An entire new class of service providers has emerged in the mobile finance and commerce space that appears set to play a critical role in the future development of the mobile payments ecosystem: the tokenization service provider. During and since the launch of Apple Pay, Apple has made much of the increased level of security that Apple Pay offers to consumers, hoping to take advantage of the supposed increased levels of insecurity that resulted from the major data breaches at a number of big name retailers such as Target and Home Depot. During an Apple Pay transaction, the actual credit card number is never passed from the consumer to the merchant, and instead a one-time token is generated that can be identified by the issuing bank and associated with the correct account. (For a more detailed explanation of how Apple Pay works in practice, see this previous Mondato Insight). And unlike when you lose your wallet, if you were to lose your iPhone with Apple Pay, you wouldn’t have to cancel your credit cards, because the thief or finder would have no access to them.
In this regard, digital tokens are no different from analogue tokens: they are something of low (or no) value that is a representation of something with a high value, like a casino chip or a coupon for a free dessert. And looking beyond mobile payments, tokens and tokenization look set to become an increasingly important part of the retail purchase process by removing the unique and sensitive credit card information contained on a mag stripe (or EMV chip), and replacing it with a unique string of numbers that is useless if compromised or stolen.
Tokenization technologies have advanced rapidly over just a few years. Somewhat ironically, tokenization emerged initially as a solution to problems raised by Host Card Emulation, as card companies attempted to wrest control of the mobile payment process away from the mobile network operators who were the gatekeepers to the secure element in the mobile device. Once thought to be the next big thing in mobile payments that would consign secure element-based NFC to the scrapheap, HCE’s future looks rather more uncertain after Apple developed an entire mobile payments ecosystem that revolved around the secure element in their phones, and which involved banks, card issuers and merchants from the beginning. Along the way tokenization made the leap from HCE to NFC.
Getting Into the Tokens Game
Such is the growing importance of this element of the payments ecosystem that in early 2014 the Clearing House Payments Company (TCH) (the private company owned by the major U.S. banks that operates the country’s payment system infrastructure) called for the development of common tokenization standards for the U.S. payments industry. EMVCo (the company that manages the common standard for ‘EMV’ payment cards; originally Europay, Mastercard and Visa, but now also including JCB, American Express, China Union Pay and Discover) has also been working since mid-2013 to develop a tokenization standard to facilitate the tokenization of credit and debit card payments made via mobile devices or online.
In an additional irony, the move in the United States towards the adoption of the EMV card standard (which will reach its dénouement on October 1st with the “great liability shift”) has accelerated the need for the development of tokenization standards or some other security measure that will help combat online card fraud. For while the adoption of EMV has had a dramatic effect in Europe and elsewhere on in-person fraud levels on retail premises, it has also resulted in a dramatic spike in online fraud, as fraudsters simply channeled their efforts in a new direction. As a 2012 study paper by the Federal Reserve Bank of Atlanta on the effects of EMV observed, “Few viable chip-and-PIN solutions for online merchants have emerged, leading to the migration of fraud to the CNP [card not present] channel.” From the vantage point of 2015, tokenization has emerged as a viable solution for online merchants, if industry efforts at standardizing the process prove to be successful. But with TCH and EMVCo strongly committed to driving the standardization process forward, there is little reason to believe that this will not be the case.
Cumulatively, all this means that tokens are hot right now, and are set to move from a fairly obscure technical area of payments technology offered by merchant acquirers and other vendors to being an essential element in the consumer-merchant payment card relationship, and with that, big business. That shift is best exemplified by EMVCo’s move into the space. And card companies have not just been inserting themselves into the tokenization standard development process: Visa and MasterCard launched their own tokenization services in 2014, seeing big opportunities for significant revenue streams from tokenization, and American Express shortly followed suit. The initial fees announced by MasterCard in the summer of 2014 included a “Digital Enablement Service Lifetime Management” fee that issuers were to pay at the rate of 10 cents per primary account number (PAN). Additionally there will be a 50-cent “digitization” fee each time a mobile device is provisioned with a token, and 2.5 cents for calls to the “alternate network API”. Acquirers will also be required to pay a Digital Enablement Fee of 0.01% of volume for CNP transactions. Merchants are said to be unhappy with Visa and MasterCard’s moves towards turning an aspect of security into a revenue stream, and there are fears that they will use their size and muscle to dominate the provision of token vaults (where the mapping information that links the token to a PAN is stored). Merchants worry that this will give them even less of a voice than they have now when it comes to the card companies raising their fees for the services.
The $64,000 Question
There do exist, however, alternatives to the token vaults provided by Visa and MasterCard. Numerous technology providers offer tokenization products and services. Moreover, the more recent developments in this area have seen the arrival of “vault-less” tokenization solutions that operate on the basis of token-account relationships derived from calculations based on some secret value. Vault-less tokens represent a major step forward in this technology’s development, but it is unlikely to be the last. For that to happen, however, industry standards need to be put in place that allow all token service providers to operate on the same footing, thereby increasing competition and hopefully keeping down prices and encouraging further innovation. The role of tokens in mobile payments is secure. The real battle lies in the tokenization process’s battle with CNP online fraud. And that would then make the $64,000 question (or indeed rather a great deal more), where will fraud migrate to after that? For whoever can anticipate the answer to that question and develop a technology to combat it, they should be able to accumulate a large number of money tokens in the process.
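The difference between a token vault and a “vault-less” scheme, as an added example that is not part of the original article and not any provider's code: the vault issues random tokens and stores the token-to-PAN mapping, while the vault-less version derives the token from the PAN with a keyed calculation. The Feistel construction, the names `TokenVault`, `vaultless_tokenize` and `vaultless_detokenize`, and the sample PAN are assumptions chosen for illustration; this is a teaching toy, not a standardized format-preserving cipher.

```python
import hashlib
import hmac
import secrets

ROUNDS = 8  # even, so the two halves return to their original widths
SAMPLE_PAN = "4111111111111111"  # constructed test number, not a real account


class TokenVault:
    """Vaulted: tokens are random; only the stored mapping links token to PAN."""

    def __init__(self):
        self._token_to_pan = {}

    def tokenize(self, pan: str) -> str:
        while True:
            token = "".join(secrets.choice("0123456789") for _ in pan)
            if token != pan and token not in self._token_to_pan:
                self._token_to_pan[token] = pan
                return token

    def detokenize(self, token: str) -> str:
        return self._token_to_pan[token]  # KeyError: token was never issued


def _f(key: bytes, rnd: int, half: str, width: int) -> int:
    """Keyed round function: HMAC-SHA256 reduced to `width` decimal digits."""
    mac = hmac.new(key, bytes([rnd]) + half.encode(), hashlib.sha256).digest()
    return int.from_bytes(mac, "big") % 10 ** width


def vaultless_tokenize(key: bytes, pan: str) -> str:
    """Vault-less: Feistel network over the digits; nothing is stored."""
    if not pan.isdigit() or len(pan) < 2:
        raise ValueError("PAN must be at least two decimal digits")
    left, right = pan[: len(pan) // 2], pan[len(pan) // 2 :]
    for rnd in range(ROUNDS):
        mixed = (int(left) + _f(key, rnd, right, len(left))) % 10 ** len(left)
        left, right = right, str(mixed).zfill(len(left))
    return left + right


def vaultless_detokenize(key: bytes, token: str) -> str:
    """Run the rounds backwards; only a holder of `key` can do this."""
    left, right = token[: len(token) // 2], token[len(token) // 2 :]
    for rnd in reversed(range(ROUNDS)):
        mixed = (int(right) - _f(key, rnd, left, len(right))) % 10 ** len(right)
        left, right = str(mixed).zfill(len(right)), left
    return left + right
```

The security trade-off shows in what must be protected: the vault's mapping table in the first case, a single secret key in the second, whose compromise would reverse every token ever issued under it.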
©Mondato 2015.