One of the main benefits and innovations of Apple Pay is that it never reveals the real card number (Primary Account Number or PAN) to the merchant's Point Of Sale (POS) terminals. Instead, Apple Pay uses static tokens provided to Apple by the payment networks and provisioned to the target iPhone when consumers add a payment card into the Apple Pay mobile wallet. The token is a piece of data that replaces the underlying card’s PAN but, if stolen, cannot be used to obtain the underlying card number.
The vast majority of people who still rely on normal plastic EMV chip-cards may think that they are unable to take advantage of the latest payment security benefits associated with tokenization, which is now offered by all major card brands. Unfortunately, their current EMV cards (just in 2014, 1.5 billion of them were shipped around the world) and all of the existing US based magnetic stripe cards keep ‘leaking’ unprotected PAN data to merchants in every transaction, which may be misused online if stolen. Can card issuers and payment networks offer similar PAN protection via tokenization to the plastic card users, without requiring them to switch to Apple Pay and without falling victim to merchants’ inability to protect sensitive card data (as in the case of recent data breaches at Target, Home Depot, Neiman Marcus, etc.)?
Luckily, the payment industry can utilize the very cost effective concept of ProxyEMVPay cards. Imagine that you can be provided with (or even purchase for no more than $5) a reusable generic EMV chip-card (offered as a MasterCard, Visa or Amex branded card). Such a ProxyEMVPay card is manufactured (issued) and provided to the user equipped with a 'generic token', which is not linked to any underlying card PAN and account. That means that when someone purchases a brand new ProxyEMVPay card, its ‘generic token’ is linked to a NULL PAN inside the payment network’s tokenization system, i.e. the card is ‘inactive’ and can’t be used for payments.
ProxyEMVPay Card Activation
Before you can use such a ProxyEMVPay card for payments, you must first 'activate' it. Activation securely links it to one of your existing real payment cards, which must be of the same brand (MasterCard, Visa or Amex) as the ProxyEMVPay card you have. For activation you use the self-serve Activation Portal. During the activation process, you provide the required info of the main payment card that you want to link to your ProxyEMVPay card (i.e. card number, expiry, CVV, etc). Then you go through secure authentication with the main payment card issuer’s 3D secure service (or equivalent 2 Factor Authentication / OTP method that the issuer may prefer), to prove that you are the legitimate owner of the main payment card being linked to the ProxyEMVPay card. After this successful 3D secure authentication step, you are prompted to define the main parameters and usage limits, associated with the ProxyEMVPay card:
- Allocate ProxyEMVPay card’s ‘Spending Allowance’, as a slice of the credit limit of the main underlying payment card
- Define Maximum Number Of Transactions allowed with ProxyEMVPay card
- Define Maximum Activity Period allowed with ProxyEMVPay card (i.e. limit in time, can be hours / days, etc.)
- Define (Optional) ProxyEMVPay Card assigned PIN Code while it is active. However, if the ProxyEMVPay card is issued as a biometric capable chip-card (i.e. something like the Zwipe card), the PIN as a parameter becomes deprecated or obsolete
As the final step of the activation process, the payment network’s tokenization system securely stores, inside its secure Token Vault, the record containing the ProxyEMVPay token, PAN of the linked card, defined ProxyEMVPay usage limits and proof of successful 3D secure authentication.
ProxyEMVPay Card Usage
Once the ProxyEMVPay Card is successfully activated, it can be used as a normal EMV card, as long as all of the ProxyEMVPay parameters are within their predefined usage limits. The ProxyEMVPay Card never reveals the underlying payment card PAN to merchants, since it uses the ProxyEMVPay token instead (same as Apple Pay does). All payments made with the ProxyEMVPay card are authorized against the account behind the linked / underlying card PAN and will be shown on the statement of the underlying payment card. What makes this possible is the magic of tokenization, which is provided by the payment network behind the ProxyEMVPay card and underlying linked card.
As part of the payment authorization processing with the ProxyEMVPay card, the payment network tokenization system verifies that all of the currently defined ProxyEMVPay usage limits are in their allowed ranges and then de-tokenizes the ProxyEMVPay token back to the linked / underlying card PAN, before forwarding the final authorization request to the issuer of the linked main payment card. Exactly the same sequence happens when paying using an Apple Pay enabled iPhone6/6+. However, in the case of ProxyEMVPay, as soon as any of the predefined parameters exceeds its usage limit, the payment network tokenization system cancels the linkage and automatically links the ProxyEMVPay token back to the NULL PAN, making it effectively ‘inactive’ again. The ProxyEMVPay token can also be re-linked and switched to a different payment card of the same brand at any time (using the described Activation Portal steps and going through another 3D secure authentication), making it a very flexible payment device.
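The activation record and the authorization-time limit check described above, modelled as an added example (not code from any payment network). The class names, the in-memory store, the boolean standing in for the 3D secure result, and the choice to decline and unlink on the first request that would breach a limit are assumptions; the token and PAN are constructed test values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class TokenRecord:
    pan: Optional[str] = None              # None models the NULL PAN (inactive)
    allowance_cents: int = 0               # Spending Allowance
    max_transactions: int = 0              # Maximum Number Of Transactions
    expires_at: Optional[datetime] = None  # end of Maximum Activity Period
    spent_cents: int = 0
    tx_count: int = 0

class TokenVault:                          # hypothetical stand-in for the Token Vault
    def __init__(self):
        self._records = {}

    def issue(self, token):
        self._records[token] = TokenRecord()   # new card: linked to NULL PAN

    def activate(self, token, pan, three_ds_ok, allowance_cents,
                 max_transactions, period, now):
        if token not in self._records:
            raise KeyError("unknown token")
        if not three_ds_ok:                    # no proof of ownership, no link
            raise PermissionError("cardholder authentication failed")
        self._records[token] = TokenRecord(pan, allowance_cents,
                                           max_transactions, now + period)

    def authorize(self, token, amount_cents, now):
        """Return the PAN to forward to the issuer, or None to decline."""
        rec = self._records.get(token)
        if rec is None or rec.pan is None or amount_cents <= 0:
            return None
        within = (now <= rec.expires_at
                  and rec.tx_count < rec.max_transactions
                  and rec.spent_cents + amount_cents <= rec.allowance_cents)
        if not within:
            self._records[token] = TokenRecord()   # relink to NULL PAN
            return None
        rec.spent_cents += amount_cents
        rec.tx_count += 1
        return rec.pan                             # de-tokenized only past the checks

def demo():
    vault, t0 = TokenVault(), datetime(2015, 1, 1, 12, 0)
    vault.issue("TOKEN-0001")  # constructed token; the PAN below is a constructed test value
    vault.activate("TOKEN-0001", "5555555555554444", True, 2000, 3, timedelta(hours=4), t0)
    return [vault.authorize("TOKEN-0001", a, t0) for a in (1500, 600, 100)]
```

In demo(), the second request would exceed the allowance, so the token is unlinked and the third request is declined even though it would have fit within the remaining allowance.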
Potential For Additional Use Cases
Above, we described how a consumer may use the ProxyEMVPay Card and link it to their main payment card, in order to enjoy a similar level of protection as offered by Apple Pay, without the need to switch to mobile payments.
There are, however, other potentially very interesting use cases with the ProxyEMVPay cards:
- A parent can give a generic ProxyEMVPay card to their kid, and activate it on demand (from the comfort of their home or office using their mobile phone or PC web browser or dedicated mobile app) so that the kid can pay for a pizza meal with friends, snack or drink on a school lunch break, movie tickets, etc. Cash does not need to be used any more and the parent has complete insight into where the money has been spent.
- Family members can also use their own individual ProxyEMVPay cards all linked to the same underlying payment card, thus consolidating their spending on one statement and never revealing the main underlying card PAN to any merchant
- ProxyEMVPay cards, when issued as biometrics capable contactless cards, can provide ‘TouchID like’ capability, and can be used for secure, ‘card present like’ and convenient (no password required) in-app online payments, in combination with an NFC capable Android smartphone (able to function as a personal contactless card reader)