Token Talk: Demystifying Tokenized Card Payments for Modern Issuers

In our previous blog, we understood how critical the ISO 8583 message protocol is in standardizing information exchange between the multiple entities involved in a card payment: Merchants, Acquirers, Schemes, and Issuers. We also saw, using a raw ISO 8583 message, how exactly critical card and transaction data is transferred. For example, data field 2 contains PAN (the actual card number), data field 14 (Expiration Date) contains the card expiry, data field 44 (Additional Response Code) contains card CVV, etc. 

As you can imagine, the impact of this data falling into the wrong hands is severe. Data breach concerns have driven the growing adoption of tokenization in card payments, which is essentially a method of replacing cardholders’ sensitive PAN information with a unique alternative value for in-store and online transactions. Today, tokenized payment transactions are becoming mainstream, with Juniper Research estimating that tokenized payments will exceed $1 trillion in value globally by 2026¹. 

In this context, enabling tokenized card payments has become a critical requirement for issuers, offering a range of business benefits – but also posing some technological challenges. We present a simplified overview of tokenized transactions, and the implications for issuers.

Tokenized card transactions

Fraudsters use multiple tricks to obtain access to card information. They install card skimmers at POS or ATM terminals and use phishing, vishing, and social engineering to trick customers. An interesting question to ask is: What would happen if the most valuable data (card number and card expiry) to the fraudster in the payment is completely removed and replaced with similar-looking information? In such a scenario, fraudsters will find very little value from the compromised information. That is exactly what tokenization of card payments does. Replace the PAN (primary account number) with a unique alternative value: a payment token.

The payment tokenization specification was first published by EMVCo in March 2014 [EMVCo is a global organization that was established by major payment card brands, including Europay, Mastercard, Visa, JCB, American Express, and UnionPay to manage and enhance specifications for payment systems worldwide]. It defined Payment Tokenization as, “the process of replacing a Primary Account Number (PAN) and PAN Expiry Date with unique alternative values that can be defined in where and how it is used”. For example, it could be designed to be used only at a single specific merchant; only on/with a unique consumer device; and/or only with a specific transaction type. The specification can be accessed here.

Image 1 shows a typical information exchange during a card payment looks like without and with tokenization.

Image 1

As you can see, the usage of card account number (and even the card expiry) is eliminated in a large part of the information exchange chain. A token service provider (TSP) is responsible for generating as well as storing these tokens. The network scheme (Visa, MasterCard, EuroPay, etc) converts the token back to the PAN using the TSP before letting the issuer conduct all checks to determine whether the payment should be authorized or not.

What this means, however, is that the merchant needs to have the token for the corresponding card being used by the cardholder. That brings us to a new role in the tokenization ecosystem: the token requestor (TR). A token requestor registers with token service providers in order to request payment tokens on behalf of the merchant. For every card that needs to be tokenized, TRs fetch the token for a given PAN once before initiating a tokenized payment (Image 2).

Image 2

Token provisioning and token lifecycle management by issuers

In order to enable tokenized card payments, the EMVCo specifies the following entities for the payment information exchange: 

• Token Service Provider (TSP): The TSP is responsible for generating a secure token, its distribution and management, as well as providing APIs and integration tools so issuers can connect to their systems. Issuers typically partner with technology providers to offer TSP services. Even network schemes offer TSP services.
• Token Requestor (TR): TRs manage the token requests at the start of a transaction. Merchants typically work with payment aggregators or payment service providers for TR services. 

Every TSP and TR needs to be registered with EMVCo and are allotted unique identification IDs. Image 3 presents an entity view of tokenization.

Image 3

Now let’s understand the specific role of the issuer in enabling tokenized card payments. 

1. Cardholder Onboarding: Onboarding cardholders, verifying their identity, and obtaining consent for tokenization
2. Identity Verification and Authorization: Authenticating cardholder identity during a transaction and verifying their eligibility for tokenization.
3. Token Provisioning: Handling tokenization requests and provisioning the token
4. Lifecycle Management: Handling activation, updates, and changes to tokens based on changes in card or cardholder details, deactivation, and revocation, as well as the monitoring and reporting of all tokens on their system

Benefits of tokenization

Tokenization benefits all players in the payments ecosystem.

1. Merchants
   1. helps make them less of a criminal target and minimizes the impact of any payment data compromise
   2. potentially reduces costs associated with storing and protecting PANs that merchants otherwise have to undertake
   3. enables friction-free, single-click transactions with card-on-file tokenization, improving authorization rates by 2.1% for merchants² 
2. Cardholders
   1. reduces the impact from data compromise affecting payment tokens compared to when a card number (PAN) is exposed
3. Issuers
   1. reduces fraud rates by 26%³
   2. reduces the impact of data compromise
   3. can reduce card replacements (even if a payment token is compromised, the actual card can still be used)
   4. enables the ability to control and replace EMV Payment Tokens for specific merchants, devices, or transaction types, often without any interaction with the cardholder

Preparing for a tokenized future of payments

Enabling tokenization for cardholder payments is table stakes for issuers today. As of 2021, Visa estimated that over 95% of all North American payment volume was already enabled by issuers to support digital tokenization⁴. By enabling tokenization, issuers can dramatically reduce the risk and impact of data breaches. Since actual card details are never stored by merchants, issuers can offer industry-standard secure payments, both online and offline, to their customers. Importantly, tokenization also plays an important role in enabling innovative payment use cases like card-on-file tokenization and tap-n-pay with mobile devices. Watch this space for our next blog, where we dive into contactless payments that use device tokenization, and the opportunities this opens up for issuers.

And talk to us to know how Zeta accelerates issuer adoption of tokenization!

Footnotes

1. Juniper Research, Tokenized Payment Transactions to Exceed 1 Trillion Globally by 2026 | July 2022
2. Visa, Convenience and Control: Embedding Tokenization in Everyday Commerce | April 2021
3. Visa, Convenience and Control: Embedding Tokenization in Everyday Commerce | April 2021
4. Visa, Convenience and Control: Embedding Tokenization in Everyday Commerce | April 2021