Visa begins tokenisation roll out

Visa has taken advantage of the hoopla surrounding Apple's application of digital account tokens to replace card numbers for online and mobile purchasing by initiating the roll out of its Token Service to US clients.

  22 12 comments

Visa begins tokenisation roll out

Editorial

This content has been selected, created and edited by the Finextra editorial team based upon its relevance and interest to our community.

Visa Token Service replaces sensitive payment account information found on plastic cards with a digital account number or 'token'. Because tokens do not carry a consumer's payment account details, such as the 16-digit account number, they can be safely stored by online merchants or on mobile devices to for e-commerce and mobile payments.

The release of the service has been given added urgency by a spate of successful hacks on merchant card data stores, such as the recent plundering of card account data at Home Depot and Target.

Visa Tokens will be made available to issuing financial institutions globally, starting with US banks next month, and followed by a phased roll-out overseas beginning in 2015. The technology has been designed to support payments with mobile devices using all major mobile platforms.

Ryan McInerney, president, Visa Inc. says: "More than 750 staff from across the Visa organisation globally were involved in the effort, working closely with our initial launch partners - financial institutions, merchants and processors - to ensure the ecosystem was ready. Today, we are making these services available to our clients, and believe it will help transform connected devices and wearables into secure payment vehicles."

MasterCard has its own equivalent Digital Enablement Service, which will be released outside of the US in 2015.

Sponsored [Webinar] Operational Resilience in the age of DORA

Comments: (12)

Vernon Crabtree

Vernon Crabtree Test automation architect at My comments are my own

"will be made available to issuing financial institutions globally" - I'm a bit confused.

The way I understood it worked was such that the issuing financial institution does not need to know about the token.  They may, however, choose to be aware of it.

The tokens are created/requested by Merchants or device makers (indeed mobile handset makers) to protect the cardholder data.

It is liablity shift associated with EMV that will drive Merchants to want tokenisation to protect themselves.  This may also drive adoption of acceptance of new tokens (such as mobile phones).

 

A Finextra member 

I think the card number stays with issuers. What passes through the ecosystem ie mobile devices, nfc terminals , processors , acquirers and finally the issuers is just the token. The onus is on issuers to match tokens to card numbers.

Apple pay, I believe , has adopted this system and hence the need to partner with banks. Apple device does generate tokens but the matching happens at issuers. Otherwise how can apple process payments without storing card info on their servers as they have claimed.

Any comments are welcome.

 

A Finextra member 

The issuers need to sign up as they have to pay Visa or MasterCard for the Tokenization service. My understanding is that a PAN has to be enables for the service which drives the billing to the issuer.

A Finextra member 

That's also my understanding. The tokenization service itself is performed by the card schemes, but issuers have to register and pay for it. Roll-out means that issuers can start to register for the service.

A Finextra member 

The way I read it was Visa was offering this as a "on-behalf-of" service - and that Apple was using this with cooperation with Visa Inc. Whilst I agree that Tokens do increase security - it triggered a debate in the office with regards to how routing and acceptance rules/fees be applied if all a merchant can see is a token. I'd certainly like to understand the implications in more detail.

A Finextra member 

Does any one know how this tokenisation service works? My theory (based totally on guesswork) was that the token would be a dynamic or secondary PAN generated with the Issuer's BIN/IIN. The BIN would ensure that it was correctly routed by the Acquirer/scheme to the Issuer for translation back into the original account number. Is that right?

A Finextra member 

John, in principal you are right - the token is some kind of second PAN (or could be even a dynamic one-time PAN) generated woth the Issuers BIN/IIN. Translation can be done by everybody who knows how the token was generated - I guess that in the US for ApplePay the schemes do perform the genartion of tokens (tokenization service) and they will also offer to translate the token if the transactions will come along their switch - no need to change the issuer processing, but you the issuers have to pay for each translation. (But maybe someone , who is directly involved, can tell us if we are right or wrong.)

A Finextra member 

@Oliver: good to "talk" to you again!

So Orbiscom lives again eh? There's nothing new under the sun.

 

 

A Finextra member 

Leave the front digits of the PAN alone to enable BIN routing, leave the four digits of the PAN alone to ensure proper tracking for cardholder loyalty and rewards at the merchant, and adjust the... what, 2-3 digits in the middle?

Is all this just a way to dynamically change 2-3 digits?

A Finextra member 

Presumably an additional fee will be payable by the merchant for the provision of this service?

I wonder whether it'd be considered a circumvention of the card interchange fee?

Paul Love

Paul Love VP Business Development at Konsentus

If these tokens have a BIN and are in the required format to allow for routing over the existing rails, how is a hacker meant to tell the differnce.

Q: When is a card number not a card number?
A:  When it is a token!

 

Vernon Crabtree

Vernon Crabtree Test automation architect at My comments are my own

The BIN of a token ensures that the token gets routed to the token provider (so while it is associated with the issuer, it is not the same bin as the bin of the card that has been tokenized).

The token provider may be Visa, but it may also be another party (large merchant, processor, bank, some other service provider or even a phone/device maker).

It is the token provider that adds an extra layer of protection to the card-holder.  They must therefore comply with a raft of security requirements before they are allowed into the scheme as a token provider.

A token is like a card - it is issued once and used many times.  Unlike a card, it is unique to a particular use-case (such as a phone at a merchant, but cannot be used on internet without the phone).  As such, it can be specifically disabled without re-issuing the original card.

I don't know who pays for this.  I do know that issuers must change their systems to recognize and correctly process detokenized messages (compliance changes) so this is more forced on them than that they seek to join up.  Although I am sure they appreciate the extra security.

There may be some use-cases where cardholders would be willing to pay for the service themselves, or the fee is built into another service offering (as an example, think of a wrist-band at a concert as a token).  It will be interesting to see how this gets used.

 

[On-Demand Webinar] Unifying Card Programmes: The cost-reduction imperativeFinextra Promoted[On-Demand Webinar] Unifying Card Programmes: The cost-reduction imperative