With new NFC payment technologies like Host Card Emulation and now Apple Pay, many ask us: “What is tokenization?” This post might help explain.
by Neil Livingston
Director of Mobile Products
- Using a token PAN on a consumer device means that the actual plastic card PAN is never used or shared by the consumer during the payment transaction – either at the retail POS or with the online merchant. In fact, the plastic card PAN is never stored in the consumer device. This means it is possible to switch on and off token PANs on different consumer devices without impacting the plastic card. If a consumer device (for example, a mobile phone) is stolen or the token PAN details have somehow been compromised, then the consumer device / token PAN can be deactivated without impacting/deactivating the plastic card. Indeed, the same plastic card can be mobilised across multiple consumer devices at the same time, each having a different token PAN, all mapping to the same plastic card PAN.
- Each token PAN can be tied to a single enrolled consumer device and, for added security, the permitted usage of any token PAN can be limited: for example, for use only via the specified consumer device, only over a specific payment channel (NFC, e/mCommerce, etc.), only within certain merchants/locations, or up to specific spend thresholds. These constraints can be checked and validated during the payment transaction to guard against fraudulent use.
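The two points above, as an added sketch that is not Carta's or EMVCo's code: a hypothetical in-memory `TokenVault` maps several token PANs to one card PAN and checks each token's device, channel, merchant and spend constraints before resolving it. All class names, field names, reason strings and PAN values are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Token:
    card_pan: str                   # plastic card PAN, held only in the vault
    device_id: str                  # the single enrolled device for this token
    channels: frozenset             # permitted payment channels, e.g. {"NFC"}
    merchants: Optional[frozenset]  # permitted merchant IDs; None means any
    spend_limit: int                # per-transaction ceiling, in minor units
    active: bool = True

class TokenVault:
    """Hypothetical vault: token PAN -> card PAN, with usage constraints."""

    def __init__(self):
        self._tokens = {}

    def provision(self, token_pan, token):
        self._tokens[token_pan] = token

    def deactivate(self, token_pan):
        # Switches off one device's token; the card and sibling tokens stay live.
        self._tokens[token_pan].active = False

    def authorize(self, token_pan, device_id, channel, merchant, amount):
        """Return (approved, card_pan_or_None, reason)."""
        t = self._tokens.get(token_pan)
        if t is None:
            return False, None, "unknown token"
        if not t.active:
            return False, None, "token deactivated"
        if device_id != t.device_id:
            return False, None, "wrong device"
        if channel not in t.channels:
            return False, None, "channel not permitted"
        if t.merchants is not None and merchant not in t.merchants:
            return False, None, "merchant not permitted"
        if amount > t.spend_limit:
            return False, None, "over spend threshold"
        return True, t.card_pan, "ok"  # resolve to the card PAN only after all checks

# Constructed sample data: one card PAN on two devices, each with its own token PAN.
CARD = "4000000000000002"
vault = TokenVault()
vault.provision("4999990000000011",
                Token(CARD, "phone-A", frozenset({"NFC"}), None, 5000))
vault.provision("4999990000000029",
                Token(CARD, "watch-B", frozenset({"NFC", "ECOM"}),
                      frozenset({"M123"}), 2000))
```

Calling `vault.deactivate("4999990000000011")` blocks the phone's token while the watch's token keeps resolving to the same card PAN.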
Carta offers Issuers a managed tokenization service that follows the models described in the EMVCo Tokenization framework and implements payment-scheme-specific specifications and rules. The service is agnostic to the deployment model: it supports cloud-based payment models (like MCBP, VCBP) using HCE, as well as hardware Secure Element-based deployment models (using SIM-based and embedded Secure Elements).