October 2, 2014
There is a fair amount of debate and confusion around tokenization standards such as EMVCo, TCH and others.
Even EMVCo can't be described accurately by the large PDF file that the body has published. Having said that, Apple worked closely with the EMVCo group (the payment networks), and its implementation is very close to the EMVCo specs in terms of static, time-based tokens, token formatting, lifecycle management, PAN ownership, etc. According to an infographic by Doug Yeager (Co-Founder, SimplyTapp), this is how Apple Pay tokenization works:
EMVCo is the body behind the set of standards that tries to facilitate worldwide interoperability and acceptance of secure payment transactions. It has tried to accomplish this by managing and evolving the EMV Specifications and their related testing processes. This includes, but is not limited to, card and terminal evaluation, security evaluation, and management of interoperability issues. It has produced EMV Specifications covering contact chip, contactless chip, the common payment application (CPA), card personalization, and tokenization.
The entire show is managed under the supervision of EMVCo’s six member organizations, including American Express.
The tokenization specification from EMVCo outlines the minimum requirements for the creation and use of Payment Tokens. While the specification does not address non-Payment Tokens, it does not preclude their use either. Apple Pay seems to have built on that.
According to the definitions, *Payment Tokens may be used with all Cardholder Verification Methods (CVMs), including signature, online and offline PIN, and no CVM. If an online PIN is used with a Payment Token, in accordance with ISO 9564-1 PIN Block Format 0 or Format 3, the PIN Block would include the Payment Token in lieu of the PAN. The Token Service Provider is responsible for ensuring that the Card Issuer receives the PIN Block with the PAN or Payment Token, as appropriate, for validation.
*Source: EMVCo website.
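To make the "token in lieu of the PAN" point concrete, here is an added example (not from the EMVCo document or any vendor's code) that builds and validates ISO 9564-1 Format 0 and Format 3 PIN blocks, with the account field derived from whichever number the terminal used. The card and token numbers are constructed test values; the example shows that a block formed with the token cannot be validated against the underlying PAN, which is exactly why the Token Service Provider has to tell the issuer which one to use.

```python
import secrets

def account_field(account_number: str) -> str:
    """ISO 9564-1 account field: 0000 + rightmost 12 digits excluding the check digit.
    account_number may be the real PAN or the Payment Token, whichever the terminal used."""
    digits = account_number.replace(" ", "")
    if not digits.isdigit() or len(digits) < 13:
        raise ValueError("PAN/token must be at least 13 decimal digits")
    return "0000" + digits[:-1][-12:].rjust(12, "0")

def pin_field(pin: str, fmt: int) -> str:
    """Control nibble (0 or 3), PIN length, PIN digits, then padding to 16 nibbles."""
    if not pin.isdigit() or not 4 <= len(pin) <= 12:
        raise ValueError("PIN must be 4-12 decimal digits")
    pad_len = 14 - len(pin)
    if fmt == 0:
        pad = "F" * pad_len                     # Format 0: fixed F padding
    elif fmt == 3:                              # Format 3: random nibbles A-F
        pad = "".join("%X" % (10 + secrets.randbelow(6)) for _ in range(pad_len))
    else:
        raise ValueError("only Format 0 and Format 3 are implemented here")
    return "%d%X%s%s" % (fmt, len(pin), pin, pad)

def xor_hex(a: str, b: str) -> str:
    return "%016X" % (int(a, 16) ^ int(b, 16))

def encode_pin_block(pin: str, account_number: str, fmt: int = 0) -> str:
    """Clear PIN block = PIN field XOR account field (encryption under the PEK is out of scope)."""
    return xor_hex(pin_field(pin, fmt), account_field(account_number))

def decode_pin_block(block: str, account_number: str) -> str:
    """Recover the PIN; raises ValueError when the account number does not match the block."""
    clear = xor_hex(block, account_field(account_number))
    fmt, n = int(clear[0], 16), int(clear[1], 16)
    if fmt not in (0, 3) or not 4 <= n <= 12:
        raise ValueError("bad control nibble or PIN length")
    pin, pad = clear[2:2 + n], clear[2 + n:]
    ok_pad = pad == "F" * len(pad) if fmt == 0 else all(c in "ABCDEF" for c in pad)
    if not pin.isdigit() or not ok_pad:
        raise ValueError("PIN block does not decode under this PAN/token")
    return pin

def verify_pin(block: str, account_number: str, expected_pin: str) -> bool:
    """Issuer-side check: True only if the block decodes under this number to the expected PIN."""
    try:
        return decode_pin_block(block, account_number) == expected_pin
    except ValueError:
        return False

if __name__ == "__main__":
    TOKEN, PAN, PIN = "4111111111111111", "5105105105105100", "1234"  # constructed values
    block = encode_pin_block(PIN, TOKEN)            # terminal used the Payment Token
    print(block, verify_pin(block, TOKEN, PIN), verify_pin(block, PAN, PIN))  # ... True False
```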
The Clearing House (TCH) developed the Secure Token Exchange (STE) tokenization specification in 2012, when it was called Secure Cloud. TCH is said to have put a lot of effort into this standard: it evaluated the differences between the STE and EMVCo specs and identified key disparities in token formatting, lifecycle management, PAN ownership and the use of static versus dynamic tokens. TCH defined and developed a set of messages to support token formatting, which EMVCo does not include. TCH also has a lifecycle management process to handle a stolen payment card or mobile phone, including identification of the messages that need to be exchanged to cancel the tokens and ensure the customer experience is not negatively impacted.
Both EMVCo and TCH are working on changes toward overall standardization in the industry. That initiative is still a work in progress as of now, but Apple Pay can be loosely called EMVCo compliant.
Another important group trying to bring clarity to tokenization is the Mobile Payments Industry Workgroup (MPIW), convened by the Federal Reserve Banks of Boston and Atlanta, which said: "With the recent introductions of new platforms that use tokenization technologies including ApplePay, we are even more convinced of the need to evaluate the optimal approach to tokenization and determine how the payments industry can better coordinate efforts to protect consumers and businesses alike." We wrote about it on Sep 24: "Mobile Payments Industry Workgroup seeks Opportunities & Challenges in Tokenization Landscape in the U.S."
We wrote a lot about tokenization in 2013, highlighting its importance.