RegTech

Is Apple Pay Tokenization Really the EMVCo Standard?

MEDICI

There is a fair amount of debate and confusion around tokenization standards such as EMVCo, TCH and others.

Even EMVCo can't be described accurately by the large PDF file that the body has published (click here to download). Having said that, Apple worked closely with the EMVCo group (the payment networks) and its implementation is very close to EMVCo specs in terms of static time based tokens, token formatting, lifecycle management, PAN ownership etc. According to an infographic by Doug Yeager (Co-Founder, SimplyTapp) this is how Apple Pay tokenization works:

EMVCo

EMVCo is the set of standards that tries to facilitate worldwide interoperability and acceptance of secure payment transactions.  It has tried to accomplish this by managing and evolving the EMV1 Specifications and related testing processes.  This includes, but is not limited to, card and terminal evaluation, security evaluation, and management of interoperability issues.  They have come up with EMV Specifications based on contact chip, contactless chip, common payment application (CPA), card personalization, and tokenization.

The entire show is managed under the supervision of EMVCo’s six member organizations american express, Discover, JCB, MasterCard, UnionPay and Visa. It is also supported by good number of banks, merchants, processors, vendors and other industry stakeholders who they call EMVCo Associates. As we explained in our detailed article on Apple pay, Apple had to work with:

  • Visa, MasterCard, american express, Discover, UnionPay
  • The top Banks
  • The top processors
  • The top payment card merchant service companies
  • The top payment card terminal manufactures
  • The top retailers

The tokenization specifications in EMVco outline the minimum requirements for the creation and use of Payment Tokens. While this specification does not address non-Payment Tokens, it does not preclude their use either. Apple Pay seems to have build on that.

According to the definitions, *Payment Tokens may be used with all Cardholder Verification Methods (CVMs), including signature, online and offline PIN, and no CVM. If an online PIN is used with a Payment Token, in accordance to ISO 9564-1 PIN Block Format 0 or Format 3, the PIN Block would include the Payment Token in lieu of the PAN. The Token Service Provider is responsible for ensuring that the Card Issuer receives the PIN Block with the PAN or Payment Token, as appropriate, for validation.

*Source: EMVCo website.

TCH

The Clearing House (TCH) developed the Secure Token Exchange (STE) tokenization specification in 2012, which was called Secure Cloud at that time. TCH is said to have put a lot of effort to come up with this standard: It evaluated differences between the STE and EMVCo specs and identified key disparities in token formatting, lifecycle management, PAN ownership and the use of static versus dynamic tokens. TCH defined and developed a set of messages to support token formatting, which EMVCo does not include. TCH also has a lifecycle management process to handle a stolen payment card or mobile phone, including identification of messages that need to be exchanged to cancel the tokens and ensure the customer experience is not negatively impacted.

Both EMVCo and TCH are working on bringing changes for overall standardization in the industry. That initiative is still work in progress as of now, but Apple Pay can be loosely called EMVCo compliant.

Another important group trying to bring clarity on tokenization is the The Mobile Payments Industry Workgroup (MPIW), convened by the Federal Reserve Banks of Boston and Atlanta that said “With the recent introductions of new platforms that use tokenization technologies including ApplePay, we are even more convinced of the need to evaluate the optimal approach to tokenization and determine how the payments industry can better coordinate efforts to protect consumers and businesses alike.” We wrote about it on Sep 24 Mobile Payments Industry Workgroup seeks Opportunities & Challenges in Tokenization Landscape in the U.S

We wrote a lot about tokenization in 2013 highlighting its importance.

Please share your views about Tokenization with us. We will feature any informative material shared with us on the subject to bring clarity for our readers. You can Contact us using this form or write to us using our email id on that page.

MEDICI Team

MEDICI

MEDICI Team is a group of content writers, bloggers, journalists, researchers, and editors from the MEDICI who collaborate to create FinTech insights.

Apply to Become a Contributor