What is Tokenization?
A token is a randomly generated number used in place of a customer's payment credentials, i.e. the credit card's primary account number (PAN). Tokenization replaces the original payment credentials with a secure substitute. This unique identifier, called a Payment Token or Tokenized PAN, cannot be used if stolen: it is just a reference number, and only the bank can map it back to the customer's payment credential.
Tokenization for credit cards has been around for a while, although it was recently popularized by the introduction of Apple Pay back in 2014.
How does Tokenization work on Apple Pay?
The main steps to add a credit card to Apple Wallet are:
- From Apple Wallet tap “Add credit card”
- Enter the card details (Card Number, Expiration Date, etc.). This information can also be entered by digitizing the credit card: simply scan the card by taking a picture with the phone, and the fields will be populated automatically.
- Once the card information is entered, cardholder authentication is required. Each issuer bank has its own method of verification. The most common method is a phone call to the bank in which the user provides credentials to authenticate the operation.
- The steps in the tokenization process include checking eligibility, completing terms and conditions (T&Cs), and the issuing of a token.
- After authentication and eligibility checks are completed, the bank issues the token. The token is securely sent to the mobile device, and the iPhone stores it on the embedded Secure Element (eSE).
- The card is now provisioned and ready to be used at any store accepting Apple Pay.
The figure below shows how a credit card's original PAN is tokenized. The trusted service manager (TSM) keeps a copy of the original PAN so that it can later match the tokenized PAN back to the original one whenever a transaction is performed using Apple Pay (or any tokenized credit card). If the user loses the phone, there is no need to replace the original credit card: the token (the PAN credentials issued for that iPhone) can be cancelled and reissued for the new device, while the original card PAN is maintained.
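The issuer/TSM role described above, as an added example that is not part of the original post or of Flomio's software: a small token vault model in which tokens are random, Luhn-valid 16-digit numbers with no mathematical relation to the PAN, each token is bound to the device it was issued for, and losing a device means revoking and reissuing that device's token while the PAN itself never changes. The class name, the device-binding check and the sample PAN (the well-known test number 4111111111111111) are assumptions made for the example.

```python
import secrets


def luhn_checksum_ok(number: str) -> bool:
    """Return True if the digit string passes the Luhn check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def luhn_check_digit(partial: str) -> str:
    """Return the single check digit that makes partial + digit Luhn-valid."""
    for c in "0123456789":
        if luhn_checksum_ok(partial + c):
            return c
    raise RuntimeError("unreachable: one of the ten digits always satisfies Luhn")


class TokenVault:
    """Hypothetical model of the issuer/TSM vault that maps tokens back to PANs.

    Only this vault knows the token -> PAN relation; the token itself carries
    no information about the PAN, so a stolen token is just a reference number.
    """

    def __init__(self) -> None:
        self._tokens: dict[str, dict] = {}    # token -> {pan, device_id, active}
        self._by_pan: dict[str, list] = {}    # pan   -> [tokens issued for it]

    def issue_token(self, pan: str, device_id: str) -> str:
        """Issue a fresh, random, Luhn-valid token bound to one device."""
        if not (pan.isdigit() and luhn_checksum_ok(pan)):
            raise ValueError("PAN failed basic format/Luhn validation")
        while True:
            body = "".join(str(secrets.randbelow(10)) for _ in range(15))
            token = body + luhn_check_digit(body)
            # never hand out the real PAN or reuse a live token value
            if token != pan and token not in self._tokens:
                break
        self._tokens[token] = {"pan": pan, "device_id": device_id, "active": True}
        self._by_pan.setdefault(pan, []).append(token)
        return token

    def detokenize(self, token: str, device_id: str):
        """Map a token back to its PAN at transaction time, or None if it is
        unknown, revoked, or presented from a device it was not issued to."""
        rec = self._tokens.get(token)
        if rec is None or not rec["active"] or rec["device_id"] != device_id:
            return None
        return rec["pan"]

    def revoke_device(self, pan: str, device_id: str) -> int:
        """Cancel every active token issued to a lost device; the PAN stays valid."""
        revoked = 0
        for token in self._by_pan.get(pan, []):
            rec = self._tokens[token]
            if rec["device_id"] == device_id and rec["active"]:
                rec["active"] = False
                revoked += 1
        return revoked

    def reissue(self, pan: str, old_device: str, new_device: str) -> str:
        """Lost-phone flow: revoke the old device's token and provision a new one."""
        self.revoke_device(pan, old_device)
        return self.issue_token(pan, new_device)


def lost_phone_scenario(pan: str = "4111111111111111") -> dict:
    """Walk through provisioning, a purchase, a lost phone and a reissue."""
    vault = TokenVault()
    old_token = vault.issue_token(pan, "iphone-old")
    purchase_ok = vault.detokenize(old_token, "iphone-old") == pan
    new_token = vault.reissue(pan, "iphone-old", "iphone-new")
    return {
        "old_token": old_token,
        "new_token": new_token,
        "purchase_before_loss_ok": purchase_ok,
        "old_token_after_loss": vault.detokenize(old_token, "iphone-old"),
        "new_token_on_new_device": vault.detokenize(new_token, "iphone-new"),
        "new_token_on_old_device": vault.detokenize(new_token, "iphone-old"),
    }


if __name__ == "__main__":
    for k, v in lost_phone_scenario().items():
        print(f"{k}: {v}")
```

The two checks worth noting are that detokenization fails for a token presented from a device other than the one it was issued to, and that revoking a device's token leaves the PAN untouched, which is the property the post describes when a phone is lost.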
Can tokenization work on contactless credit cards?
Since the iPhone is connected to the Internet, the bank can securely send a token to be stored on the eSE. Contactless credit cards are not connected to the Internet; they are passive devices. Unlike on the iPhone, tokens cannot easily be changed or assigned on the go on contactless credit cards. Instead, the PAN is usually already stored when the cards are shipped, it never changes, and it is activated when the user calls the issuer bank.
The only connectivity a contactless credit card has with the outside world is Near Field Communication (NFC). Therefore, using a contactless reader, the NFC interface can be used to assign or change a tokenized PAN on the go and write that token to the eSE, which securely stores the payment token. With NFC read-write capabilities, a token can be generated in the same fashion as on the iPhone and then transferred to and stored on the card. By the same logic, the card itself can also be changed on the go, just as with the Apple Wallet: for example, the customer can switch between MasterCard, Visa or AMEX, or write virtual cards, etc. onto a passive credit card (no connectivity).
At Flomio, we are using an NFC reader connected to an iPhone via Bluetooth. From the iPhone, users select which card to tokenize (either by manually entering the credentials or by scanning the card); the iPhone contacts the issuer bank's TSM, obtains the token, and then transfers and stores it on the credit card using the FloBLE Plus reader (more info in this post).
A solution comparable to the one described in the picture below was implemented by Flomio in Rio de Janeiro for VISA. The system provisioned payment rings (instead of using a regular credit card form factor), similar to the ones that athletes used during the event.
These rings had embedded hardware (an eSE and an NFC controller) that mimics a credit card. The payment rings were wearables “designed not only to be inconspicuous, but also be water resistant to 50 meters and never need charging”. (Source: Engadget: Visa Olympic Wearable)