Authentication & Security

Tokenization Service Provider as Natural Plug-In Point for Value Added Services?

TD Bank

The EMVCo Tokenization specification captures the basic services, envisioned by the payment industry, to support the payment authorization processing during the card not present (CNP) e-commerce and card present (CP) mobile payment use cases. On the other hand, the ProxyEMVPay Card concept elaborated on how the basic Tokenization Service Provider (TSP) functionality can be extended cheaply and elegantly, to enable usage of tokenization with plastic EMV chip-cards as well - for card present and for card not present payments.

Tokenization is a potent, yet relatively straightforward concept. It can be used irrespective of the channel or use case. Its main purpose is to protect the sensitive card data (Primary Account Number or PAN) by replacing it with the irreversible equivalent (token), which if stolen can't be misused. But should we stop at that and be satisfied only with cost effectively achieving the standardized sensitive card data protection?

In my view however, the tokenization service providers could and should play a much bigger role. Since they already play the friendly 'man in the middle' role, by intercepting all tokenized payment authorization requests and responses, they can also serve as perfect 'API plug-in' points for all kinds of 3rd party Value Added Services, such as: loyalty, stored value, authentication, social networking, etc. The payment industry (i.e. mainly EMVCo) should therefore consider moving beyond pure tokenization and toward standardized APIs for these value added services, in order to make them easily pluggable into the compliant TSPs -- all in a standard and controlled way.

With such a extensible and flexible architecture, the payment processing can be extended for the use cases, which aren't a natural fit for the traditional payment rails, still under full control by the established industry players.

For example, the loyalty collection could potentially be achieved transparently to the user (as part of the payment processing), by using the same card / device, and regardless of the payment channel -- once the payment authorization response is intercepted by the TSP, the appropriate loyalty collection standard API plug-in can be invoked, just before the final response is sent to POS or the online merchant server.

Along the same lines, the processing of low value payment authorization requests (LVP) can be intercepted by TSP and redirected to the specialized LVP service provider, implementing and offering an optimized / cost efficient stored value solution - outside of the existing processing network and standard issuer host, which are cost inefficient for processing of small payments.

This architectural transformation and extension is not going to happen overnight though, but the tokenization service providers certainly have the opportunity to make it possible. In other words - those who can intercept the payment authorization requests and responses can add value. The payment industry has a big and obvious opportunity to move beyond pure tokenization toward an even brighter future. Let’s hope it happens!

Milos Dunjic

TD Bank

Milos Dunjic is a technology executive fascinated with and focused on payments innovation. He currently leads and is responsible for TD Bank’s Payments Innovation practice. All opinions are purely his own and not of his past and current employers.

Apply to Become a Contributor