TOKENIZATION: THE FUTURE OF ACCOUNT NUMBERS

Steve Ledford, The Clearing House

© 2016 EastPay. All Rights Reserved

Information Interchange 2016 – Hit it Out of the Park with Payments!

Problem Statement: The proliferation of live account credentials creates huge risks

• Bank issues physical card
• Plastic at point of sale
• Ecommerce at checkout
• Web bill payment
• Mobile Apps
• Mobile Wallet
• Payment Aggregators
• Future?

Tokenization is a tool to mitigate account credential risk

Typical Attributes of Payment Tokens

• Format-preserving for legacy compatibility
• Either “dynamic” or “static”; if static, may be combined with a cryptogram
• Restricted in scope / not “general purpose”
• Can be used live to authorize / clear transactions

Token Components

• Consists of 15-19 digits + expiration date
• Domain Restrictions limit the use of the token
• Cryptogram that is unique to each transaction

Tokenization

Substitutes a limited-use random number (secure digital token) for customer’s account numbers so that the sensitive information remains safe.

Even if compromised, the token is of limited or no use to cybercriminals

Token Vaults

Bank (or multi-bank) vaults create tokens, perform customer authentication and provision tokens to digital wallets or directories

Tokenization process flows

[Diagram. Parties shown: Consumer, eW, mW, Merchant, Acquirer, Card Networks, Token Service Provider, Token Vault, Bank, Issuer. Flows shown: Payment with Token; *token / account exchange; Customer Authentication (ID&V); Token Provisioning. Zones marked: “No access to customer bank account information” and “Access to customer bank account information”.]

Everyone benefits from tokenization

Today

• Sensitive account information is static
• Customers provide live bank data to retailers, wallets, alternative payment providers, aggregators, others
• Fraud risk increasing as cards upgrade to EMV, and as e-commerce and mobile grow
• Confusing and complicated process to maintain and update consumer information across multiple providers when a card is lost, stolen or expired

With Tokenization

• Customer bank data securely held behind bank firewalls
• Consumers don’t need to provide sensitive information to multiple providers
• Lower fraud potential in event of data breach or lost/stolen device
• Single contact point to update and maintain consumer information
• No change in consumer payment behavior

The use of DDA account numbers is also proliferating

• Bank issues DDA account
• Payroll
• Bill Pay
• Ecommerce at checkout
• Mobile Apps
• Mobile Wallet
• P2P
• Future… Faster Payments

[Image: sample check for Jane Doe, First Bank, showing 1234, 2746373849 and 982348329]

Tokenization is critical for the continued safety and security of the ACH system

The proliferation of bank account information for ACH use cases increases vulnerability
- According to McKinsey, there are more than two billion instances where banking credentials are being held outside of a financial institution. Tokenizing these credentials is just as important as protecting a credit card account number
- DDA account number replacement is both expensive (McKinsey estimated at $200 per instance) and cumbersome. Adequate protection of the real DDA information can generate time and cost benefits for both account holders and financial institutions

EMV, coupled with tokenization, will bring much greater security for card transactions
- Securing card transactions could have the unintended consequence of pushing fraud into ACH. In other geographies, the rollout of EMV led to increased fraud in other payment channels

Same-day ACH underscores the need for enhanced security measures
- The faster clearing and settlement of same-day transactions will increase the attractiveness of the ACH network for fraud. Tokens provide a mitigating tool in the expedited processing

DDA tokens have several key features

Token Attributes
Apply to all DDA tokens

Format preserving – DDA tokens maintain the same 9 digit routing/transit, and up to 17 digit account structure as the underlying true accounts. The tokens work with existing systems without modification, including conforming to check digit routines

Components –
• Routing & Transit Number – Either standard ABA, or dedicated token R/T
• Account Number – assigned by TSP

Static Token – The token itself is static (with a set expiration), and may be paired with dynamic components to create more robust security (see next slide)

Example: 023456789 (9 Digit Routing Transit) 00024628912321745 (17 Digit Account Number)

Two options for token identification:

Either: Existing bank routing number and specified account number range (routing number shown: 021052053)
Or: Dedicated routing number for tokens similar to the URT used by UPIC (routing number shown: 023456789)

Account numbers shown: 99527832046832392, 23527832046832392

Control attributes increase token security

Control Attributes
Differ based on risk profiles

Domain Control – Limits the use of a token based on criteria provided by the RDFI. These could include credit-only (with or without reversals), credit vs. debit, originator ID restrictions, dollar limits, velocity limits, etc.

Expiration – Tokens expire based on rules set by each RDFI

Token Assurance Level – A value that represents the level of confidence in ID&V that was performed to authenticate the accountholder

Cryptogram – (only certain use cases) Adds a dynamic element to tokens, demonstrating authorized use of token. Designed to prevent tokens stolen from an originator being used to generate unauthorized transactions

[Diagram, in order of increasing security: Token; w/ Domain Control; w/ Cryptogram & Domain Control]
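As an added illustration (not code from the presentation or from The Clearing House), the sketch below models a token vault that issues format-preserving DDA tokens under the "existing bank routing number and specified account number range" option and enforces expiration and domain controls before releasing the real account. The `99` range prefix, the class, field and reason-string names are assumptions made for the example; `021052053` is the routing number shown on the slide.

```python
import secrets
from dataclasses import dataclass
from datetime import date

TOKEN_RT = "021052053"  # routing number shown on the slide (passes the ABA check)
TOKEN_PREFIX = "99"     # assumption: account numbers starting 99 are the token range

def aba_valid(rt: str) -> bool:
    """ABA check digit: digits weighted 3,7,1 repeating must sum to a multiple of 10."""
    if len(rt) != 9 or not rt.isdigit():
        return False
    return sum(int(d) * w for d, w in zip(rt, (3, 7, 1) * 3)) % 10 == 0

@dataclass(frozen=True)
class TokenRecord:  # what the vault keeps behind each token (hypothetical layout)
    real_rt: str
    real_account: str
    expires: date
    credit_only: bool
    originator_ids: frozenset
    dollar_limit_cents: int

class TokenVault:
    def __init__(self):
        self._records = {}  # token account number -> TokenRecord

    def provision(self, real_rt, real_account, **controls):
        """Issue a random 17-digit token account; the real numbers stay in the vault."""
        if not aba_valid(real_rt):
            raise ValueError("routing number fails ABA check digit")
        token = None
        while token is None or token in self._records:
            token = TOKEN_PREFIX + f"{secrets.randbelow(10**15):015d}"
        self._records[token] = TokenRecord(real_rt, real_account, **controls)
        return TOKEN_RT, token

    def detokenize(self, rt, token, *, originator_id, is_debit, amount_cents, today):
        """Return ((real_rt, real_account), "ok") only if every domain control passes."""
        rec = self._records.get(token) if rt == TOKEN_RT else None
        if rec is None:
            return None, "unknown token"
        checks = [
            (today > rec.expires, "expired"),
            (is_debit and rec.credit_only, "credit-only token"),
            (originator_id not in rec.originator_ids, "originator not allowed"),
            (amount_cents > rec.dollar_limit_cents, "over dollar limit"),
        ]
        failed = [reason for bad, reason in checks if bad]
        return (None, failed[0]) if failed else ((rec.real_rt, rec.real_account), "ok")
```

A token copied from one originator's files fails the originator, direction or limit check when presented elsewhere, which is the containment property the domain controls are meant to provide. Velocity limits and the per-transaction cryptogram are not modelled here.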

Three tokenization options for RDFIs

• RDFI – Banks may choose to deploy their own TSP service for their account holders
• Operator – ACH operators are a natural candidate for TSP service due to central role in routing transactions
• 3rd Party – Third parties (e.g., core processors) may offer TSP services to their financial institution clients

[Three diagrams, one per option, each showing Originator, ODFI, Operator, RDFI and TSP]

Where do ACH tokens come from?

Table columns: Provisioning Methodology; Tokenization Use Case; Description

Batch Push: Token Notification of Change (COR)
Tokenization Use Case: Unsolicited replacement of DDA credentials with tokens
Description: Can be used anywhere DDA information is held on file, including:
• Payroll providers
• Billers
• Merchants
• Digital Wallets

Batch Pull: Token Prenote followed by NOC (COR)
Tokenization Use Case: Originator requests a token in order to replace DDA credentials
Description: Any originator with DDA information on file who wants to request a token prior to a forward transaction
• Payroll providers
• Billers
• Merchants

Real-time Push: Banking Application
Tokenization Use Case:
• Consumer gets token from banking application and provides token directly to originator, or…
• Banking application pushes token directly to originator
Description: Allows consumer to protect their information by never providing it to originators
• Ecommerce / Mcommerce
• Mobile payments / Digital Wallets
• Payroll
• Billers
• Account to account transfers

Real-time Pull: Provisioning API
Tokenization Use Case: Originator needs a token in real-time
Description: Situations where there is little time between consumer registration and the initial forward transaction
• Ecommerce / Mcommerce
• Mobile payments / Digital Wallets

What does a tokenized future look like?

Mass data breaches don’t become mass payment fraud events

Use of credit-push payments (ACH and real-time) accelerates as receivers feel safe providing tokens to payers instead of account numbers

The concept of an account number becomes increasingly irrelevant to customers