Network Tokenisation in Digital Payments

6 Aug 2019

  • One in five global transactions are now digital, with online commerce growing at over six times the rate of in-store sales;

  • Globally, retailers are expected to lose around $130 billion in digital card-not-present fraud between 2018 and 2023;

  • Network Tokenisation is an example of a technology being adopted by Issuers and Merchants to deliver both a secure and frictionless digital buying experience. 

Point of View

 

The way consumers make payments is evolving at an ever-faster rate. This evolution reflects advances in technology and rising customer expectations for simplicity and speed that fit their lifestyles. One in five global transactions is now digital, with online commerce growing at over six times the rate of in-store sales. Consistent with this global trend, Australians are embracing e-commerce. In 2018, device-not-present transactions represented 22% of all card transactions. Online spending exceeded $25 billion in the 12 months to February 2018. Mobile commerce is also increasing in Australia. One in five online purchases is now made from a mobile device, with purchases from mobile devices growing 58% in 2017, a six percentage point increase from the previous year.

 

 

As digital payments accelerate and grow, so must the digital security measures that protect consumers’ confidential information. According to Juniper Research, retailers are expected to lose around $130 billion in digital card-not-present fraud between 2018 and 2023. In Australia in the 12 months to 30 June 2018, card-not-present fraud increased by 7.8% to $478 million, accounting for 85% of all fraud on Australian cards.

Network Tokenisation is an example of a technology being adopted by Issuers and Merchants to deliver both a secure and frictionless digital buying experience.  

 

Network Tokenisation is the process of a payment network replacing the cardholder’s 16-digit primary account number (PAN) with a unique EMV Payment Token (Payment Token). The Payment Token can be configured to only work in specific scenarios, for example with a nominated merchant or using a particular device. During a transaction, the Payment Token is passed to the Token Service Provider (TSP), who detokenises the Payment Token back to the PAN. The PAN is then passed to the Issuer for payment authorisation. In a Network Tokenisation scenario, the payment network plays the role of the TSP.

 

 

Two current use cases for Network Tokenisation are as follows:

  1. Mobile Payment Tokenisation

The cardholder requests to add their card credentials into their digital wallet. Once they are identified and verified by the Issuer, a Payment Token is provisioned into the secure element of the cardholder’s device. During a transaction, the token is used instead of the cardholder’s PAN to perform the payment. Separate tokens are created for each card stored in the digital wallet.

  2. Credential-on-File Tokenisation (COF Tokenisation)

Rather than a merchant storing a cardholder’s PAN on file, the merchant requests a Payment Token from the appropriate payments network. The Payment Token can be restricted to be used only by this particular merchant.
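
As an added illustration (not from the original article or any payment network's code), the following Python model shows the detokenisation step and the merchant and device restrictions described above. The class and function names, the in-memory vault and the sample identifiers are assumptions made for the example.

```python
import secrets


class TokenServiceProvider:
    """Toy in-memory TSP vault (hypothetical model; real token formats are set by the network)."""

    def __init__(self):
        # payment token -> PAN plus the domain restrictions fixed at provisioning time
        self._vault = {}

    def provision(self, pan, merchant_id=None, device_id=None):
        """Issue a random 16-digit Payment Token, optionally bound to a merchant or device."""
        while True:
            token = "".join(secrets.choice("0123456789") for _ in range(16))
            if token != pan and token not in self._vault:
                break
        self._vault[token] = {"pan": pan, "merchant_id": merchant_id, "device_id": device_id}
        return token

    def detokenise(self, token, merchant_id=None, device_id=None):
        """Return the PAN only when the transaction context matches every restriction."""
        entry = self._vault.get(token)
        if entry is None:
            raise PermissionError("unknown token")
        for field, presented in (("merchant_id", merchant_id), ("device_id", device_id)):
            bound = entry[field]
            if bound is not None and presented != bound:
                raise PermissionError(f"domain restriction failed: {field}")
        return entry["pan"]


def authorise(tsp, token, merchant_id=None, device_id=None):
    """Network-side step: detokenise, then pass the PAN on (issuer stubbed as a masked PAN)."""
    try:
        pan = tsp.detokenise(token, merchant_id, device_id)
    except PermissionError as exc:
        return ("DECLINED", str(exc))
    return ("SENT_TO_ISSUER", "*" * 12 + pan[-4:])


if __name__ == "__main__":
    tsp = TokenServiceProvider()
    pan = "4111111111111111"  # constructed test number, not a real card
    cof_token = tsp.provision(pan, merchant_id="MERCHANT-A")
    print(authorise(tsp, cof_token, merchant_id="MERCHANT-A"))
    print(authorise(tsp, cof_token, merchant_id="MERCHANT-B"))
```

A token copied from MERCHANT-A's systems is declined when presented in any other merchant context, which is the property that makes a stored Payment Token less valuable to steal than a stored PAN.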

 

Implications

 

Network Tokenisation delivers a number of benefits. These include:

 

  • Reduced Fraud – the cardholder’s details are protected throughout the payment transaction. The Payment Token removes sensitive information from merchant systems, decreasing the ability to compromise sensitive data through data breach attempts. 

  • Digital Growth – 1.2 billion CNP purchases are declined globally every year, with an estimated $331 billion worth of false positives reported in 2018. As part of Network Tokenisation, merchants will have consumer payment details instantly updated when a card is lost, stolen or expires. Therefore, the chance of outdated or mismatched data triggering a false decline is reduced.

  • Interoperability – A Payment Token will traverse the payments network in the same way as a PAN. The only difference is the Payment Network passes the Payment Token to their TSP for detokenisation during a transaction.

 

There are considerations when using Network Tokenisation. These include:

  • Implementation / Reconciliation – As chargebacks take around 30-60 days to process, merchants need to consider how best to handle card details during implementation to ensure that chargebacks can be reconciled with the card details held on file.

  • Routing implications – During a transaction, the Payment Token must be passed to the TSP in order to be detokenised.

 

Payment network activity in relation to Payment Tokens

 

Amex announced the American Express Token Service. Amex also published a digital payments security survey in which it reported that nearly 80 million online shoppers have been the victim of payment fraud.

 

Eftpos has invested in Payment Tokenisation capabilities. Eftpos announced a partnership with Rambus, procuring services for its Token Service Provider platform.

 

Mastercard has said that it will enable [Payment] tokenisation services on all cards by 2020 as part of its Digital Commerce Solutions. Mastercard is referenced as working with a number of gateways including Adyen, Digital River, Stripe, Square and Worldpay to deliver Network Tokenisation services to merchants.

 

Visa published its Future of Security Roadmap, which has two goals in relation to Payment Tokenisation. These are as follows:

  • Mass adoption of COF Tokenisation by 2019; and

  • Achieve 100% tokenisation of all accountholder data held outside of financial institutions by 2020+.

According to Visa, “the collective commitment to drive tokenisation across the industry represents a win for Australian merchants, consumers, financial institutions and payments companies alike. This technology enhances the customer experience, enables greater conversion and loyalty for merchants, and protects against fraud.”

 

 

Connectivity of Token Service Providers

 

Visa and Mastercard have recently signed a tokenisation agreement to enable the interoperability of Payment Tokens in Visa Checkout and Masterpass. The agreement allows Visa to request tokenised Mastercard payment credentials from Mastercard for provisioning into Visa Checkout, and Mastercard to request tokenised Visa credentials from Visa for provisioning into Masterpass. This reciprocal request for tokenised payment credentials will ensure that each network’s wallet solutions can continue to stay open to other card brands while also adding the extra security of using tokens in place of real card numbers.

 

Multi-network debit cards are cards that support both the eftpos domestic scheme and either Visa or Mastercard. In the event that one of these cards has been Network Tokenised, the payment must route through the network TSP that has tokenised the card. This could lead to routing limitations for merchants. One possible solution would be bilateral tokenisation agreements across the schemes, allowing connectivity between payment processing and TSP infrastructure.

 

As Australia continues to transact in digital environments, Network Tokenisation can play an important role in bringing an added layer of security to digital payments, while providing a seamless shopping experience for consumers.

 

 

The opinions and views expressed in this publication are those of the authors exclusively and do not purport to reflect the opinions, views or official policy position of AusPayNet or its members. This publication is also subject to the AusPayNet Terms of Use and Privacy Policy available on the AusPayNet website.

 

 

 

 

 


Copyright © 2017 AusPayNet. All rights reserved.  
