It's no coincidence that Visa Inc. launched its new Visa Token Services the same day Apple unveiled its mobile wallet.
"We viewed the Apple announcement as a coming out party for tokenization," said Matthew Dill, Visa's senior vice president and head of innovation and strategic partnerships. "Apple has a sophisticated clientele that does a lot of commerce off Apple devices, so they represent a great lighthouse for this new service."
In the tokenization process, a series of characters replaces the cardholder's primary account number, meaning the actual cardholder number is never exposed to a merchant's network. This makes data breaches less damaging, since tokens can't be used to create counterfeit cards.
The card brands provide the tokenization services and pass the issued tokens along to processors, like First Data, that provide payments services on behalf of the issuers.
In an interview with PaymentsSource, Dill provided insight and details into how tokenization will work with ApplePay, and Visa's role in developing the mobile payment security standard. This interview has been edited for length and clarity.
PaymentsSource: The Apple Pay announcement set off a flurry of news about various aspects of the system and the roles that card brands would play. Tokenization is one of those key services. Is there anything that has been somewhat lost in the rhetoric?
Dill: It's important to note that when Visa Token Services and the network are provisioning tokens, we actually are creating an EMV cryptogram for an EMV-capable transaction that we can process. Even if the consumer has a mag-stripe card in his pocket, he can still initiate an EMV transaction through the phone. That's a big enabler that assures one side of the equation is activated broadly. It's EMV secure transactions without the issuer having to deploy EMV cards in the market for those accounts.
PaymentsSource: All the more reason for a merchant to get a Near Field Communication reader, it appears.
Dill: If they are making an investment in EMV in anticipation of the October 2015 liability shift, and given the move in the market with Apple, it is smart to get an NFC reader. We are really comfortable in our ability to scale payments globally, but it is great to have a company like Apple really working on the consumer experience side.
PaymentsSource: Tokenization renders stolen data useless, but what if someone steals a card and tries to quickly put it on their iPhone for an Apple Pay token?
Dill: The first thing that is most important before you even push a token out for a payment is you have to trust that card is valid and goes with that person using the phone. When the image of the card is submitted, there is a standard request with data elements submitted to Visa. We create a score and involve issuers in the decision as to whether that card will be provisioned directly to the phone or if other steps are needed to validate that the consumer is who they say they are and the card is in the possession of that consumer.
PaymentsSource: Apple made it sound pretty easy, that you just take a picture of your card and place the image in your phone, and then they verify.
Dill: Apple doesn't need to talk about the verification. They can just say the picture of the card will be on the screen. What is actually happening is that the message comes to Visa and we allow 9,000 financial institutions in the U.S. to be part of the decision on whether to generate a token at that time, or if more verification is needed before we allow payments to move into a digital domain.
PaymentsSource: And after Apple is informed the card is legit, what happens?
Dill: When the token goes through, the card art and other information we have gathered from all of our members is reflected on that screen art. The token goes into the secure element on the handset. It is a 16-digit token that looks, feels and smells like the underlying payment instrument, be it a debit or credit card, and has all of the attributes needed to be used in the existing payments network. It is transaction-ready and capable of being routed over multiple networks. That's part of the benefit of having a standard in place before this went live.
PaymentsSource: Much has taken place regarding tokenization standards in the past year. What was Visa's role in that process?
Dill: About 15 months ago, Visa was looking at what was happening in the digital domain. We noticed many players were what I would term technology companies or consumer ecosystems. Payments were critical to them, but they had no ability to work with banks or networks. In some cases, they were building merchant-of-record models, in other cases card-fronting systems or ways to put prepaid cards in front of other cards to make transactions. People were building things like QR code demonstrations, but it would degrade the transaction data and in some cases turning card-present transactions into card-not-present transactions.
PaymentsSource: So, in general, it was getting fairly confusing out there?
Dill: It was our responsibility as a network to provide the tools to the industry to enable digital payments. The best thing we could do was to define new standards for how to work in a positive and complementary way with the existing ecosystem and existing plumbing.
PaymentsSource: Was it essentially a case of going to EMVCo, the chip-card standards body, or were others involved?
Dill: We carefully reached out to MasterCard in 2013, all under anti-trust general counsel, because we are all part of the U.S. payments ecosystem, and initiated a discussion that focused on the minimum we could do to provide the maximum benefit to all players current banks and merchants, and future technology companies. That started the definition of a standards proposal for tokenization. When other card brands joined in, we took it to EMVCo. What you are seeing is a company like Apple, representing 40 percent of operating system penetration, helping introduce this for us in a way that consumers will find comfortable and easy to adopt. It's a great behind-the-scenes story in the evolution of payments.