Episode 214 – We Just Can’t Stop Talking About Tokenization

Yvette Bohanan

August 2, 2023

POF Podcast

Tokenization: Unlocking the Future of Payments

Welcome to Payments On Fire, a podcast from Glenbrook Partners about the payments industry, how it works, and trends in its evolution. In this episode, we dive deep into the world of tokens. These are not the tokens you use at the arcade. These are  EMV tokens, also known as issuer or network tokens. Tokens have been a hot topic in the payments industry for years – and for good reason. They offer enhanced security, lower interchange fees, and the potential to revolutionize how we make payments. 

Listen to the full episode in the player below, or continue reading as we explore the different use cases for tokens, the evolving rules and fees associated with them, and the implications for merchants and consumers alike.

The Evolution of Tokenization

The journey of tokenization began in 2014 with the launch of Apple Pay and the introduction of EMVCo tokens. Initially, tokens were used for digital wallets and in-app purchases, providing consumers with a convenient and secure way to pay. Over time, tokenization expanded to include online merchants and billers, allowing for seamless checkout experiences and reducing the risk of data breaches. Recently, tokenization has extended to browser autofill, making it easier for consumers to complete online transactions. The proliferation of tokens has been staggering, with Visa reporting six billion tokenized credentials, up 90% year over year.

The Different Models of Token Usage

There are several models of token usage in the market today. 

  • The first use case is the provision of a digital card into a wallet on a smartphone, enabling tap-and-go payments at the point of sale. 
  • The second use case is in-app purchasing, where consumers can use biometric authentication to purchase within mobile applications. 
  • The third use case is using tokens by online merchants and billers, allowing for secure and convenient checkout experiences. 
  • The fourth use case is token-on-file, where merchants can proactively enroll cards into tokenization and replace card data with tokens. 
  • The fifth use case is browser autofill, which is still being rolled out but has the potential to further proliferate tokens in online commerce.

The Economics of Tokenization

With the rise of tokenization, there have been changes in the economics of payments. Visa, for example, offers a ten basis points discount on interchange fees for tokenized transactions, incentivizing merchants to adopt tokenization. MasterCard has implemented a secure credential CNP behavioral fee, charging merchants more for non-tokenized transactions. Additionally, there are fees associated with the provisioning and storage of tokens, as well as fees for updating tokens when underlying account information changes. The cost of tokenization programs must be weighed against the benefits, including enhanced security, lower interchange fees, and potential shifts in fraud liability.

The Challenges and Considerations

While tokenization offers many benefits, there are challenges and considerations that merchants should know. Approval rates for tokenized transactions are still debated, with some merchants reporting better acceptance while others are experiencing challenges with issuer responses. The support for network tokens by issuers and debit networks can vary, leading to inconsistencies in transaction processing. Additionally, the availability and quality of metadata associated with tokens can impact data analytics and fraud detection. Merchants must stay informed about the evolving landscape of tokenization, work closely with their payment service providers, and consider the implications for their specific use cases and markets.

The Future of Tokenization

As tokenization continues its evolution in the payments industry, the future looks promising. As more merchants and consumers adopt tokenization, the benefits of enhanced security, lower interchange fees, and improved approval rates are expected to become more apparent. However, there is still work to be done in standardizing tokenization across networks and ensuring consistent support from issuers. As regulations and market dynamics continue to evolve, merchants must stay vigilant and adapt their strategies to leverage the full potential of tokenization.

In conclusion, tokenization is unlocking the future of payments. It offers enhanced security, lower interchange fees, and improved approval rates. While there are challenges and considerations to navigate, tokenization’s benefits are driving its adoption across the payments industry. As the landscape continues to evolve, merchants must stay informed, work closely with their payment service providers, and adapt their strategies to leverage the full potential of tokenization. The journey of tokenization is far from over, and we can expect to see further advancements and innovations in the years to come.

This article is based on the transcript of the Payments On Fire podcast episode on tokenization featuring Russ Jones and Chris Uriarte from Glenbrook Partners. 

Yvette Bohanan:

Welcome to Payments On Fire, a podcast from Glenbrook Partners about the payments industry, how it works and trends in its evolution.

Hello, I’m Yvette Bohanan, a partner at Glenbrook and your host for Payments On Fire. In this episode, we’re talking about tokens, not the kind that you use at the arcade. These are EMV tokens, more commonly known as issuer tokens or network tokens. We recently pulled a conversation about tokens from our podcast vault, Payments On Fire episode 21, circa 2015, that provided some great background to the origin and purpose of EMV tokens. We could have also pulled episodes 80, 95, 175, or 178. Apparently, we just can’t stop talking about tokens, and for some very good reasons that we’re going to get to in a moment.

Joining me in this installment of our tokenization updates are Glenbrook Partners, Russ Jones and Chris Uriarte. Gentlemen, welcome to Payments On Fire.

Russ Jones:

Hey, Yvette.

Chris Uriarte:

Good to be back, Yvette.

Yvette Bohanan:

This is going to be fun. We just literally can’t stop talking about this topic.

Chris Uriarte:

No, we can’t. No.

Yvette Bohanan:

So there is something to be said about the fact that the conversation on… At least on this podcast, started in 2015, and here we are in 2023, and it’s like an evolution in progress that we’ve been observing, and the models have really been augmented over the years. Maybe we can start, what are the different models that we talk about in our workshops, Russ, on how tokens are being used these days?

Russ Jones:

Well, Yvette, the journey here starts back in 2014, the launch of Apple Pay, and it coincides in support of Apple Pay is the launch of EMVCo tokens, which had just been specified the prior year, 2013. So the initial two use cases, which most people are familiar with because they’re very in your face use cases, was provision of digital card into a wallet on a smartphone and tap it, hover it, tap it at the point of sale. So there’s a digital wallet at the point of sale use case.

Simultaneous with that was the launch of in-app purchasing. So just a simple biometric authentication and, boom, you’re buying things inside of apps. Convenience, convenience, convenience. So that was the state of the market in 2014. A couple of years later, tokenization expanded into browsers so that it could be used by online merchants and online billers. So you started to see things like pay with GPay, Apple Pay, Buy Now, stuff like that. Those required merchants to deliberately implement those interfaces to these digital wallets. But it was the third use case, and it brought all the benefits that were in the prior two use cases, it brought it into the world of online commerce.

Then maybe about three years ago, four years ago, we saw the fourth use case pop up, which is a very merchant-centric use case where the merchant, not the consumer, not the buyer, but the merchant could proactively enroll a card that previously would be stored on file, and enroll it into EMVCo tokenization and get back a token that would be held on file instead of a card. That was a very different use case because the first three use cases: the wallet at the point of sale, in-app purchasing, and using the wallet online, these were all consumer-driven use cases where the consumer is proactively involved in provisioning the card into a digital wallet. Token on file was different in that sense.

Then last year, we saw the fifth use case pop up, which is also related to online commerce, and this is where the browser can autofill tokens during checkout flows. So it’s not fully deployed in the marketplace yet. It’s pretty much there on Safari. Google’s still rolling it out on Chrome. But it’s an interesting use case because it further proliferates tokens, and it’s a use case, actually going back to the start, much like wallets at the point of sale. It’s the use case where the merchant really doesn’t have to do anything. It just happens. In the wallet at the point of sale, the merchant had to be enabled for contactless cards. But if they were, they got digital cards as well.

In the case of browser autofill, if you’re accepting cards in an online checkout flow, you’re going to find yourself, all of a sudden, unbeknownst to you the merchant, there’s going to start being these mysterious tokens mixed in with live card data. And all this is goodness. It’s all goodness.

Yvette Bohanan:

It’s all good. Trust us, it’s going to be fine.

Russ Jones:

And I’m sure Chris is going to rain on my parade here.

Yvette Bohanan:

Yeah, yeah, yeah. We’re going to get there in a moment folks. We’re going to get there because everything in life can… You can look at it as a huge opportunity or fraught with peril. And so we’re somewhere in the mix here.

Russ Jones:

Yeah. So I’m sure Chris is going to say, “Yeah, it’s good, but it could be better.”

Yvette Bohanan:

Yeah, exactly. Exactly.

Chris Uriarte:

You know me too well, Russ. You know me too well.

Yvette Bohanan:

So the other thing we often say around here is people don’t talk about numbers until the numbers start looking pretty good. That’s an axiom in payments, right?

Russ Jones:

Yeah. Yeah, looking big.

Yvette Bohanan:

The numbers… That look big, yeah. Good equals big. Big equals good.

Russ Jones:

Yeah, right.

Yvette Bohanan:

Visa’s CEO recently announced that they have six billion, with a B, tokenized credentials out, up 90% year over year. That’s a lot of devices. A lot of these are Apple Pay and Google Pay still. I mean, just the proliferation of devices. But were you surprised by that number?

Russ Jones:

No, I’m not. To put it in the context here, we have physical cards and we have digital cards. When we talk about EMVCo tokens, we’re in a real nerdy way talking about digital cards. So what Visa’s CEO is talking about is the proliferation of digital cards. As of the end of 2022, there’s 4.2 billion physical cards in the Visa system. To say that there’s twice as many digital cards in Visa’s ecosystem as there is physical cards is a testimony to how wide this shift is, relatively speaking, how successful it’s been. I mean that’s a phenomenally big number in my mind.

Yvette Bohanan:

That’s not bad. Yeah. Chris, what do you think?

Chris Uriarte:

Yeah. I mean I would agree with that, with Russ. I think it’s tremendous to see the growth here, and it certainly is a testament to the success of tokenization in the use cases that it supports thus far. But I think what’s definitely clear is that both Visa and MasterCard envision a world where everything in the future is tokenized. What you see is they’re laying the groundwork, which we’ll talk about in a lot more detail here today, from a technology and a policy perspective to incent merchants to start moving in that direction.

I think when you look at Visa’s CEO on their earnings calls tout the growth by numbers, that’s him a little bit more subtly perhaps saying that, “Look at the growth. We’re headed in this direction.” But if you look at Michael Miebach, the CEO of MasterCard, he’s not so subtle and he’s been quoted directly as saying, “In the future, everything in the payments world will be tokenized.” I’m paraphrasing essentially what he said. So there’s no subtlety about that. You certainly see both networks moving in that direction, and this is exactly why we’re seeing tremendous change really happening multiple times a year based on the different technologies and the different rule changes, policy changes that have been introduced.

Yvette Bohanan:

Yes. Well, yes, with adoption comes rules. They’ve got to make sure things work properly.

Russ Jones:

Sometimes with rules comes adoption.

Yvette Bohanan:

Yeah. Well, the carrot, the stick, to this.

Russ Jones:

It’s not always clear.

Chris Uriarte:

Sometimes.

Yvette Bohanan:

So let’s dig in here on the various rules and of course the corresponding fee changes that we see, and maybe a little bit about what’s on the horizon here.

Chris Uriarte:

Yeah. So there’s a lot of things happening, and probably a big caveat is by the time that this podcast gets released a few days from now, there might actually be rule changes between now and then as we’re seeing a lot of different announcements happen globally almost on a monthly basis around rules and fees for tokenization.

I think if we rewind the clock back to a couple of years ago, Visa made a pretty significant shift in regard to their view of tokenized transactions versus non-tokenized transactions when you look at the interchange schedule in the United States. So if you look at interchange, what is listed as the default transaction type in the card-not-present situation is actually a tokenized transaction. If you look at the non-default transaction type, that is now categorized as a non-tokenized transaction. The big difference between those two transactions is that if you’re using a tokenized payment credential, you receive a 10 basis points discount on interchange for that transaction.

So it’s a little bit of a shift of a mindset, is historically they used to say the default was a non-tokenized transaction, and by the way, if you tokenize it, we’re going to give you a discount of 10 basis points. Now they’re saying tokenization is the standard. It’s almost as if they’re saying you’re going to be penalized 10 basis points if you don’t use tokenization.

Yvette Bohanan:

Exactly, yeah. It’s strong signaling, right?

Chris Uriarte:

Yeah.

Yvette Bohanan:

The interchange table is the signal for, “This is how we’re going to do this going forward.” Yeah, absolutely.

Chris Uriarte:

Yeah. Absolutely strong signaling for sure. Then the European folks of course said, “Well, they can’t play with our interchange since we have regulated interchange over here in Europe,” and Visa and MasterCard said, “Well, not so fast.” At least MasterCard being a first mover in this space, where they’ve implemented what they refer to as a secure credential CNP behavioral fee. They love to use fancy terms like this, behavioral fees. But essentially what that is saying is that non-tokenized transactions are going to cost a little bit more, and that’s two and a half basis points what they put on the fee schedule. That’s going to be implemented starting later next year in Europe, in the EU. So you see, while they can’t play, of course, with interchange in the European Union, they certainly have some freedom to play with other scheme fees and assessments, and their eye is on tokenization as they see this behavioral shift across the merchant base for sure.

Lastly, I think what’s really interesting is one of the key benefits that we see, certainly with network tokens, is that the underlying account information can change many, many times, and the network token doesn’t have to change at all. So this certainly is a great benefit for merchants in that the merchants can keep a network token on file. They could utilize that token for many years. If there’s a lost card or if there’s an update to an expiration date associated with that account number, the merchant doesn’t have to worry about that because the merchant just needs to continue using the token.

Well, historically, merchants, of course, were using the various account updater features that were available from MasterCard and from Visa. And by using tokenization, you no longer need to use account updater. So the way that Visa’s addressed that now from a fee perspective is they’re implementing a new, what they call, digital credential update fee, and that’s going to be implemented in both the EU and the US.

What that essentially says is every time the underlying account information associated with a token changes… So let’s say a card holder loses a card and reports that and they have to issue a new account number. Or an expiration date, a card expiration date expires. Visa is actually going to charge the merchant a scheme fee of 12 cents, or the equivalent in the EU, to essentially update the underlying credential associated with the token. So you’re seeing the ecosystem change dramatically from a scheme fees perspective to reflect the use of tokenization across the board.

Russ Jones:

The other little subtlety there, Chris, is that account updater, which had been around a long time, was not evenly available around the world.

Chris Uriarte:

That’s right. Yeah.

Russ Jones:

So it worked really well in some countries and it didn’t exist in others. The shift towards digital cards and EMVCo tokens is a global phenomena that’s pretty evenly distributed. Not every issuer in the world participates, but all the major ones do in all the markets that matter.

Chris Uriarte:

For sure.

Yvette Bohanan:

Yeah. So this is now the new normal in payments, and we’re talking a lot about the rules changes here, obvious. Merchants have to figure out what to do, right?

Russ Jones:

Some merchants do.

Yvette Bohanan:

Some merchants.

Russ Jones:

The reason I say it, I’m not trying to be glib, Yvette… When I say that, your grocery store doesn’t have to figure out what to do.

Yvette Bohanan:

Yeah, that’s true.

Russ Jones:

Your grocery store just accepts –

Yvette Bohanan:

Whatever shows up with it.

Russ Jones:

Yeah. As the water rises, the use of tokens rise and the financial benefits are there. For a number of merchants, it just is all transparent. I think what you’re really trying to drill into is that for merchants who operate online and want to take advantage of this fourth use case about token-on-file versus card-on-file, there is a decision to be made there. It’s a very deliberate step. It’s a very deliberate decision.

Yvette Bohanan:

Well, and I think it gets complicated a little bit, doesn’t it? Sure, my corner grocer doesn’t care. I agree. But larger chains that now have an online and an in-store presence, a lot of the omnichannel stuff that’s going on, a lot of the new models, the BOPIS models that we hear about, even restaurants that are still post-COVID doing a lot of online business in order ahead and things like that, there’s a lot of really interesting wrinkles in what they have to do. So what are their options here? If you have a card-not-present component to this or an in-app component or a recurring component, you’re going to be a merchant who cares about this a lot more than someone who’s just a merchant, just point of sale. My dentist probably has no idea this is happening. They take cards.

Russ Jones:

You need to talk to your dentist.

Yvette Bohanan:

Yeah, really. If only I could conduct all of my dental business online and never go into a dentist’s office again.

Russ Jones:

Talk to your dentist about the 10 basis points price break.

Yvette Bohanan:

Yeah, see what my dentist wants to talk about there.

But there are different options: third-party vendors, there’s stuff going on with the PSPs. Let’s step through this a little bit. Who does the merchant turn to for help?

Russ Jones:

Typically, they’re turning to whoever their payment service provider is, and it’s probably too narrow to even say that. They’re turning to the provider who helps them accept cards as a form of payment. And most of those firms, whether they’re pure acquirers or they’re payment service providers, most of them have product offerings that help merchants manage tokens on file. In a tongue-in-cheek way, you go back to fundamentals here. If it’s payment… Payments are hard, we make it easy. Tokens are hard, we make it easy.

Yvette Bohanan:

Oh yeah, absolutely.

Russ Jones:

It’s a very natural incremental step for a payment service provider to offer tokenization support for sure.

Yvette Bohanan:

Yeah, and there are some third parties out there that some of the larger merchants or some of the payment service providers are working with. You have TokenEx, you have Spreedly, Basis Theory, Thales, Pagos, a new up-and-comer now has some token support, token help, which makes sense. Your mileage can vary, how this stuff is getting priced out to merchants varies, the coverage. It’s not like every PSP is doing this the same way.

Russ Jones:

Yeah. The thing I would say is that turning to your PSP for this sort of help is a top of the market situation. Because if you look at the mid-size, the middle of the market and the low end of the market, handling of cards and live card datas was removed a long time ago through various vaulting techniques. So when you look at a merchant or a PSP like Braintree or Stripe, they’ve resolved this issue a long time ago. You wouldn’t ask Stripe… “What can you do to help me manage tokenized card data?” Because they’re going to say, “Well, you never actually see card data.”

Yvette Bohanan:

Yeah. Exactly. Exactly.

Russ Jones:

It’s really the top of the market, the online merchants who are directly taking cards. They’re the ones that are making decisions about how they want to handle these cards and what they want to do from a tokenization perspective.

Yvette Bohanan:

Yeah, but your mileage varies. If you pick one PSP, they may have one strategy around… They’re going to try a token. If they’re having problems with that token with a particular issue where they may fall back to something else right now, because things are different issuer to issuer, country to country. Another PSP could have a different model on how they retry that. While you’re not touching the credentials anymore as the merchant, your auth rates could be impacted. Your cost to accept card payments could be impacted depending on which PSP. I guess that’s my point, is your mileage can vary, right?

Chris Uriarte:

Yeah, that’s absolutely the case, Yvette. I think there’s very much an apples to oranges comparison when we talk about tokenization services that are being offered by these PSPs out there. People often think that getting a token from a PSP is pretty straightforward. You get a token, you just use the token, and that’s it.

But as you’ve indicated is a number of PSPs have built in various strategies to help optimize the use of tokens and the ability, as you’ve pointed out, to perhaps not actually utilize the token, to fall back to PAN in the clear in certain situations. These are how PSPs are trying to differentiate themselves, trying to get out of the thinking that tokenization and the requests of tokens is a commoditized activity, commoditized business.

The other thing, as you mentioned, is you do have these third parties that are available as well that are independent, that are agnostic from the PSP. So the reason that these parties are out there in the market and why merchants might choose to use them is they might have relationships with multiple PSPs and they might not want to feel locked into a tokenization technology that is tied specifically to one PSP. Perhaps they’re using multiple globally, perhaps they’re using multiple in a specific domestic instance, or perhaps they want to build their own interesting logic around use of tokenization and retries and things along those lines.

So the utilization of these third-party vendors is sometimes attractive to certain merchants who want to step outside of the functionality that their primary PSP is providing them.

Yvette Bohanan:

Right. And that threading the needle, sort of knowing your customer, knowing the journey and then making sure you get the sale is just, it’s just a little bit more complicated here. And maybe it’s the top of market as you’re saying, Russ, but I think every merchant at some level cares right about how that’s going down.

Chris Uriarte:

Yep, for sure.

Yvette Bohanan:

Can we go back to the economics a little bit for a second? How does this work when tokens are added to the payment transaction? We often break down economics in our workshops and what interchange is applied when? You were talking about, Chris, like the new normal interchange rate and all that stuff, does it switch if you retry a transaction? What happens?

Chris Uriarte:

Yeah, so typically… This really starts to get quite complex, Yvette, from different angles.

Yvette Bohanan:

I don’t ask the easy questions, Chris. We have to go into some complex questions there.

Chris Uriarte:

And usually what winds up happening is there first has to be requests for that token as part of the token provisioning requests through, what’s often referred to as the TSP, the token service provider. And that could be your PSP or third party as we talked about earlier. And usually what happens is even after you make that first request, the first transaction processed with the token is processed at the higher interchange. It’s not actually considered to be a tokenized transaction at that point. There’s sort of a delay, if you will, in the way that the network is recognizing tokenization transactions right now. It’s usually the next transaction, the second and subsequent transactions that are treated as a tokenized transaction, and various interchanges are applied there. But I think the interchange in the scheme fees is perhaps just one component that merchants need to think about when it comes to the, what I’ll call, the total cost of ownership associated with running a tokenization program.

And a lot of this has to do with how you’ve actually decided to implement your tokenization program, little bit as we’ve talked about earlier. So for example, if you are using a third party provider of tokenization gateway, some tokenization specific platform out there, merchants are usually charged for the issuing of a token, but they’re probably also charged for keeping that token on file in that platform. And they’re probably also charged with some type of licensing fee to utilize the platform. Obviously these software vendors who are creating these platforms need to make money somehow, and this is how they’re monetizing tokenization. If you look at most PSPs today, most PSPs themselves are not charging for the provisioning of network tokens. But you will see scenarios where some major players like Stripe for example, do charge platform fees for cards that are kept on file regardless of whether they’re tokenized or not, particularly on their Stripe Connect platform.

So given that the real benefit of network tokens comes from keeping those tokens on file and then reusing them for subsequent transactions. The use of tokens may naturally make merchants more susceptible to different fee types depending on their PSP and depending on how they’re using tokens. And while a lot of PSPs really aren’t charging for tokens today, or they might not be charging for any token related services today, we expect that to be changing in the future for sure, as we see the increased use of tokenization in the use cases. So things to keep in mind also is the PSP is going to wind up seeing the fees that come from the network and the scheme fees and the assessments that we talked about earlier. And that is either going to need to be passed on to the merchant if it’s a pass through interchange plus plus pricing, or the PSP is going to have to eat those fees if it is a blended pricing that’s going back to the merchant. So PSPs are taking a good look at what the fees look like on their end as well.

So I think the key thing to keep in mind in summary is that a merchant could be charged fees at many different points in the transaction and the token lifecycle. So you could be charged at the request of a token by your PSP or token service provider. You could be charged at different points in the lifecycle to keep a token on file by your PSP or your tokenization platform. Anytime that there’s an update to an underlying payment account associated with a token, as we talked about earlier with Visa, scheme fee could be produced at that point. And perhaps you’ve got this additional licensing or platform fee that’s associated with your PSP’s platform, or your token gateway if you’ve chosen to go down one of those paths to implement tokenization.

So there certainly is a cost associated with putting these programs together, but all this needs to be weighed against the benefits of tokenization, which include things like better security, lower interchange fees, as we talked about earlier. There’s also potentially a shift in fraud liability depending on the acceptance environment. So the big picture here from a cost perspective is pretty complex and merchants are spending a lot of time trying to figure out what the true cost and the real benefit is going to look like in the long term.

Yvette Bohanan:

Yeah.

Russ Jones:

Okay. I want to change my motto, Chris.

Chris Uriarte:

Yeah.

Russ Jones:

I want to say now, “Tokenization is hard. We make it easy and we charge you for it.”

Yvette Bohanan:

There You go. Exactly. I mean, net net some of these fees are swaps, like account updater versus token update… That’s kind of a…

Russ Jones:

A wash.

Yvette Bohanan:

… One for one. Some of them, if you had card-on-file and it’s a token, doesn’t matter, it’s still on file, you’re going to get charged for it, like your Stripe example. But there’s some net new here too. And I think that’s where the nuance is coming out, it’s like, “Are you ahead or behind?” And it’s a little bit of calculus. It’s not just the fees, it’s do the fees get you better approval rates, do they get you fewer chargebacks? What are you getting for that in terms of the promised land, if you will, of tokens?

Chris Uriarte:

Of course. And some of these themes when we talk about enhanced security, this is not new to network tokens. We’ve known this for years with merchant tokens. Once merchants started implementing tokenization programs to help with PCI scope, we know just inherently tokenization helps with that, but it’s very difficult to quantify what the benefit is there from a cost perspective, from a dollar value perspective. Nonetheless, merchants need to keep that in the equation when they’re looking at the overall cost of these programs.

Yvette Bohanan:

So let’s keep it real here and move in from the cost side to any other gotchas, if you will, that you’re observing in the market that merchants should keep on their radar. One of the favorite topics are approval rates. And there was a lot of touting, what was it, like a year and a half ago or two years ago, one of the networks came out and was like, “Approval rates are skyrocketing with network tokens,” and then they backed off a little. Where are we with approval rates right now with network tokens? Are they better? Are they worse?

Chris Uriarte:

So I think, Yvette, what you’re talking about is Visa specifically came to the table and said they are seeing network approval rates across the board increase over, I think, 2%, 2.1% or something along those lines for tokenized transactions. We’re not really sure what the true numbers were behind that or how they calculated that, but the story is that, “Hey, if you use tokenization, you get better acceptance.” Obviously a lot of that would make sense, particularly if you have underlying account credentials that have changed or expired. You’re no longer susceptible perhaps to sending a PAN down the line that’s no longer valid or an expiration date that’s no longer valid. So it just naturally makes sense that you would probably have better approval rates. But we also hear stories from merchants where perhaps tokens are being processed and they’re not getting approval responses from issuers, and then they retry with PANs and they get an approval.

So we’ve talked to a number of merchants who have implemented different types of strategies to optimize approval utilizing tokens. And I think the punchline here is, Yvette, probably is going to take us a little bit longer to understand at a macro level how tokens are improving overall authorization rates. Because merchants generally trial these programs and they take a very long time. They’re complex programs to trial, and we’ve spoken to merchants who have looked at this from a year to two year time horizon just to get a full understanding of the benefits that tokenization has brought them. So we’re early, and I think the verdict’s still out as to what the true benefit is from an approval perspective.

Yvette Bohanan:

And you have to have the networks and the issuer supporting all of this. So you can look at Canada right now, and there are some banks we’re hearing about that aren’t honoring network tokens on debit cards, and they’re getting these 401 errors coming back. So we hear this from merchants, and then when they retry using a PAN, it works. So it’s not all homogeneous perfect, even clear, calm, still waters out there right now. And in the US, our debit networks. So there’s an unevenness in support there with regional networks.

Russ Jones:

We started off talking about the different use cases here, Yvette, and I was making the point that tokens on file are distinctly different than the other use cases. And the major difference is the consumer is not involved in it. So there’s no opportunity for the consumer to prove who they are to their issuer. And the other four use cases, the issuer or the token service provider working on their behalf usually does a multifactor authentication of the cardholder when the digital card is provisioned. There’s a confidence score that’s associated with that and goes along the token.

When the merchant provisions the card, there’s no multifactor authentication of the card holder. It’s all done in the back office, and there’s really no more assurance to the issuer that the card is any more likely to be legitimate just because it’s been provisioned. And that’s not the case with the other use cases, where the issuer really has had an opportunity to authenticate their card holder and then that carries through the whole transaction flow as well. So you can, I think, intellectually see where some of the use cases would argue for higher authorization approval rates because the issuers authenticated their own cardholder, and other use cases don’t have that same attribute.

Chris Uriarte:

Yeah, good point.

Yvette Bohanan:

That is a good point. Anything else in terms of the gotchas that we’re seeing here that people should be aware of?

Chris Uriarte:

I think, Yvette, you raised a really good point about debit networks and… I’ll put it in a different way, networks that are not the Visa and MasterCard dual message credit networks, and the supportive tokenization on those networks by the issuers. And for the most part, tokenization isn’t supported over those networks, and that’s really interesting right now given the fact that there is a lot of conversation about routing transactions on alternative networks, particularly in the US through what we call the regional debit networks that are not the Visa and MasterCard networks. We’ve had continued push over the years for the use of pinless debit. We’ve had recent clarification by the Federal Reserve Bank over the Durbin Reg II provision, which essentially says that all issuers need to support multiple unaffiliated networks for debit cards for all types of transactions, including e-commerce transactions.

So we’ve seen continued dialogue around pushing transactions away from MasterCard and Visa, and then we saw an FTC ruling in October of last year, ordering MasterCard to make tokens available to competing networks. And MasterCard has had to put that in place as of July 1st of this year. So there’s a lot of dialogue going on right now about moving transactions to alternative networks, and those networks really aren’t supporting tokenization at this point. And we’re seeing some new things on the horizon in the US like the CCCA, the Credit Card Competition Act, which again is very much focused on utilizing competing networks aside from MasterCard and Visa. So it’ll be interesting to see as we evolve whether the type of tokenization support that we’ve become used to over the last several years for network tokens starts to migrate itself to other networks from a functionality and support perspective.

Yvette Bohanan:

And the other thing is, it’s interesting to observe that you have here in the US this mandate of you can’t… I’m going to paraphrase what you just said with MasterCard, agency coming in and saying you can’t use tokenization to limit competition effectively.

Chris Uriarte:

Yep.

Yvette Bohanan:

That’s not always true. And we always say that regulations impact payment systems that they’re hard or domestic. Even an international card network has to operate within the regs of a particular country. You compare that position in the US with India where the token service provider and the processor is tied together, and you’re not going to have this sort of fungibility regarding processing. And it’s interesting because it’s a subtle difference, but it’s going to have an impact on the merchant’s operations and they have to understand what’s possible for their PSP in one country versus what’s possible for their PSP to do for them in another country and how that can affect a lot of things: approval, rate, cost, all these things we’re talking about

Chris Uriarte:

For sure. And I think one thing I would add to that, Yvette, is a common trend we see across merchants who have implemented network tokenization programs is that they’re doing tons and tons of data analytics and trending on a very, very micro level down to who the issuer is, what country the issuers from, what type of card they believe is being used as a debit instrument and credit instrument, et cetera. Because we see such great variation in the performance of tokens and how tokens are even provisioned depending on all those different factors. So a little bit of wild west out there right now in regard to how this is being implemented at an issuer level and on a country level for sure.

Yvette Bohanan:

And there’s some implications too around the metadata that you can get back about all of this that they’re analyzing. Because if you’re a PSP, if you’re a top tier merchant that has a lot of capabilities in-house, you’re going to want to know what’s going on, and not every network gives you back the same payload of data-

Chris Uriarte:

Yeah, that’s right.

Yvette Bohanan:

… when it comes to this. So you have to really understand what you can get. And as we said in a recent episode, it’s always been about the data. It’s really all about the data as we’re entering the AI era of things. So all about the data. We think we’re talking about payments, we’re not. We’re talking about data all the time.

Chris Uriarte:

Exactly.

Yvette Bohanan:

So you mentioned liability shift, you want to go back to that for a second? What’s up with liability shift right now? And what we’re talking about is card-not-present liability shift. So these card-not-present merchants, and where does the chargeback liability fall?

Russ Jones:

Yeah. And in the payments industry when you hear the phrase liability shifts, it means usually shifting default responsibility for fraud losses from one counterparty to the other counterparty. So you see in card-present when you say liability shift, it’s a liability shift from the issuer to the merchant. In card-not-present, liability shift is the shift from the merchant to the issuer. And the EMVCo tokenization model is all about the technical framework, specifications and whatnot. It’s still up to the individual card networks to assign business rules about how they are going to treat tokenized transactions along two major metrics.

One metric would be the cost of the transactions, which Chris talked about originally the same. No economic difference between tokenized and non tokenized transactions, shifting now to a financial incentive to tokenized. The other point of control is the default fraud allocation. Is it issued by default to the issuer? Is it assigned by default to the issuer or the merchant? And in card-not-present, it’s traditionally assigned to the merchant. Those are network rules, not laws of gravity type of things. And tokenization provides an opportunity to rethink that.

MasterCard has said that when the issuer takes responsibility for authenticating, the card holder fraud liability shifts to the issuer. So if you were accepting an Apple Pay transaction online, that was a MasterCard branded transaction and it turned out to be claimed as an unauthorized transaction by the cardholder, fraud liability would start with the issuer.

Visa has a different policy. Given the exact same circumstances, they would say the fraud liability is assigned to the merchant because it’s the more traditional assignment. So there’s variation of… American Express and Discover and MasterCard, all sort of treat tokenized transactions the same way, and Visa treats them a little bit differently.

Yvette Bohanan:

All right. So anything else we want to make sure people know on this, our fifth, I think, update of tokenization?

Chris Uriarte:

Well, I think the first thing to say is there’ll probably be a sixth update of this.

Yvette Bohanan:

I know. It might be in a few days. Who knows

Chris Uriarte:

The way that this is, the way that this is moving. I think just in general, we advise merchants to really stay on top of this, both from a PSP agnostic standpoint. In other words, listening to podcasts like this, reading the press, understanding what’s being announced, hearing stories from other merchants perhaps within their network. And then also of course, working closely with their PSPs to understand what programs they’re putting in place, how they’re treating tokenization, how the tokenization product and service offerings are evolving. Because this is something that is changing, as we said at the top of this podcast, it’s changing very, very rapidly. And it’s really, really difficult to keep track of what’s happening, what is real versus folklore, or what is really important to be discussing right now versus perhaps some rule changes or products that are being implemented in 6 to 12 months. So there’s a lot of changing dynamics in this market right now, and merchants really need to stay on top of it to understand the full picture.

Yvette Bohanan:

Yeah, I’d add to that. We’ve had a lot of clients coming in and asking us about RFPs. You’ve been working on a bunch of these, Chris, along with the rest of the team. And if you’re out there considering looking at your supplier strategy about your providers who are helping you with the payment acceptance in general, and you’re crafting an RFP, make sure this is part of it. I don’t think people have historically, for the most part, thought about putting specific questions around tokenization in their RFPs. They better be now. It’s that important.

Chris Uriarte:

Agreed.

Russ Jones:

And the other part about that, Yvette, is the tokenization is for all of its benefits… One of the attributes of it is that you end up with a tighter relationship between the provider and their customer. So if a merchant is turning to a PSP or turning to an acquirer for tokenization support, they’re getting a little bit closer. And it’s the same thing with issuers and networks. Issuers using networks as token service providers are getting closer to the network. And best practices here would be to make sure you have negotiated the right terms in your agreements that if you ever were to grow disillusioned with your PSP, you could get back the live card data of your customers.

Yvette Bohanan:

That’s extremely important for sure.

Russ Jones:

And some PSPs proactively do that as part of what they do. Other PSPs want to keep it close to the vest. So it’s a point of negotiation.

Yvette Bohanan:

It’s definitely, and there’s a certain cost often associated with that step if you were to take it. So it should be considered just part of a wind down or any kind of a clause like that. Yeah, for sure.

So we’re eight years-ish into actually implementing this, ten-ish years into its birth. Is it working? The promised land here is network tokens are going to… You can fill in the blank on a couple of things that we’ve heard over these years. Reduce fraud, make things more secure, reduce the radioactivity if you will, or the usability of card data. Is it working? I mean, I look at fraud statistics, Chris… We look at these fraud statistics all the time, Russ. We go through this in every workshop, and it’s going up.

Russ Jones:

Well, it’s sort of going down in some ways.

Yvette Bohanan:

The glass is half full, the glass is half empty.

Russ Jones:

If you’re selling risk management solutions, it’s a dark and scary market. Things have never been as bad in fraud as they are right now. Let me tell you, they’re only getting worse. Thank God I have a solution, right?

Yvette Bohanan:

Right.

Russ Jones:

The independent data seems to show that card fraud on a global basis is starting to trend downward, but we don’t know what to attribute it to. We don’t know if we can attribute it to the rise of those 2 billion Visa cards that are now being tokenized, or we should attribute it to chip cards in the US. We don’t have that level of granularity. So we have a lot of flags blowing in the wind that show that tokenization is helping. But we don’t have any numbers that say, “Because of these steps, this number is down 17%, or this number is up 8%.” We don’t have that type of number. And that’s really unfortunate. But the way the wind is blowing, I would say that this is all going in the right direction, I think.

Yvette Bohanan:

And Chris, would you agree?

Chris Uriarte:

Yeah, I would agree with that. And I think just as we said earlier, there’s no simple answers to any of these questions. We certainly see benefits of tokenization in the Apple Pay, Gpay use cases for sure. I would say for sure that has probably significantly reduced card-present fraud in the US in particular where there’s still no pin associated with a credit transaction. And going through the provisioning of a unique payment credential that’s bound to a device through an issuer is a very secure process. But as Russ pointed out earlier, when you look at merchant card-on-file tokens, there’s no inherent authentication there associated with the token itself. So that’s not really helping attribute necessarily to a decrease in fraud losses in that particular use case. So because you have many different use cases here associated with tokenization, I think it’s difficult across the board to say that it’s helping or it’s not helping. I think you really have to get out the scalpel and dissect the performance of all these different channels and all these different use cases.

But I would agree in general. I think tokenization is good for the industry. I think that certainly it is a tool, one of many tools that we have available to us as payment professionals in the toolbox to help with a number of different things, whether it’s fraud, whether it’s security, whether it’s approval rates. And we just have to stay on top of it and see how it continues to evolve, and how we can best utilize these tools as the use cases increase and as adoption increases across the board.

Yvette Bohanan:

Okay. Well, the conversation continues.

Chris Uriarte:

It does.

Yvette Bohanan:

So I’m looking forward to our next installment, but right now, I think it’s that time when we have to wrap things up. So thank you so much for spending time on the podcast with me. It’s always a pleasure to bat these industry topics around with both of you, so thanks.

Chris Uriarte:

For sure. Thanks, Yvette.

Russ Jones:

Thank you for having us.

Yvette Bohanan:

And to all of you listening, thanks for joining us. If you enjoy Payments on Fire, someone else might too. So please feel free to share this podcast on your favorite social media outlet.

Payments on Fire is a production of Glenbrook Partners. Glenbrook is a leading global consulting and education firm to the payments industry. Learn more and connect with us by visiting our website at glenbrook.com. All opinions expressed on our podcast are those of our hosts and guests. While companies featured or mentioned on our show may be clients of Glenbrook, Glenbrook receives no compensation for podcasts. No mention of any company or specific offering should be construed as an endorsement of that company’s products or services.

Recent Payment Views

Payments Post #14: Wallet World – WWDC, VFC, Tokens, and the Future of the “Card”

Payments Post #13: At the Intersection of Tech, Regs, and Business Partnership

This month, Cici Northup joins regular contributor Justin Pituch to recap positive news in the form of fast payments growth, new fraud mitigation strategies, and evolution in cross-border transfers. All reflect, to varying degrees, the unique dynamic in the payments industry created by the intersection of technology, regulation, and new business partnerships.

read more
Visa Payments Forum Deep Dive: Visa Flexible Credential

Payments Orchestration: What Comes Next?

Orchestration providers have certainly come a long way, and can enable powerful capabilities and benefits for the merchants that employ them. This post explores some of the possibilities Glenbrook has been thinking about for where Orchestration (and even orchestration) can go next.

read more
Payments Post #14: Wallet World – WWDC, VFC, Tokens, and the Future of the “Card”

Payments Post #12: Lessons from Change

In this month’s Payments Post, we want to draw your attention to several recent fraud incidents that underscore the criticality of effective risk management to your business and the safety and soundness of the payments industry.

read more

Glenbrook Payments Boot CampTM

Register for the next Glenbrook Payments Boot CampTM

An intensive and comprehensive overview of the payments industry.

Train your Team

Customized, private Payments Boot CampsTM workshops tailored to meet your team’s unique needs.

OnDemand Modules

Recorded, one-hour videos covering a broad array of payments concepts.

GlenbrookTM Company Press

Comprehensive books that detail the systems and innovations shaping the payments industry.

Launch, improve & grow your payments business