February 22, 2015
One of the main benefits and innovations of Apple Pay is that it never reveals the real card number (Primary Account Number or PAN) to the merchant's Point Of Sale (POS) terminals. Instead, Apple Pay uses static tokens provided to Apple by the payment networks and provisioned to the target iPhone when consumers add a payment card to the Apple Pay mobile wallet. The token is a piece of data that replaces the underlying card’s PAN but which, if stolen, cannot be used to obtain the underlying card number.
The vast majority of people who still rely on normal plastic EMV chip-cards may think that they are unable to take advantage of the latest payment security benefits associated with tokenization, which is now offered by all major card brands. Unfortunately, their current EMV cards (in 2014 alone, 1.5 billion of them were shipped around the world) and all of the existing US-based magnetic stripe cards keep ‘leaking’ unprotected PAN data to merchants in every transaction, and that data may be misused online if stolen. Can card issuers and payment networks offer similar PAN protection via tokenization to plastic card users, without requiring them to switch to Apple Pay and without falling victim to merchants’ inability to protect sensitive card data (as in the case of the recent data breaches at Target, Home Depot, Neiman Marcus, etc.)?
Luckily, the payment industry can utilize the very cost-effective concept of ProxyEMVPay cards. Imagine that you can be provided with (or even purchase for no more than $5) a reusable generic EMV chip-card (offered as a MasterCard, Visa or Amex branded card). Such a ProxyEMVPay card is manufactured (issued) and provided to the user equipped with a 'generic token', which is not linked to any underlying card PAN or account. That means that when someone purchases a brand new ProxyEMVPay card, its ‘generic token’ is linked to a NULL PAN inside the payment network’s tokenization system, i.e. the card is ‘inactive’ and can’t be used for payments.
ProxyEMVPay Card Activation
Before you can use such a ProxyEMVPay card for payments, you must first 'activate' it. Activation securely links it to one of your existing real payment cards, which must be of the same brand (MasterCard, Visa or Amex) as the ProxyEMVPay card you have. For activation you use the self-serve Activation Portal. During the activation process, you provide the required info of the main payment card that you want to link to your ProxyEMVPay card (i.e. card number, expiry, CVV, etc.). Then you go through secure authentication with the main payment card issuer’s 3D Secure service (or an equivalent 2 Factor Authentication / OTP method that the issuer may prefer) to prove that you are the legitimate owner of the main payment card being linked to the ProxyEMVPay card. After this successful 3D Secure authentication step, you are prompted to define the main parameters and usage limits associated with the ProxyEMVPay card:
As the final step of the activation process, the payment network’s tokenization system securely stores, inside its secure Token Vault, the record containing the ProxyEMVPay token, PAN of the linked card, defined ProxyEMVPay usage limits and proof of successful 3D secure authentication.
ProxyEMVPay Card Usage
Once the ProxyEMVPay Card is successfully activated, it can be used as a normal EMV card, as long as all of the ProxyEMVPay parameters are within their predefined usage limits. The ProxyEMVPay Card never reveals the underlying payment card PAN to merchants, since it uses the ProxyEMVPay token instead (as Apple Pay does). All payments made with the ProxyEMVPay card are authorized against the account behind the linked / underlying card PAN and will be shown on the statement of the underlying payment card. What makes this possible is the magic of tokenization, which is provided by the payment network behind the ProxyEMVPay card and the underlying linked card.
As part of the payment authorization processing with the ProxyEMVPay card, the payment network tokenization system verifies that all of the currently defined ProxyEMVPay usage limits are in their allowed ranges and then de-tokenizes the ProxyEMVPay token back to the linked / underlying card PAN, before forwarding the final authorization request to the issuer of the linked main payment card. Exactly the same sequence happens when paying using an Apple Pay enabled iPhone6/6+. However, in the case of ProxyEMVPay, as soon as any of the predefined parameters exceeds its usage limit, the payment network tokenization system cancels the linkage and automatically links the ProxyEMVPay token back to the NULL PAN, making it effectively ‘inactive’ again. The ProxyEMVPay token can also be re-linked and switched to a different payment card of the same brand at any time (using the described Activation Portal steps and going through another 3D Secure authentication), making it a very flexible payment device.
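The token lifecycle described above (NULL PAN at issuance, activation, limit check, de-tokenization, automatic unlinking) can be modelled in a few lines. This is an added example, not code from the original post or from any payment network; the class names, the two limits (cumulative spend and payment count) and the choice to decline the payment that would exceed a limit are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

NULL_PAN = None  # a token linked to the NULL PAN is inactive

@dataclass
class VaultRecord:
    brand: str
    pan: Optional[str] = NULL_PAN     # PAN of the linked card
    auth_proof: Optional[str] = None  # reference to the 3D Secure result
    max_total_cents: int = 0          # hypothetical limit: cumulative spend
    max_tx_count: int = 0             # hypothetical limit: number of payments
    spent_cents: int = 0
    tx_count: int = 0

class TokenVault:
    def __init__(self):
        self._records = {}            # token -> VaultRecord

    def issue(self, token, brand):
        """A newly manufactured card: its token is linked to the NULL PAN."""
        self._records[token] = VaultRecord(brand=brand)

    def activate(self, token, pan, brand, auth_proof, max_total_cents, max_tx_count):
        """Link (or re-link) the token after cardholder authentication."""
        rec = self._records[token]
        if not auth_proof:
            raise PermissionError("cardholder authentication required")
        if brand != rec.brand:
            raise ValueError("linked card must be of the same brand as the token")
        self._records[token] = VaultRecord(brand, pan, auth_proof,
                                           max_total_cents, max_tx_count)

    def authorize(self, token, amount_cents):
        """Return the PAN to forward to the issuer, or None to decline."""
        rec = self._records.get(token)
        if rec is None or rec.pan is NULL_PAN or amount_cents <= 0:
            return None
        over = (rec.tx_count + 1 > rec.max_tx_count
                or rec.spent_cents + amount_cents > rec.max_total_cents)
        if over:
            # Limit exceeded: cancel the linkage, token goes back to NULL PAN.
            self._records[token] = VaultRecord(brand=rec.brand)
            return None
        rec.tx_count += 1
        rec.spent_cents += amount_cents
        return rec.pan                # de-tokenized; the merchant never sees it
```

Because the limit check and the unlinking happen inside the vault, a stolen token is bounded by whatever limits the cardholder set at activation, and it stays inactive until someone passes authentication again.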
Potential For Additional Use Cases
Above, we described how a consumer may use the ProxyEMVPay Card and link it to his main payment card in order to enjoy a level of protection similar to that offered by Apple Pay, without the need to switch to mobile payments.
There are, however, other potentially very interesting use cases for ProxyEMVPay cards: