The way that card payments work has evolved several times since the first credit cards arrived in the 1950s. Manual checks carried out by bank tellers were initially the norm, with merchants using credit card imprinters to capture card data. Electronic payment terminals first appeared in the late 1970s, gradually becoming more pervasive towards the end of the 20th Century, with magnetic stripes being added to cards.
As we moved into the 2000s, Chip-and-PIN cards based around the EMV standard – with EMV representing Europay, Mastercard and Visa, the institutions that created this standard – were introduced, before contactless payment cards that utilised NFC (Near Field Communications) technology took over.
The age of the token
But we’ve fast moved on into the era of tokenization, which is a system designed to improve payment security and streamline payment experiences that emerged in 2013. In simple terms, this is a process that involves substituting the sensitive cardholder data that a credit or debit card contains with a digital token that has no intrinsic value. The token is the reference used within the tokenized system to map back to the sensitive data – the card information. When consumers make a tokenized transaction, their card data is safe as it is never transmitted and even if the system was hacked and token details accessed, the hackers wouldn’t be able to reverse-engineer their way to the card details.
While physical purchases made through digital wallets such as Apple Pay and Google Pay have been using tokenization for some time, there are some areas where tokenization is only just beginning to make an impact. Making online payments can still be quite a clunky affair, with cardholders required to enter their card details manually each time they make a purchase, or choose to store their card details with a merchant in order to speed up the process – though with few cast iron guarantees that the details are completely secure.
And as well as the question marks over security, the friction involved in the online payment process can often lead to cart abandonment, with sales opportunities slipping through merchants’ fingers. So making ecommerce more secure and convenient has been a priority for payment schemes, banks, fintechs, merchants and other stakeholders for some time, and we’re now seeing some real progress in this area.
Mastercard mandates
Mastercard has stated its intention to phase out manual card and password entry in ecommerce by 2030, with no need for physical card details or one-time passcodes. Instead, it is mandating tokenized, one-click payments across its network through its Click to Pay functionality and payment passkeys for online transactions, using biometric authentication methods used in most smartphones.
Mastercard says that 30% of transactions on its network are already tokenized, and these new ecommerce initiatives will see this rate rise steeply. Meanwhile, Visa has issued its 10 billionth token, and boasts a similar proportion of tokenized transactions to Mastercard.
With Mastercard and Visa making tokenization such a central part of their present and future vision for payments, it’s entirely likely that regulators are likely to follow their lead and make tokenization a legal requirement for all card payments at some stage.
The upshot of all this is that it is now imperative for issuing banks to ensure that their own tokenization strategies are in place. As this diagram shows, there are a number of entities involved in the tokenization value chain. The cardholder is a customer of the issuing bank, who can work with issuer processors such as Paymentology to get their cards tokenized ready for use in digital wallets. The issuer processor must authorise every request to provision tokens for the payment cards.
The Token Service Provider is responsible for issuing, managing and storing tokens, and is usually an entity related to the relevant payment scheme. For example, in the case of Mastercard, Mastercard Digital Enablement Service or MDES acts as the Token Service Provider, while Visa has the Visa Token Service (VTS). The token requester is a payment service provider such as an online retailer or a digital wallet, which requests and stores tokens for the payment cards. The token user is the merchant that is receiving the transaction.
It’s a complex picture but for financial institutions that want to future-proof their offering, it’s essential to get to grips with tokenization sooner rather than later. For issuing banks that want to approach tokenization in a flexible, scalable and cost-effective way, it’s essential to partner with an issuer processor that already has the technology, network and expertise in place.
How Paymentology can help
Paymentology can help your institution to issue tokenized cards quickly and build your own digital wallets easily with turnkey APIs that require no tokenization knowledge. Paymentology's solution is platform agnostic, supporting transactions for all major wallets and payment networks. You won't have to worry about security updates and system maintenance – Paymentology takes care of all of that – but can instead sit back and give your customers access to streamlined, secure payments for physical and online purchases with no hassle at all.
If you’d like to find out more about Paymentology’s pedigree in tokenization solutions and how we can help your institution prepare for the future of payments, get in touch today.
