Talk by our expert Kurt Schmid about merchant tokenization and EMV® Secure Remote Commerce, held at MPE on 19 February 2019. Merchant Payments Ecosystems is a leading payment conference for merchants and PSPs.
Merchant tokenization and EMV® Secure Remote Commerce
1. MPE 2019 @ Berlin
Kurt Schmid, Managing Director Digital Payments
Addressing Issues in E-Commerce Checkouts
Merchant Tokenization & EMV® Secure Remote Commerce
2. Questions to you, the Audience
Who has experienced fraud on his/her card(s)?
Who likes to enter PANs again and again for every new merchant?
Who knows all the places where his/her card data is stored?
3. E-Commerce Checkouts
Majority (61%) is Card based, thereof:
29% is Cards-on-File (CoF)
19% Guest Checkout
13% Digital Wallets
“Global e-commerce payment market is expected to grow from US$ 24.26 Bn in 2017 to US$ 64.69 Bn by 2025 at a CAGR of 13.1% between 2018 and 2025.”
Even stronger growth for m-commerce and in-app payments
Source: Mastercard, Worldpay, BCG
4. Concerns and Challenges in E-Commerce Payments
Merchant concerns:
Lost revenues through abandonments and declines
Low conversion rates especially on mobile channels
Risk/fraud through different attacks
Higher transactional costs for CNP versus CP
Issuer concerns:
Lost transactional revenues through abandonments and declines
Risk/fraud through different attacks
Cost of customer care
24% Abandonment & Decline rate when 3DS (1.0) is used
17% Decline rate when 3DS is not used
4-10x Higher fraud rate of CNP compared to CP
Source of figures: Mastercard, Worldpay, BCG
5. How to Solve This
Cards-on-file:
Replace PAN by token to reduce risk
Improve security to CP level (where a cryptogram is used)
Cards in Guest Checkout:
Same as above plus
Improve usability for consumer
6. Let us Focus on These Points First
Cards-on-file:
Replace PAN by token to reduce risk
Improve security to CP level (where a cryptogram is used)
Cards in Guest Checkout:
Same as above plus
Improve usability for consumer
7. Tokenization Will Improve Security and Usability
Securing the card number (PAN)
When PAN and other card data is known, fraud can be committed with little effort
That’s why PAN and other card data is in scope for PCI DSS
Replacing the PAN (Funding PAN) by a PAN only used on a device (DPAN) or only with one defined merchant (MPAN)
[Diagram: Token Requestor, Token Service Provider (MDES, VTS, AETS), Card Issuer]
8. … Already Demonstrated by Many Token Requestors
[Diagram: Token Requestors (like X Pays, Smart Devices, IoT, …; Issuer Pay; Merchant App), Token Service Provider, Card Issuer]
9. Already Used for Cloud-Based Payments
[Diagram: MyBankApp with ToPay SDK; Token Requestor (CMS-D, MAP); ToPay Server; Scheme Token Service (MDES, VTS, AETS); Card Issuer; PSP, Acquirer; Network. Labels: Authenticates, Encrypted PAN, AuthDeTok.]
10. So let us Apply This for E-Commerce?
VISA uses VTS for tokenization in E-Commerce and Card on File (CoF)
Mastercard started M4M (MDES for Merchants)
The basic ideas:
A merchant does not store the PAN but a token
By using a cryptogram, security will be like Card Present
11. Tokenization in E-Commerce Uses the Same Principles as MCP
[Diagram: CoF / PAN Entry; Token Requestor (CMS-D, MAP); Scheme Token Service (MDES, VTS, AETS); Card Issuer; PSP, Acquirer; Network. Label: AuthDeTok.]
12. Here are the Four Main Use-Cases of Merchant Tokenization
Enroll:
Add card manually or tokenize from Card-on-file
Display cards:
Card art coming from token service (user sees his real card image)
Transact:
Generate EMV cryptogram (can be used for one or more transactions)
Lifecycle:
Issuer account update
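The enroll and transact use cases, together with the two basic ideas from slide 10 (the merchant stores a token instead of the PAN, and a cryptogram accompanies the payment), sketched as an added example that is not part of the original talk. ToyTokenService and its methods are hypothetical names, and HMAC-SHA256 stands in for the EMV cryptogram, whose real computation the slides do not describe.

```python
import hashlib, hmac, secrets

class ToyTokenService:
    """Hypothetical, simplified token service; not the MDES/VTS/AETS API."""
    def __init__(self):
        self._vault = {}  # token -> funding PAN, bound merchant, key, open cryptograms

    def enroll(self, pan, merchant_id):
        # Merchant-bound token (MPAN): same length as the PAN, random digits.
        token = "9" + "".join(secrets.choice("0123456789") for _ in pan[1:])
        self._vault[token] = {"pan": pan, "merchant": merchant_id,
                              "key": secrets.token_bytes(32), "uses": {}}
        return token

    def _mac(self, rec, token, amount_minor, nonce):
        msg = f"{token}|{rec['merchant']}|{amount_minor}|{nonce}".encode()
        return hmac.new(rec["key"], msg, hashlib.sha256).hexdigest()

    def transact(self, token, merchant_id, amount_minor, max_uses=1):
        # Only the merchant the token was issued to may obtain a cryptogram.
        rec = self._vault[token]
        if merchant_id != rec["merchant"]:
            raise PermissionError("token is bound to another merchant")
        nonce = secrets.token_hex(8)
        rec["uses"][nonce] = max_uses  # assumption: use limit set per cryptogram
        return nonce, self._mac(rec, token, amount_minor, nonce)

    def detokenize(self, token, merchant_id, amount_minor, nonce, cryptogram):
        # Authorization path: returns the funding PAN, or None on any mismatch.
        rec = self._vault.get(token)
        if (rec is None or merchant_id != rec["merchant"]
                or rec["uses"].get(nonce, 0) < 1):
            return None  # unknown token, wrong merchant, or exhausted cryptogram
        expected = self._mac(rec, token, amount_minor, nonce)
        if not hmac.compare_digest(expected, cryptogram):
            return None
        rec["uses"][nonce] -= 1
        return rec["pan"]

def demo():
    tsp = ToyTokenService()
    pan = "5555555555554444"  # constructed test PAN, not a real card
    token = tsp.enroll(pan, "shop-a")  # the token is all the merchant stores
    nonce, crypto = tsp.transact(token, "shop-a", 1999)
    return {
        "other_merchant": tsp.detokenize(token, "shop-b", 1999, nonce, crypto),
        "changed_amount": tsp.detokenize(token, "shop-a", 9999, nonce, crypto),
        "genuine": tsp.detokenize(token, "shop-a", 1999, nonce, crypto),
        "replay": tsp.detokenize(token, "shop-a", 1999, nonce, crypto),
    }
```

A token copied from the merchant's database is rejected at another merchant, with a changed amount, or once the cryptogram's use limit is reached; only the genuine request resolves to the funding PAN.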
13. Now to Solve This Challenge
Cards-on-file:
Replace PAN by token to reduce risk
Improve security to CP level (where a cryptogram is used)
Cards in Guest Checkout:
Same as above plus
Improve usability for consumer
14. What is The Problem in Usability for the Consumer?
Confusing number of checkout options
Inconsistent checkout processes across the various payment options
Entry of card details / addresses cumbersome (in particular on mobile device)
Some checkout options start with onboarding flow (“grrr – I want to pay now”)
OTP sent via SMS to copy from messaging app to shopping app
16. EMV® Secure Remote Commerce Framework (“SRC”)
Defined by EMVCo (https://www.emvco.com/emv-technologies/src/)
Scheme agnostic to help interoperability
Pay securely via single SRC checkout button
Will be scheme-neutral successor of MasterPass & Visa Checkout starting 2019 / 2020
17. SRC has Some Promising Benefits to Show
Seamless experience – cards are magically found by recognizing consumer and device
Onboarding can be made easy by pairing consumer and device from within issuer app
SRC works the same for all schemes
Tokenization and EMV-like security will prevent fraud, lower the costs, and increase approval rates
EMV 3-D Secure, outside the scope of SRC, will provide the familiar authentication
18. SRC Flow if Device is Registered / Returned User
20. SRC Defines Some new Roles in the Checkout Flow
[Diagram: Token Requestor; Token Service Provider (Scheme); Participating Card Issuer supporting SRC (“SRC PI”); SRC System; Digital Card Facilitator (“DCF”); Digital Shopping Application (aka Merchant) (“DSA”); PSP; SRC Initiator (“SRCI”)]
21. As Merchant / PSP: What to do Next?
Netcetera offers insights and technologies to approach this new e-Commerce payment area.
Our experience is based on:
A market leader position in 3DS and Digital Payments
Being involved in the development of the standards as an EMVCo Technical Associate
Being connected with all key market players like issuers, merchants, PSP and schemes