Thursday, September 11, 2014

Apple Pay and Android payment eco-systems


It is important to understand what tokenization means in the context of Apple's introduction on Tuesday.  The word "tokenization" can sound very general, complex, and unfamiliar the way it is being used in payments today.  I think many use the term without really understanding the important details of the concept.  I relate it to picking up my 4-year-old daughter from Sunday school class: when I ask her what she learned, she knows that if she answers "God", she is right.

So the point of this blog is to understand what tokens are and what they are used to solve in payments.  The commonly misunderstood rule of tokens is that people think the token changes from transaction to transaction; in reality the cryptogram changes, but the token properties (tPAN and tUDK) do not:
  • A token may be created once for the life of a credential (card).  

This is easiest to understand with the Apple Pay use case.  The secure element on the phone is programmed at the factory, when the iPhone is built, to support many different card standards.  When the token data needs to be programmed into the device, Apple requests a token for that device from the card networks.  The networks need to keep track of the token because they need to know how to translate it back into the iTunes identity, so that the card selected in iTunes can be processed during transactions with the payment acceptor.

But the important piece is that this token is a static identifier for the life of the card that was programmed.

A diagram describing this process for iPhone is here:   


Because Android is not a vertically owned stack like Apple's, it is really hard to distinguish who owns the SIM, SE, or UICC on a particular phone.  Because of the ownership argument over the last few years, the idea of HCE was launched to push ownership of the SE to the cloud, so that it could be leveraged on any Android phone from the cloud.  But the important concept that has gotten lost with the Apple announcement is that "tokenization" as Apple Pay uses it is still exactly the plan for tokenization in the Android space.  With HCE enabled, however, the equivalent of the one-time token ("Apple ID") that lives in the iPhone SE is instead located virtually in the cloud, with a bank or a third-party vendor like SimplyTapp:



======================AND STOP===================

THE TOKEN HAS NOW BEEN CREATED!!
THE TOKEN REQUESTER CAN USE THIS TOKEN FOR
ALL TRANSACTIONS ON THAT CARD GOING FORWARD
WITHOUT REQUESTING ANOTHER TOKEN FROM THE SERVICE
AGAIN FOR THE LIFE OF THAT CARD IT REPRESENTS

THIS CAN BE TREATED ON PAR WITH TYPICAL PLASTIC CARD
PERSONALIZATION SERVICES TODAY

ONLY WHEN THE TOKEN IS ACQUIRED BY THE MERCHANT
DOES THE NETWORK NEED TO VERIFY THE TOKEN AND ALSO
TRANSLATE THE TOKEN BACK TO THE CARD IT REPRESENTS
SO THAT THE BANK CAN PROCESS IT FOR APPROVAL AS
USUAL

SO ONE TOKEN AND RELATED DATA CAN BE USED FOR
MULTIPLE TRANSACTIONS

==================================================
OK, I think I'm done hammering on that characteristic of a token. :)

Another very important thing to understand about transactions using tokens is that the data format of a tokenized transaction is EXACTLY the same as the data format of a non-tokenized transaction from the Point of Sale perspective.  The same basic elements exist and are exchanged from the phone to the POS:
non-tokenized:
1) Primary Account Number (PAN)
2) Expiration Date
3) Service Code
4) Issuer Discretionary Data
5) Cryptogram

tokenized:
1) Tokenized Primary Account Number (tPAN)
2) Expiration Date
3) Service Code
4) Issuer Discretionary Data
5) Cryptogram

Because the data format exchanged between the phone and the POS is identical in both cases, the tokenized version still has the ability to include dynamic transactional data by using a cryptogram to do so (adding the "one-time number for each transaction" that Tim Cook preached about).
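To make the "identical format" point concrete, here is an added example in Python (not code from the original post, and not any network's or POS vendor's code): a parser for the track-2-equivalent data plus the separate application cryptogram, run over a constructed non-tokenized record and a constructed tokenized one. The PANs, expiry and service-code values, and the token BIN range in TOKEN_BIN_RANGES are all constructed for the example. The parser deliberately has no tokenized branch, because the only difference visible on the wire is the PAN value; a token is issued Luhn-valid, so the legacy check digit test passes, and only a BIN-range lookup (which the network does, not the POS) tells the two apart.

```python
import re
from dataclasses import dataclass, fields

# Track-2-equivalent layout (ISO 7813 widths): PAN, separator ('D' in EMV
# tag 57, '=' on a mag stripe), expiry YYMM, 3-digit service code, then
# issuer discretionary data, optionally padded with 'F' nibbles.
TRACK2_RE = re.compile(
    r"^(?P<pan>\d{12,19})[D=](?P<expiry>\d{4})(?P<service>\d{3})"
    r"(?P<discretionary>\d*)F*$"
)

# Constructed token BIN range for this example only; real token BINs are
# assigned by the card networks and are not reproduced here.
TOKEN_BIN_RANGES = [("489537", "489537")]


@dataclass(frozen=True)
class PaymentRecord:
    """The five elements listed in the post; both record kinds parse into it."""
    pan: str                   # real PAN or tokenized PAN (tPAN)
    expiry_yymm: str
    service_code: str
    issuer_discretionary: str
    cryptogram: bytes          # 8-byte application cryptogram


def luhn_ok(digits: str) -> bool:
    """ISO 7812 check digit; tokens are issued Luhn-valid so legacy checks pass."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def parse_record(track2_equivalent: str, cryptogram_hex: str) -> PaymentRecord:
    """What a POS does with tap data: one code path, no tokenized/non-tokenized branch."""
    m = TRACK2_RE.match(track2_equivalent.upper())
    if m is None:
        raise ValueError("malformed track-2-equivalent data")
    if not luhn_ok(m["pan"]):
        raise ValueError("PAN fails Luhn check")
    cryptogram = bytes.fromhex(cryptogram_hex)
    if len(cryptogram) != 8:
        raise ValueError("application cryptogram must be 8 bytes")
    return PaymentRecord(m["pan"], m["expiry"], m["service"],
                         m["discretionary"], cryptogram)


def routes_to_token_service(pan: str) -> bool:
    """Network-side view: only a BIN-range lookup distinguishes a tPAN from a PAN."""
    bin6 = pan[:6]
    return any(lo <= bin6 <= hi for lo, hi in TOKEN_BIN_RANGES)


def same_layout(a: PaymentRecord, b: PaymentRecord) -> bool:
    """True when two records carry the same fields with the same field lengths."""
    return all(len(getattr(a, f.name)) == len(getattr(b, f.name))
               for f in fields(PaymentRecord))


if __name__ == "__main__":
    # Constructed sample tap data: a classic test PAN and a constructed,
    # Luhn-valid tPAN in the constructed token BIN range.
    plain = parse_record("4111111111111111D2512101000000000000", "A1B2C3D4E5F60708")
    token = parse_record("4895370000000007D2512101000000000000", "0011223344556677")
    print("same layout at the POS:", same_layout(plain, token))
    for rec in (plain, token):
        print(rec.pan, "-> token service" if routes_to_token_service(rec.pan) else "-> issuer")
```

The one-line `same_layout` check is the whole point: a POS or acquirer that already handles the non-tokenized record needs no change to handle the tokenized one.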

Keep in mind that for cryptogram creation and cryptogram validation there does not need to be a run-time link between the validator and the tokenized card (this is evident from Apple's deployment of a hardened secure element on the phone: the card produces cryptograms on its own, and the validator recomputes them independently).

So understanding how tokenized and non-tokenized cryptograms are created and validated is important.  By the way, the algorithm is identical for tokenized and non-tokenized cards.  The "tokenized" part of the feature set is actually out of the scope of cryptogram calculation and validation.

Cryptogram creation requirements:
1) At card creation time, the token issuer authority (card network) holds an issuer master key for a "tokenized" BIN.  The master key for the "tokenized" BIN is used to create a "tokenized" Unique Derived Key (tUDK) and a "tokenized" Primary Account Number (tPAN) for each "tokenized" card when a Token Requestor requests a token on behalf of a card issuer.

2) Also at card creation time, this new "tokenized" UDK and "tokenized" PAN are delivered back to the Token Requestor.

3) From the token requestor's perspective it is now business as usual for tokenized card personalization.  This data is injected into the tokenized card just as it would be into a non-tokenized card.

4) A LUK is created PRIOR to transaction time:
   a) The tokenized UDK in the card + the ATC are used to create the tokenized LUK (AKA session key, or one-time-use key).
   b) This LUK can be exposed to the mobile device (in the Apple case, the LUK or a similar key can be calculated inside the SE of the mobile device).

5) At transaction time, the cryptogram is created:
   a) The tokenized LUK + the terminal UN (POS data) are used to create the final cryptogram returned to the POS for processing.
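Steps 1 to 5 above, and the earlier point that the validator needs no run-time link to the card, carried through as an added example in Python. This is not code from the original post or from any card network: HMAC-SHA256 stands in for the 3DES-based key derivation and MAC that the EMV specifications actually use, but the key chain is the post's (token-BIN master key, then tUDK once per card, then a LUK per ATC, then a cryptogram over the terminal's unpredictable number). The master key, tPAN, amounts and UN values are all constructed for the example.

```python
import hashlib
import hmac


def _derive(key: bytes, label: bytes, data: bytes) -> bytes:
    """One derivation step: first 16 bytes of HMAC-SHA256(key, label || data).
    Stand-in for the 3DES derivations in the real specifications."""
    return hmac.new(key, label + data, hashlib.sha256).digest()[:16]


# Steps 1-2: the token service derives the per-card tUDK from the token-BIN
# master key and hands tUDK + tPAN to the token requestor, once per card.
def derive_tudk(master_key: bytes, tpan: str) -> bytes:
    return _derive(master_key, b"tUDK", tpan.encode())


# Step 4: LUK (session key) for one Application Transaction Counter value.
# With tUDK inside an on-device SE this runs offline; with tUDK held in the
# cloud, the cloud runs it and pushes LUKs to the phone ahead of time.
def derive_luk(tudk: bytes, atc: int) -> bytes:
    return _derive(tudk, b"LUK", atc.to_bytes(2, "big"))


# Step 5: at tap time only the LUK and the terminal data are needed, never
# the tUDK, which is why a cloud-held tUDK still works for HCE.
def make_cryptogram(luk: bytes, atc: int, un: bytes, amount_cents: int) -> bytes:
    msg = atc.to_bytes(2, "big") + un + amount_cents.to_bytes(6, "big")
    return hmac.new(luk, msg, hashlib.sha256).digest()[:8]


class CryptogramValidator:
    """Token-service side. Rebuilds the same key chain from the master key, so
    it needs no run-time link to the card, and tracks the ATC per tPAN so a
    captured cryptogram cannot be presented twice."""

    def __init__(self, master_key: bytes) -> None:
        self._master = master_key
        self._last_atc = {}                   # tPAN -> highest ATC accepted

    def validate(self, tpan: str, atc: int, un: bytes, amount_cents: int,
                 cryptogram: bytes) -> bool:
        if atc <= self._last_atc.get(tpan, -1):
            return False                      # counter reused or went backwards
        luk = derive_luk(derive_tudk(self._master, tpan), atc)
        expected = make_cryptogram(luk, atc, un, amount_cents)
        if not hmac.compare_digest(expected, cryptogram):
            return False                      # wrong key, amount, UN or ATC
        self._last_atc[tpan] = atc
        return True


if __name__ == "__main__":
    master = bytes.fromhex("000102030405060708090a0b0c0d0e0f")   # constructed
    tpan = "4895370000000007"                                     # constructed tPAN
    tudk = derive_tudk(master, tpan)          # provisioned once (steps 1-3)
    validator = CryptogramValidator(master)
    for atc, amount in ((1, 1999), (2, 450)):
        luk = derive_luk(tudk, atc)                                 # step 4
        un = hashlib.sha256(bytes([atc])).digest()[:4]              # terminal UN stand-in
        ac = make_cryptogram(luk, atc, un, amount)                  # step 5
        print(atc, ac.hex(), validator.validate(tpan, atc, un, amount, ac))
```

Note that `CryptogramValidator` never touches a LUK that the card produced; it re-derives everything from the master key and the tPAN carried in the transaction, which is exactly why the same validation works whether the tUDK sits in an iPhone SE or in a cloud credential store.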

Have a look at how the Apple Pay system works during payment time:


And obviously, the mirror transactional sequence for the Android environment:

You will notice that the net result from the reader's perspective is identical in both cases: "Tokenized Data" as described above.  The Android app and the cloud-based secure element, however, must work together throughout the life of the app on the phone to produce this result.


What tokens solve!:

Legacy Processing:  The main thing, in my eyes, that tokenization solves is the back-end processing changes.  The HCE side of the equation requires, for some card networks, new cryptogram calculation specifications to be processed, because the cryptogram calculation process is forced to change (i.e. the introduction of CVN 43!).

Believe it or not, this is probably the biggest driver for tokenization, because it is faster to build the tokenization engine and let it validate and convert the new cryptogram to an older version than it is to go into the old old old old (say it one more time... old) processing houses that are running Commodore 64s, Pascal, and big tape drives and get them to update the cryptographic algorithms on the HSM.  So both Visa and Mastercard can just as easily validate the CVN 43 CBP cryptogram right before the service de-tokenizes it.

Firewalling Transactions:  When a token is created, it is implied that the tokenization engine will always have to de-tokenize prior to processing the transaction, and that obviously covers verification of the token.  This is a perfect opportunity to build in transaction processing rules for that token, such as:
1)  Card present only transactions (this token must ALWAYS contain a cryptogram with it)
2)  Use this token at ONLY these particular merchant IDs
3)  This token is ONLY valid for transactions within a 90 day period!
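The three rules above, enforced at the point where every transaction must pass anyway, as an added example in Python. This is not code from the original post or from any network's token service; the SQLite schema, the rule columns, the simplified authorization message (a dict with `pan`, `merchant_id` and an optional `cryptogram` entry) and all sample values are constructed for the example. Dates are passed as ISO strings so the vault can be driven from plain data.

```python
import sqlite3
from datetime import date, timedelta

# Constructed schema: real token services keep more than this, but these
# columns are enough to carry the three firewalling rules from the post.
SCHEMA = """
CREATE TABLE token_table (
    span               TEXT PRIMARY KEY,  -- tokenized PAN (tPAN) as seen in traffic
    pan                TEXT NOT NULL,     -- real card the token stands for
    created            TEXT NOT NULL,     -- ISO date the token was issued
    valid_days         INTEGER NOT NULL,  -- rule 3: validity window in days
    card_present_only  INTEGER NOT NULL,  -- rule 1: a cryptogram must accompany it
    merchant_allowlist TEXT               -- rule 2: comma-separated IDs, NULL = any
);
"""


class TokenVault:
    """De-tokenization with per-token rules. Every tokenized transaction has to
    come through detokenize(), so the rules cannot be bypassed downstream."""

    def __init__(self) -> None:
        self.db = sqlite3.connect(":memory:")
        self.db.executescript(SCHEMA)

    def provision(self, span, pan, created_iso, valid_days=90,
                  card_present_only=True, merchants=None) -> None:
        """Done once per card; the requestor reuses the token afterwards."""
        self.db.execute(
            "INSERT INTO token_table VALUES (?, ?, ?, ?, ?, ?)",
            (span, pan, created_iso, valid_days, int(card_present_only),
             ",".join(merchants) if merchants else None))

    def detokenize(self, span, merchant_id, has_cryptogram, today_iso):
        """Return (pan, 'ok') or (None, reason). The lookup itself is the
        SELECT; the rule checks are what a bare lookup would miss."""
        row = self.db.execute(
            "SELECT pan, created, valid_days, card_present_only, merchant_allowlist "
            "FROM token_table WHERE span = ?", (span,)).fetchone()
        if row is None:
            return None, "unknown token"
        pan, created, valid_days, cp_only, allow = row
        if cp_only and not has_cryptogram:
            return None, "card-present-only token used without a cryptogram"
        if allow is not None and merchant_id not in allow.split(","):
            return None, "merchant not permitted for this token"
        expires = date.fromisoformat(created) + timedelta(days=valid_days)
        if date.fromisoformat(today_iso) > expires:
            return None, "token expired"
        return pan, "ok"


def route_authorization(vault, msg, today_iso):
    """Network side: swap the tPAN for the PAN so the issuer sees an ordinary
    authorization, or stop the transaction when a token rule fails. Cryptogram
    validation itself happens separately, before the message is forwarded."""
    pan, reason = vault.detokenize(msg["pan"], msg["merchant_id"],
                                   "cryptogram" in msg, today_iso)
    if pan is None:
        return {"accepted": False, "reason": reason}
    return {"accepted": True, "forwarded": dict(msg, pan=pan)}


if __name__ == "__main__":
    vault = TokenVault()
    # Constructed token: issued 2014-09-09, card-present only, one merchant, 90 days.
    vault.provision("4895370000000007", "4111111111111111", "2014-09-09",
                    merchants=["MERCH-001"])
    tap = {"pan": "4895370000000007", "merchant_id": "MERCH-001",
           "amount_cents": 1999, "cryptogram": "0011223344556677"}
    print(route_authorization(vault, tap, "2014-09-11"))
    print(route_authorization(vault, dict(tap, merchant_id="MERCH-999"), "2014-09-11"))
    print(route_authorization(vault, tap, "2014-12-31"))
```

Because the token is a static identifier for the life of the card, the rules live with the token record rather than with any single transaction, and tightening them later (shrinking the merchant list, shortening the window) takes effect on the next de-tokenization without touching the phone.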

Translating to Card On File:  Major wins for Apple, Google, Amazon, and anyone else who has scores of cards on file buried in their datacenter.  Not only does tokenization allow you to translate to an existing bank account; as displayed by Apple, it also allows you to translate a token to an account that may in turn represent one of many Cards On File for a particular Google, Amazon, or Apple account.  Potentially this allows lower than Card Not Present rates for internet-based transactions.

88 comments:

  1. So that means Apple only uses the same token for transactions, so there is no need for an internet connection to make a payment at any time?
    In Android, from your post we can see it might need to replenish tokens from the token provider when the tokens in the device are used up.
  2. that is correct. because the UDK is stored in the SE, there is no need for a network connection to create more cryptograms. for Android, the UDK is in the cloud, so, from time to time, there may need to be network connectivity to get new LUK keys to make cryptograms on the mobile device.
  3. Thank you for your reply Doug, it answered the question.
  4. Great post Doug.. But in the Android ecosystem, are the token and UDK provisioned every time then? Which means the same token cannot be used for multiple transactions??
    Replies
    1. token and UDK are provisioned only once, just like in the apple ecosystem. only difference is WHERE it is provisioned. in android, it should get provisioned to the cloud system (this is what simplytapp does). master card calls this a CMS or credential management system. then the CMS is responsible for dispatching individual transactional data to the phone prior to tapping. these are called LUK or SUK derived from the UDK
  5. Thanks Doug for the very clear explanation.
    This is really interesting stuff!
    But how do you build the LUK so that it can calculate the cryptogram without the UDK?
  6. Great q. The LUK is created from the ATC and UDK. Then later the LUK can be used independently to create the cryptogram from the terminal UN.
  7. Hi. I don't understand something... At the payment process, who has to make the relation between token and PAN? I mean, are the bank systems affected? I don't know if the bank has to modify their systems to process the Apple Pay payments, to translate that token to the PAN number, or if it is the networks (VISA, MasterCard, AMEX) who make that translation?
  8. networks for now. think of it as a lookup table. or SQL query. it hits the network router or standin service and they do SELECT PAN FROM TOKEN_TABLE WHERE SPAN=?; and replace the SPAN with the real PAN and allow the ISO-8583 packet to continue up the stream for processing. they actually do more than that because they also know that issuers do not have the capability to process EMV or new CBP cryptograms. so they can "reverse convert" cryptograms after authentication to one that bank processing systems can understand or in some cases just mag data.

  9. Hi Doug,

    I found it all very interesting and useful.
    I have a question anyway.
    If I understood correctly, Apple had to stipulate agreements with retailers (merchants) to accept Apple Pay; if this is correct, why? I do not see the reason, as Apple Pay should work anywhere in any store. Correct?

    thanks
    Donato
    Replies
    1. no agreements needed. anywhere that accepts existing NFC transactions is ok
  10. I somehow find the Apple Pay transaction diagram inaccurate ... I believe when the consumer taps the phone, the NFC transaction data including token, application cryptogram, cryptogram information data, etc. follows the standard payment rail ... i.e. it is submitted first to the processor, which routes it to the applicable payment network operating the Tokenization Service Provider (TSP - which supplied the token for the PAN when the card was added to the wallet). The payment network then de-tokenizes the token back into the PAN via the TSP (which also checks the token expiry info, validates the cryptogram, etc.) and submits the authorization request to the card issuer.

    So the flow is like this in my opinion:
    1. consumer taps the phone at the POS - execute the NFC / EMV transaction APDU flow, but the SE returns the token instead of the real PAN
    2. POS normally submits to the processor
    3. Processor then uses the token BIN to determine routing - routes to the applicable payment network
    4. Payment network recognizes its TSP BIN range, forwards the token and related data to the TSP, obtains back the PAN in clear
    5. replaces the token in the request with the PAN and forwards to the issuer

    On the way back, inside the response, the payment network replaces the PAN with the token before returning the response to the processor / merchant POS
  11. Hi Doug,
    could you please better explain the "Receive token request parameter" and "you receive my blessing" arrows?
    Thanks
    Roberto
