Unified Communications, Payments & HPE NonStop Guides | IR

The rise of Tokenized Payments

Written by IR Team | Aug 30, 2016 2:00:00 PM

Digital payments were on the rise well before the start of COVID-19, but the impact of remote working has catapulted a massive shift to digital around the world. The global pandemic has changed the way we live, work and shop — and digital payments have allowed us both necessities and conveniences when we need them most.

In 2017, the global mobile wallets market was worth $368 billion. In the next two years, the value jumped over $745.7 billion. Statistics indicate the unified market is expected to double by 2023, growing by 28.1% to $2.1 trillion value, in terms of compound annual growth rate. Key players are Apple Pay, Google Pay, PayPal, Samsung Pay, Venmo, and Lemon Wallet.

According to Techcrunch.com, 'consumer online spending is up globally, with spend per active card-not-present cardholder up by over 25% in April 2020, compared to January'. With this meteoric rise, comes the potential for increased fraud in a world full of hackers trying to steal personal data.

What is tokenization?

The use of tokens in the digital world came about as a means of replacing sensitive data with a non-sensitive digital equivalent. Digital tokenization was first introduced by TrustCommerce in 2001 as a means of protecting credit card information.

Before tokenization, merchants would store sensitive credit card information on their own servers, which meant that anyone with access to the system could view potentially sensitive information.

Tokenization replaces the Primary Account Number (PAN) with randomized numbers, called tokens, which merchants can reference to allow TrustCommerce to process the payment on their behalf. This process ensures sensitive data is protected from unauthorised sources. Payment tokenization is non-reversible and increases the security of sensitive cardholder data.

Payment tokenization explained

Here’s how payment tokenization helps protect consumers who use tokenizing as a part of their payments, subscription billing and recurring payments methods.

Apple Pay

Once you have taken a picture of your payment card and the card data is loaded into your iPhone, Apple sends the details to the card’s issuing bank or network. This replaces payment card details with a series of randomly generated numbers (or pay tokens). That random number is sent back to Apple, which programs it into the phone. This means that the number stored on the phone can’t be extracted into anything valuable to fraudsters.

Android Pay tokenization

In Android Pay, tokenization works in a similar way. Once your card information has been loaded into the app, Google creates a pay token to represent your account number. This makes it almost impossible for anyone to hack your account and access your actual credit card information.

Apps Tokenization

When you buy something directly from an app on your phone - like clothes, books, furniture or concert tickets, if your phone contains a token, none of these apps have access to your credit card details. Essentially, your bank information is locked and inaccessible to fraudsters. Checking out is also easier, as most apps link directly to your stored delivery information.

eCommerce Tokenization

Online shopping activities are also protected by tokenization. Stores that use card tokenization may never actually see or store the sensitive data, but if someone does gain illegal access to the system, they will only see randomized tokens.

The other great thing about tokenization is that your tokens are different at each online retailer, so in the event of a security breach, all tokens issued to that website will be disabled, alleviating the need for customers to replace their card.

Provisioning & Lifecycle

The lifecycle of tokenization begins when the customer attempts to load a card onto their device.

  • This may be via a vendor app provided on the device, or an app provided by the bank.
  • The verification process – which may be via the token provider as shown in the diagram or often it goes direct to the issuer.
  • Generation of the token and activation of the card for tokenized payments – the final activation step is often used as the metric to track for take up.

Step 1 The Token Request sends a cardholder PAN to the token vault. (i.e. a request)
Step 2 The issuer performs identification and verification (ID&V) and passes those results to the vault. This is known as "binding." This completes the payment token registration. ID&V ensures that the payment token is replacing a PAN that was legitimately being used by the token requestor. ID&V is performed each time a payment token is requested.
Step 3 As part of the Payment Token Evaluation Request Process, the token vault alerts the issue that D&V is needed.
Step 4 The token vault passes the registered payment token to the token requestor, completing the payment process token request.
Source: TSYS Tokenization FAW & General Information

Authorization

In the authorization or transaction process, the challenge is to integrate smoothly into the existing payment flow. When the device is used at a terminal, only a token is delivered to the acquirer, not the actual card number.

The transaction needs to be switched via the acquirer to the token provider where the card number will be retrieved and forwarded to the issuer. At this stage, depending on the provider, other information may be appended to the transaction to give more visibility into other key metrics like the wallet type (Apple, Android, Samsung).

The transaction flows back via the same path. Some companies are both acquirer and issuer, and want to track the whole flow of the transaction.

This includes the first step when the token is delivered to the acquirer, through to the issuer, with the results of the transaction.

Step 1 The cardholder initiates with a payment token, which then passes through the merchant acquires as if it were  PAN.
Step 2 The payment token is de-tokenized into a PAN by the Token Service Proverder (TSP).
Step 3 The PAN and token are sent to the issuer, which makes an authorisation decision.
Step 4 The issuer sends that PAN and authorisation response back to the TSP.
Step 5 The TSP pre-tokenized the PAN.
Step 6 The TSP sends the PAN and authorisation response through the acquirer to the important merchant.
Source: TSYS Tokenization FAW & General Information

Performance management, monitoring and troubleshooting

The payments industry is evolving at lightning speed, with the continuous introduction of new technologies . How can businesses effectively manage booming transactions volumes, emerging technologies, regulatory challenges and higher customer expectations, as well as the ever-increasing risk of fraud? Tokenization now has a firm foothold in the payments space. Without comprehensive performance management, monitoring and troubleshooting your entire payments ecosystem, the gap between technology and banking widens for financial institutions, merchants and acquirers.

IR's Transact suite of solutions simplify the complexity of managing modern payments ecosystems. Bringing real-time visibility to your entire payments environment, Transact uncovers unparalleled insights into transactions and trends to help you streamline the payments experience, turn data into intelligence and assure the payments that keep you in business.

  • A good deployment is the first step towards great cooperation between technology and banking.
  • Banks can engage with younger, tech-savvy customers with financial clout.
  • Overcoming disintermediation can allow banks to re-engage with their customers.
  • A great opportunity to target customers with the most wealth who are open to new ideas about their finances.

  • Frustrated customers who are unlikely continue to use your service
  • Bad press
  • Lack of ROI - the service that you have invested heavily in and hope to realize the benefits of will not occur
  • Frustrated customers are likely to vent on social media as they have done in China
  • A poor deployment and poorly implemented processes with insufficient monitoring will open the door to fraudsters
  • A poor deployment will cost you money and quite possibly customers.

Measures for Success

Start benchmarking during testing, certification and QA

  • Performance of the application enhancements
  • Performance of system and network
  • Response and processing times per device
  • Response times and performance of internal, external and host connections
  • Support for various merchant devices
  • Transaction throughput
  • Speed and performance impact of on-boarding process
  • Response times for tokenization service
  • Capture of standard errors and message

Implement real-time service monitoring

  • Monitor by service ie Apple Pay, Samsung Pay, Android Pay etc
  • Holistic end to end payment transaction monitoring of subcomponents
  • Performance of system and network
  • Response times and availability of internal, external and host connections
  • Transaction volume and throughput
  • Speed and performance impact of on boarding process
  • Response times for tokenization service
  • Capture of standard errors and messages

Compare tokenized transactions performance to existing transaction performance

  • Response times of new transactions
  • Decline and approval rates
  • Number of tokenized transactions versus activation transactions
  • Transaction hot spots and purchasing patterns
  • Impact of activations against switch performance
  • Mapping of activations to purchase transaction to lifecycle transactions
  • Comparing wallet types
  • Apple Pay
  • Samsung Pay
  • Android Pay

Speed troubleshooting and service recovery

  • Merchant terminal, location
  • BIN
  • Token service
  • Wallet type
  • Activation problems
  • Correlate to infrastructure problems
  • Historical analysis and retrospective trending

Deploy service reporting

  • Wallet transaction by credit and debit cards
  • Wallet spend by credit and debit
  • Average transaction size
  • In app versus POS versus peer to peer
  • Number of provision cards
  • Usage report - active versus provisioned
  • Active users and transaction performed
  • Merchant reports
  • Transaction failure report
  • Comparison against non wallet transactions

IR's Transact suite of solutions simplify the complexity of managing modern payments ecosystems. With the increased use of card tokenization, bringing real-time visibility to your entire payments environment, Transact uncovers unparalleled insights into transactions and trends to help you streamline the payments experience, turn data into intelligence and assure the payments that keep you in business.

You may download this checklist by clicking the button below