepaper on www.smartpaymentassociation.com

Recommended

CARTES2015 PEP Card - FINAL
CARTES2015 PEP Card - FINALCARTES2015 PEP Card - FINAL
CARTES2015 PEP Card - FINAL
Milos Dunjic
 
Mobile Payment Security Trends for the Future
Mobile Payment Security Trends for the FutureMobile Payment Security Trends for the Future
Mobile Payment Security Trends for the Future
First American Payment Systems
 
Ken Smith - Tokenization
Ken Smith - TokenizationKen Smith - Tokenization
Ken Smith - Tokenization
Source Conference
 
1.1. menjelas kan pengertian internet intranet 2
1.1. menjelas kan pengertian internet intranet 21.1. menjelas kan pengertian internet intranet 2
1.1. menjelas kan pengertian internet intranet 2
Ali Mochtar
 
Minotaur Exploration Project Timelines June 2010
Minotaur Exploration Project Timelines June 2010Minotaur Exploration Project Timelines June 2010
Minotaur Exploration Project Timelines June 2010
Minotaur Exploration
 
White Paper: Tokenization, Credit Card Fraud Prevention, Beyond PCI Measures
White Paper: Tokenization, Credit Card Fraud Prevention, Beyond PCI MeasuresWhite Paper: Tokenization, Credit Card Fraud Prevention, Beyond PCI Measures
White Paper: Tokenization, Credit Card Fraud Prevention, Beyond PCI Measures
Nisum
 
Slideshop lines-and-trends-charts-flat-slideshare
Slideshop lines-and-trends-charts-flat-slideshareSlideshop lines-and-trends-charts-flat-slideshare
Slideshop lines-and-trends-charts-flat-slideshare
SlideShop.com
 
What is Payment Tokenization?
What is Payment Tokenization?What is Payment Tokenization?
What is Payment Tokenization?
Rambus Inc
 

Recommended

CARTES2015 PEP Card - FINAL
CARTES2015 PEP Card - FINALCARTES2015 PEP Card - FINAL
CARTES2015 PEP Card - FINAL
Milos Dunjic
 
Mobile Payment Security Trends for the Future
Mobile Payment Security Trends for the FutureMobile Payment Security Trends for the Future
Mobile Payment Security Trends for the Future
First American Payment Systems
 
Ken Smith - Tokenization
Ken Smith - TokenizationKen Smith - Tokenization
Ken Smith - Tokenization
Source Conference
 
1.1. menjelas kan pengertian internet intranet 2
1.1. menjelas kan pengertian internet intranet 21.1. menjelas kan pengertian internet intranet 2
1.1. menjelas kan pengertian internet intranet 2
Ali Mochtar
 
Minotaur Exploration Project Timelines June 2010
Minotaur Exploration Project Timelines June 2010Minotaur Exploration Project Timelines June 2010
Minotaur Exploration Project Timelines June 2010
Minotaur Exploration
 
White Paper: Tokenization, Credit Card Fraud Prevention, Beyond PCI Measures
White Paper: Tokenization, Credit Card Fraud Prevention, Beyond PCI MeasuresWhite Paper: Tokenization, Credit Card Fraud Prevention, Beyond PCI Measures
White Paper: Tokenization, Credit Card Fraud Prevention, Beyond PCI Measures
Nisum
 
Slideshop lines-and-trends-charts-flat-slideshare
Slideshop lines-and-trends-charts-flat-slideshareSlideshop lines-and-trends-charts-flat-slideshare
Slideshop lines-and-trends-charts-flat-slideshare
SlideShop.com
 
What is Payment Tokenization?
What is Payment Tokenization?What is Payment Tokenization?
What is Payment Tokenization?
Rambus Inc
 
How we will be paying in 2020 - SPA Technical Director, Lorenzo Gaston at EPC...
How we will be paying in 2020 - SPA Technical Director, Lorenzo Gaston at EPC...How we will be paying in 2020 - SPA Technical Director, Lorenzo Gaston at EPC...
How we will be paying in 2020 - SPA Technical Director, Lorenzo Gaston at EPC...
Smart Payment Association
 
Contactless payment and US chip-and-PIN adoption drives smart card growth in ...
Contactless payment and US chip-and-PIN adoption drives smart card growth in ...Contactless payment and US chip-and-PIN adoption drives smart card growth in ...
Contactless payment and US chip-and-PIN adoption drives smart card growth in ...
Smart Payment Association
 
Contactless Card Shipments Jump enabling Shoppers Take Advantage of Everyday ...
Contactless Card Shipments Jump enabling Shoppers Take Advantage of Everyday ...Contactless Card Shipments Jump enabling Shoppers Take Advantage of Everyday ...
Contactless Card Shipments Jump enabling Shoppers Take Advantage of Everyday ...
Smart Payment Association
 
The Multichannel Issues and Opportunities of EMV 2.0
The Multichannel Issues and Opportunities of EMV 2.0The Multichannel Issues and Opportunities of EMV 2.0
The Multichannel Issues and Opportunities of EMV 2.0
Smart Payment Association
 
Unleashing The Power of Smart Payment - Contactless
Unleashing The Power of Smart Payment - ContactlessUnleashing The Power of Smart Payment - Contactless
Unleashing The Power of Smart Payment - Contactless
Smart Payment Association
 
SPA Futureproofing your payments at RBTE 2013 in London this week
SPA Futureproofing your payments at RBTE 2013 in London this weekSPA Futureproofing your payments at RBTE 2013 in London this week
SPA Futureproofing your payments at RBTE 2013 in London this week
Smart Payment Association
 
SPA Explains EMV2.0 Vision at Cartes 12
SPA Explains EMV2.0 Vision at Cartes 12SPA Explains EMV2.0 Vision at Cartes 12
SPA Explains EMV2.0 Vision at Cartes 12
Smart Payment Association
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
Enterprise Knowledge
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
RTylerCroy
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
The Digital Insurer
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
The Digital Insurer
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Katpro Technologies
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
Igalia
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
Michael W. Hawkins
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
praypatel2
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Igalia
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
Anna Loughnan Colquhoun
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
wesley chun
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
HampshireHUG
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
Enterprise Knowledge
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
Results
 

More Related Content

More from Smart Payment Association

How we will be paying in 2020 - SPA Technical Director, Lorenzo Gaston at EPC...
How we will be paying in 2020 - SPA Technical Director, Lorenzo Gaston at EPC...How we will be paying in 2020 - SPA Technical Director, Lorenzo Gaston at EPC...
How we will be paying in 2020 - SPA Technical Director, Lorenzo Gaston at EPC...
Smart Payment Association
 
Contactless payment and US chip-and-PIN adoption drives smart card growth in ...
Contactless payment and US chip-and-PIN adoption drives smart card growth in ...Contactless payment and US chip-and-PIN adoption drives smart card growth in ...
Contactless payment and US chip-and-PIN adoption drives smart card growth in ...
Smart Payment Association
 
Contactless Card Shipments Jump enabling Shoppers Take Advantage of Everyday ...
Contactless Card Shipments Jump enabling Shoppers Take Advantage of Everyday ...Contactless Card Shipments Jump enabling Shoppers Take Advantage of Everyday ...
Contactless Card Shipments Jump enabling Shoppers Take Advantage of Everyday ...
Smart Payment Association
 
SPA Futureproofing your payments at RBTE 2013 in London this week
SPA Futureproofing your payments at RBTE 2013 in London this weekSPA Futureproofing your payments at RBTE 2013 in London this week
SPA Futureproofing your payments at RBTE 2013 in London this week
Smart Payment Association
 

More from Smart Payment Association (7)

How we will be paying in 2020 - SPA Technical Director, Lorenzo Gaston at EPC...
How we will be paying in 2020 - SPA Technical Director, Lorenzo Gaston at EPC...How we will be paying in 2020 - SPA Technical Director, Lorenzo Gaston at EPC...
How we will be paying in 2020 - SPA Technical Director, Lorenzo Gaston at EPC...
 
Contactless payment and US chip-and-PIN adoption drives smart card growth in ...
Contactless payment and US chip-and-PIN adoption drives smart card growth in ...Contactless payment and US chip-and-PIN adoption drives smart card growth in ...
Contactless payment and US chip-and-PIN adoption drives smart card growth in ...
 
Contactless Card Shipments Jump enabling Shoppers Take Advantage of Everyday ...
Contactless Card Shipments Jump enabling Shoppers Take Advantage of Everyday ...Contactless Card Shipments Jump enabling Shoppers Take Advantage of Everyday ...
Contactless Card Shipments Jump enabling Shoppers Take Advantage of Everyday ...
 
The Multichannel Issues and Opportunities of EMV 2.0
The Multichannel Issues and Opportunities of EMV 2.0The Multichannel Issues and Opportunities of EMV 2.0
The Multichannel Issues and Opportunities of EMV 2.0
 
Unleashing The Power of Smart Payment - Contactless
Unleashing The Power of Smart Payment - ContactlessUnleashing The Power of Smart Payment - Contactless
Unleashing The Power of Smart Payment - Contactless
 
SPA Futureproofing your payments at RBTE 2013 in London this week
SPA Futureproofing your payments at RBTE 2013 in London this weekSPA Futureproofing your payments at RBTE 2013 in London this week
SPA Futureproofing your payments at RBTE 2013 in London this week
 
SPA Explains EMV2.0 Vision at Cartes 12
SPA Explains EMV2.0 Vision at Cartes 12SPA Explains EMV2.0 Vision at Cartes 12
SPA Explains EMV2.0 Vision at Cartes 12
 

Recently uploaded

The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
Enterprise Knowledge
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
Igalia
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Igalia
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
Enterprise Knowledge
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
Delhi Call girls
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
Safe Software
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
vu2urc
 

Recently uploaded (20)

The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 

Tokenization and Protection of Card Data for Online Payments

  • 1. shaping the future of payment technology SPA Position on e/m-Commerce & Tokenisation Sylvie Gibert SPA Board President
  • 2. shaping the future of payment technology Who we are The Smart Payment Association addresses the challenges of today’s evolving payment ecosystem. We offer leadership and expert guidance to help members and their financial institution customers realize the opportunities of smart, secure and personalized payment systems and services - both now and in the future. Since 2004 Members:
  • 3. shaping the future of payment technology3 How we do it  By delivering the market’s most accurate barometer of payment trends  An annual analysis of payment trends based on actual manufacturer sales data  SPA members 85% of the total smart payments card market  By supporting the creation and adoption of standards and best practice  EPC-CSG/SEPA: Card Representative and Vendor Sector Spokeperson, Chair of the CSG Task Force to specify the SEPA functional and security requirements for emergent & remote payments ( Internet + Mobile), Convenor of the new CSG Expert Team on Card Innovative Payments, Member of the Preparatory Committee of the SEPA Security Certification Management Body  EMVCo: Technical Associate and Board Advisor for Card Sector  By extending expert advice and support across the payments ecosystem  An eye-growing library of expert technical resources and thought leadership collaterals to shape the future of payment  Taskforce “The Quadrant” to workout concepts for next payment generation
  • 4. shaping the future of payment technology4 The rise of e- and m-payments – more payments channels and non-bank providers Source: World Payments Report 2013 CAGR 2010-14 58,5% Non-Bank Providers 92,3% Bank Providers 55,4%  Driven by smart devices & connectivity  Convenience and innovation  New players and new usages  Leading to asymmetry and fragmentation  Need for accelerated standardization
  • 5. shaping the future of payment technology5 In e-Commerce channel the card-not-present fraud (CNP) is dominant and further increasing  Total level of fraud has reduced overall for the SEPA region  However, card-not- present transactions now represent the biggest share and the biggest growth in terms of fraud  Most of fraudulent F2F transactions with EU cards took place outside the EU  Top 6 locations: USA, Dominican Republic, Colombia, Russian Federation, Brazil, Mexico) – Source: Europol Source: ECB - Second report on card fraud, July 2013 56 %CNP Value in millions of EUR / % Evolution of the total value of card fraud using cards issued within SEPA 1) Transactions (millions) / % 60 %CNP CPSs: Card Payment Schemes
  • 6. shaping the future of payment technology6 Card technology to fight CNP fraud- Why ?  Chip & PIN EMVCo specifications means worldwide interoperability, security and convenience for F2F transactions  Interoperability drives security  Without convenience no adoption by users  Trade-Off security –convenience was found for Chip&PIN F2F payment contexts  Different card form factors for « fixed » or « mobile » personal devices  A rational way to come along is to export the basic security concepts of F2F transactions to the online payment context, meaning:  The card and card data are to be authenticated  The cardholder is to be authenticated  The transaction terms are to be certified by the card  Reuse existing card payment infrastructures  The risks for the users of electronic payment means should be equivalent regardless of the channel chosen to pay
  • 7. shaping the future of payment technology7 Several Relevant CNP solutions , but …  A way is by using a personal reader connected to your PC and browser to pay with your card at home as you do in a physical shop  OTP generation using a card also requires an additional device and solutions are proprietary, more suitable for e-banking  3D-Secure enables a more trusted cardholder authentication  But implementations have very different levels of security  Different adoption rates  At present however, most CNP solutions require the manual entry of visible card data but …. the card was not invented for that purpose !  The static card sensitive data can be captured for fraudulent purposes  The cardholder authentication requires the use of an additional channel (eg, 3D Secure)  Online retailers need to go through complex and expensive PCI-DSS certification  Manual Entry is inconvenient specially in a mobile device  Tokenisation is now being pushed by big players as EMVCo
  • 8. shaping the future of payment technology8 What’s Tokenisation about ?  Usually the Token is a standard Card Data structure but where the original card data (PAN, Expiry Date, CVV) are replaced digit by digit  The structure of the card data is maintained so the token may be routed using payment system protocols  However, in order to be routed to the right Issuer the IIN part of the PAN is the same than in the original PAN  Example: May 2014 - Tokenization Original Funding card : 5123 4912 3756 1890 08/12 123 Token PAN: 5123 4963 4909 3549 10/10 375 IIN PAN Token PAN CVVExpiration Date Token Expiration Date
  • 9. shaping the future of payment technology9 Tokenisation overview  Both, merchants and cardholders have to be enrolled  The token generation is requested in principle by the merchant, but it could also be requested by the cardholder  The aim of tokenization is to remove the card information from the merchant environment as completely and quickly as possible  Address the root cause of data security issues  Maintains existing business processes  The token can be used just like the original card number for returns, sales reports, marketing analysis, recurring payments, and so on  Can’t be used for a fraudulent transaction outside the merchant environment May 2014 - Tokenization
  • 10. shaping the future of payment technology10 What challenges for EMVCo Tokenization?  Develop an effective technical solution  Appropriate choice the underlying technology  Right tradeoff enhanced security with ease of purchase  Integrated in existing mobile payment systems ( see next slide)  How to integrate tokenization in a mobile wallet ?  Enabling for competition between EMVCo members anyway, and with solutions from disruptive players  Time-to-market: how long will take the standard to be published ?  Certification and Type approval procedures to be agreed and put in place  Incentive retailers to sign on (liability shifts, other advantages )  Incentive consumers adopting May 2014 - Tokenization
  • 11. shaping the future of payment technology11 Customer- Merchant Domain Token Service Provider Domain 2. Generate Token (PAN) 1. PAN 4. Token 5. AUTH Request (Token) 3. Strong User Authentication Card Issuer Domain 6. AUTH Request (PAN) Interoperability Architecture compatible with existing card payment systems May 2014 - Tokenization
  • 12. shaping the future of payment technology12 But …. Key security issues to be addressed  where the token will be generated  which party will secure the token  which methods to identify and verify a user before issuing a token  what form will the actual token take  which security properties for the token  which lifecycle for the token  standard distinguishability mechanism  new data fields for richer transactional information to help improve fraud detection and expedite approval  common API for tokenisation request and redeem May 2014 - Tokenization
  • 13. shaping the future of payment technology13 … and SPA recommends:  Security, interoperability, good user experience and a robust business model for the token issuer and the other players of the tokenization framework  Specify the security services required for the generation and operation of tokens, as well as the certification framework for components of the framework  Specify early the security properties to be featured by the token  Standardize protocols and message structures on the retailer to Trusted Service Provider  Mandate strong cardholder authentication to protect tokens for high value transaction  Position the Secure Element for cardholder authentication, storage and generation of tokens  Better collaboration between PCI, EMVCo and ANSI X.9 in order to avoid different standards covering the same needs Download our Tokenization whitepaper on www.smartpaymentassociation.com