TOKENIZATION: THE FUTURE OF ACCOUNT NUMBERS
Steve Ledford, The Clearing House
© 2016 EastPay. All Rights Reserved
Information Interchange 2016 – Hit it Out of the Park with Payments!
Bank issues physical card
Plastic at point of sale
Ecommerce at checkout
Web bill payment
Mobile Apps
Mobile Wallet
Payment Aggregators
Future?
Problem Statement: The proliferation of live account credentials creates huge risks
Tokenization is a tool to mitigate account credential risk
Typical Attributes of Payment Tokens
- Format-preserving for legacy compatibility
- Either “dynamic” or “static”; if static, may be combined with a cryptogram
- Restricted in scope / not “general purpose”
- Can be used live to authorize / clear transactions
Token Components
- Consists of 15-19 digits + expiration date
- Domain Restrictions limit the use of the token
- Cryptogram that is unique to each transaction
Tokenization
Substitutes a limited-use random number (secure digital token) for the customer’s account number so that the sensitive information remains safe.
Even if compromised, the token is of limited or no use to cybercriminals
Token Vaults
Bank (or multi-bank) vaults create tokens, perform customer authentication and provision tokens to digital wallets or directories
Tokenization process flows
[Figure: token and account flows among the Consumer, the Merchant (shown both with no access to customer bank account information and with access to it), eW / mW wallets, the Acquirer, the Card Networks, the Token Service Provider with its Token Vault (*token / account exchange), and the Issuer Bank, which performs Customer Authentication (ID&V) and Token Provisioning; the payment itself is made with the token]
Everyone benefits from tokenization
Today:
- Sensitive account information is static
- Customers provide live bank data to retailers, wallets, alternative payment providers, aggregators, others
- Fraud risk increasing as cards upgrade to EMV, and as e-commerce and mobile grow
- Confusing and complicated process to maintain and update consumer information across multiple providers when a card is lost, stolen or expired
With Tokenization:
- Customer bank data securely held behind bank firewalls
- Consumers don’t need to provide sensitive information to multiple providers
- Lower fraud potential in event of data breach or lost/stolen device
- Single contact point to update and maintain consumer information
- No change in consumer payment behavior
The use of DDA account numbers is also proliferating
[Figure: a sample check (Jane Doe, First Bank, check no. 1234, MICR line 2746373849 982348329) followed by the places the same DDA credentials end up, numbered 1 to 8: Bank issues DDA account; Payroll; Bill Pay; Ecommerce at checkout; Mobile Apps; Mobile Wallet; P2P; Future… Faster Payments]
Tokenization is critical for the continued safety and security of the ACH system
- The proliferation of bank account information for ACH use cases increases vulnerability. According to McKinsey, there are more than two billion instances where banking credentials are being held outside of a financial institution. Tokenizing these credentials is just as important as protecting a credit card account number
- DDA account number replacement is both expensive (McKinsey estimated at $200 per instance) and cumbersome. Adequate protection of the real DDA information can generate time and cost benefits for both account holders and financial institutions
- EMV, coupled with tokenization, will bring much greater security for card transactions. Securing card transactions could have the unintended consequence of pushing fraud into ACH. In other geographies, the rollout of EMV led to increased fraud in other payment channels
- Same-day ACH underscores the need for enhanced security measures. The faster clearing and settlement of same-day transactions will increase the attractiveness of the ACH network for fraud. Tokens provide a mitigating tool for the expedited processing
DDA tokens have several key features
Token Attributes – Apply to all DDA tokens
- Format preserving – DDA tokens maintain the same 9 digit routing/transit and up to 17 digit account structure as the underlying true accounts. The tokens work with existing systems without modification, including conforming to check digit routines
- Components –
  • Routing & Transit Number – Either standard ABA, or dedicated token R/T
  • Account Number – assigned by TSP
- Static Token – The token itself is static (with a set expiration), and may be paired with dynamic components to create more robust security (see next slide)
Two options for token identification:
- Either: an existing bank routing number (021052053 in the figure) and a specified account number range (the figure shows the account numbers 99527832046832392 and 23527832046832392)
- Or: a dedicated routing number for tokens, similar to the URT used by UPIC (the figure shows 023456789 00024628912321745, labelled 9 Digit Routing Transit and 17 Digit Account Number)
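The slide says DDA tokens keep the 9-digit routing / 17-digit account shape and must pass existing check digit routines, and that a token is assigned by the TSP from a vault. The example below is added here to make that concrete; it is not code from the presentation or from The Clearing House. It implements the ABA mod-10 check digit (weights 3, 7, 1 repeated), derives a hypothetical dedicated token routing number from a constructed prefix so that it passes that check, and shows a minimal token vault that issues one random, format-preserving token per (account, originator) pair and resolves it back only for that originator. The routing number 021052053 from the slide is reused as the sample bank routing number; the token routing prefix 02345678, the reserved account prefix 99, the account numbers and the originator names are constructed.

```python
import secrets
from typing import Dict, Optional, Tuple

# ABA routing/transit numbers carry a mod-10 check digit: the digits are
# weighted 3,7,1,3,7,1,3,7,1 and the weighted sum must end in 0. A
# format-preserving token routing number must satisfy the same rule or
# legacy ACH systems will reject it before it ever reaches the TSP.
ABA_WEIGHTS = (3, 7, 1, 3, 7, 1, 3, 7, 1)


def aba_checksum_ok(rtn: str) -> bool:
    """Return True if rtn is nine digits and passes the ABA check-digit routine."""
    if len(rtn) != 9 or not rtn.isdigit():
        return False
    return sum(int(d) * w for d, w in zip(rtn, ABA_WEIGHTS)) % 10 == 0


def aba_check_digit(prefix8: str) -> str:
    """Compute the ninth digit for an eight-digit prefix (digit nine has weight 1)."""
    if len(prefix8) != 8 or not prefix8.isdigit():
        raise ValueError("prefix must be eight digits")
    partial = sum(int(d) * w for d, w in zip(prefix8, ABA_WEIGHTS[:8]))
    return str((10 - partial % 10) % 10)


# Hypothetical dedicated token routing number: constructed prefix plus the
# computed check digit. Not a routing number from the slides.
TOKEN_RTN = "02345678" + aba_check_digit("02345678")   # "023456783"
TOKEN_ACCOUNT_PREFIX = "99"   # constructed reserved range; real accounts never start with it here
ACCOUNT_LEN = 17


def is_token_account(rtn: str, account: str) -> bool:
    """Format check any participant can run with no vault access at all."""
    return (rtn == TOKEN_RTN and len(account) == ACCOUNT_LEN
            and account.isdigit() and account.startswith(TOKEN_ACCOUNT_PREFIX))


class TokenVault:
    """Minimal TSP vault: (real RTN, real account, originator) <-> token.

    Issuing a distinct token per originator is the domain restriction from the
    slides: a token lifted from one originator's files resolves to nothing for
    any other originator.
    """

    def __init__(self) -> None:
        self._by_token: Dict[str, Tuple[str, str, str]] = {}
        self._by_account: Dict[Tuple[str, str, str], Tuple[str, str]] = {}

    def issue(self, real_rtn: str, real_account: str, originator_id: str) -> Tuple[str, str]:
        if not aba_checksum_ok(real_rtn):
            raise ValueError("real routing number fails the ABA check digit")
        key = (real_rtn, real_account, originator_id)
        if key in self._by_account:          # re-provisioning is idempotent
            return self._by_account[key]
        n = ACCOUNT_LEN - len(TOKEN_ACCOUNT_PREFIX)
        while True:
            # CSPRNG digits after the reserved prefix: the token carries no
            # information about the real account, it is only a vault lookup key.
            token_account = TOKEN_ACCOUNT_PREFIX + f"{secrets.randbelow(10 ** n):0{n}d}"
            if token_account not in self._by_token:
                break
        self._by_token[token_account] = key
        self._by_account[key] = (TOKEN_RTN, token_account)
        return TOKEN_RTN, token_account

    def detokenize(self, rtn: str, account: str, originator_id: str) -> Optional[Tuple[str, str]]:
        """Resolve a token to real credentials, only for the originator it was issued to."""
        if not is_token_account(rtn, account):
            return None
        real = self._by_token.get(account)
        if real is None or real[2] != originator_id:
            return None
        return real[0], real[1]
```

Because the token is random rather than derived from the real account, a breach of an originator's file yields only vault keys that are useless without the vault and, with the per-originator binding, useless even to another originator.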
Control attributes increase token security
Domain Control – Limits the use of a token based on criteria provided by the RDFI. These could include credit-only (with or without reversals), credit vs. debit, originator ID restrictions, dollar limits, velocity limits, etc.
Expiration – Tokens expire based on rules set by each RDFI
Token Assurance Level – A value that represents the level of confidence in ID&V that was performed to authenticate the accountholder
Cryptogram – (only certain use cases) Adds a dynamic element to tokens, demonstrating authorized use of the token. Designed to prevent tokens stolen from an originator being used to generate unauthorized transactions
Control Attributes – Differ based on risk profiles
[Figure: increasing security from left to right: Token; Token w/ Domain Control; Token w/ Cryptogram & Domain Control]
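The control attributes above (domain control, expiration, token assurance level, cryptogram) are rules the RDFI or its TSP evaluates on every transaction that carries a token. The example below is added here and is not code from the presentation; it shows one way to encode those rules and apply them in order, so that a token stolen from an originator's files is rejected on originator mismatch, a replayed or tampered transaction is rejected on the cryptogram, and limits and expiry are enforced. The attribute names, the 0 to 3 assurance scale, the use of HMAC-SHA256 as the cryptogram, and all sample values (token account, originator IDs, limits, key) are assumptions constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, FrozenSet, Optional, Set, Tuple


@dataclass
class TokenControls:
    """Control attributes an RDFI/TSP holds for one DDA token (hypothetical schema)."""
    token_account: str
    originator_ids: FrozenSet[str]   # empty set = any originator may use the token
    credit_only: bool                # True: token may only receive credits
    max_amount_cents: int            # per-transaction dollar limit
    max_txns_per_day: int            # velocity limit
    expires: date                    # expiration rule set by the RDFI
    assurance_level: int             # confidence in the ID&V performed, 0 (none) .. 3 (strong)
    cryptogram_key: Optional[bytes]  # per-token secret; None = cryptogram not required
    daily_count: Dict[date, int] = field(default_factory=dict)
    seen_txn_ids: Set[str] = field(default_factory=set)


def make_cryptogram(key: bytes, token_account: str, originator_id: str,
                    amount_cents: int, txn_id: str) -> str:
    """Dynamic element bound to one transaction. HMAC-SHA256 over the fields that
    must not change is a stand-in for whatever scheme a real TSP specifies."""
    msg = "|".join([token_account, originator_id, str(amount_cents), txn_id]).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def authorize(ctl: TokenControls, txn: dict, today_iso: str,
              min_assurance: int = 2) -> Tuple[bool, str]:
    """Apply every control attribute to txn; return (approved, reason).

    txn keys: originator_id, direction ("credit"/"debit"), amount_cents, txn_id, cryptogram.
    """
    today = date.fromisoformat(today_iso)
    if today > ctl.expires:
        return False, "token expired"
    if ctl.originator_ids and txn["originator_id"] not in ctl.originator_ids:
        return False, "originator not permitted for this token"
    if ctl.credit_only and txn["direction"] != "credit":
        return False, "token is credit-only"
    if txn["amount_cents"] > ctl.max_amount_cents:
        return False, "exceeds dollar limit"
    if ctl.daily_count.get(today, 0) >= ctl.max_txns_per_day:
        return False, "velocity limit reached"
    if ctl.assurance_level < min_assurance:
        return False, "token assurance level too low for this use"
    if ctl.cryptogram_key is not None:
        if txn["txn_id"] in ctl.seen_txn_ids:
            return False, "cryptogram replayed"
        expected = make_cryptogram(ctl.cryptogram_key, ctl.token_account,
                                   txn["originator_id"], txn["amount_cents"], txn["txn_id"])
        if not hmac.compare_digest(expected, txn.get("cryptogram", "")):
            return False, "cryptogram invalid"
        ctl.seen_txn_ids.add(txn["txn_id"])
    ctl.daily_count[today] = ctl.daily_count.get(today, 0) + 1
    return True, "approved"


# Constructed sample: a token provisioned to one merchant for debits up to $500,
# three transactions per day, expiring at the end of 2017, cryptogram required.
SAMPLE_KEY = b"constructed-per-token-secret"
SAMPLE_TOKEN_ACCOUNT = "99123456789012345"   # constructed, 17 digits


def sample_controls(credit_only: bool = False) -> TokenControls:
    return TokenControls(
        token_account=SAMPLE_TOKEN_ACCOUNT,
        originator_ids=frozenset({"MERCHANT-42"}),
        credit_only=credit_only,
        max_amount_cents=50_000,
        max_txns_per_day=3,
        expires=date(2017, 12, 31),
        assurance_level=2,
        cryptogram_key=SAMPLE_KEY,
    )


def sample_txn(amount_cents: int, txn_id: str, originator_id: str = "MERCHANT-42",
               direction: str = "debit") -> dict:
    """Build a transaction the way a legitimate originator would, cryptogram included."""
    return {
        "originator_id": originator_id, "direction": direction,
        "amount_cents": amount_cents, "txn_id": txn_id,
        "cryptogram": make_cryptogram(SAMPLE_KEY, SAMPLE_TOKEN_ACCOUNT,
                                      originator_id, amount_cents, txn_id),
    }
```

The cheap static checks (expiry, originator, direction, amount, velocity, assurance) run before the cryptogram so that a flood of bad requests does not cost an HMAC each, and the cryptogram covers the amount and originator so that a captured transaction cannot be re-used with a different amount or by a different originator.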
Three tokenization options for RDFIs
RDFI – Banks may choose to deploy their own TSP service for their account holders
Operator – ACH operators are a natural candidate for TSP service due to central role in routing transactions
3rd Party – Third parties (e.g., core processors) may offer TSP services to their financial institution clients
[Figure: three diagrams of the Originator → ODFI → Operator → RDFI chain, each placing the TSP at the participant named in the corresponding option above]
Where do ACH tokens come from?
Provisioning Methodology | Tokenization Use Case | Description
Batch Push: Token Notification of Change (COR) | Unsolicited replacement of DDA credentials with tokens | Can be used anywhere DDA information is held on file, including: Payroll providers; Billers; Merchants; Digital Wallets
Batch Pull: Token Prenote followed by NOC (COR) | Originator requests a token in order to replace DDA credentials | Any originator with DDA information on file who wants to request a token prior to a forward transaction: Payroll providers; Billers; Merchants
Real-time Push: Banking Application | Consumer gets token from banking application and provides token directly to originator, or banking application pushes token directly to originator | Allows consumer to protect their information by never providing it to originators: Ecommerce / Mcommerce; Mobile payments / Digital Wallets; Payroll; Billers; Account to account transfers
Real-time Pull: Provisioning API | Originator needs a token in real-time | Situations where there is little time between consumer registration and the initial forward transaction: Ecommerce / Mcommerce; Mobile payments / Digital Wallets
What does a tokenized future look like?
Mass data breaches don’t become mass payment fraud events
Use of credit-push payments (ACH and real-time) accelerates as receivers feel safe providing tokens to payers instead of account numbers
The concept of an account number becomes increasingly irrelevant to customers