Decrypting Tokenization What is it and why is it important? Anne Fields, Crutchfield, Director Financial Compliance Nate Morgan, CyberSource, Product Manager Ian Poole, CardinalCommerce, Technical Product Manager

Tokenization What is it & Types of Tokens Merchant Perspective Merchant Considerations Q & A

Payment Tokenization: What is it? Customer Data Other Data Card Data Replaces sensitive data (card numbers, PII data) with a different, unrelated value called a token Cannot be reversed, meaningless to hackers in the event of a breach Mostly follow the PAN (primary account number) format, compatible with existing payment flows, financial systems T

Evolution of Merchant Tokenization Secures stored card and customer data Reduces PCI scope Enables card-on-file Drives omni-channel experiences Supports marketing efforts: analytics, loyalty programs

Merchant Payment Tokens Seamless, friction-less payment experience Your customer data is better protected in the event of a breach Renders sensitive card (and other) data worthless Card data securely stored in your vault PCI scope is reduced; no payment data in your network when using a PSP Tokens, not card numbers used for payment activities Essential for bill payers / returning customers Enables new, “Uber-like” experiences Card updater service highly recommended

Comparing Merchant Tokenization Providers ? Gateway Token Services Acquirer Token Services Proprietary technology, not standardized Designed to safeguards merchants from consequences of data breaches and reduce merchant PCI demands Designed to safeguards merchants from consequences of data breaches and simplify Merchant and Acquirer PCI Tokenization of Payment Data, PII data and other sensitive customer data Tokenization focused on Payment Data Works across all card brands, payment types supported across Acquirers (Acquirer agnostic) Works across all card brands and card issuers supported by Acquirer Tied to Gateway Tied to a Acquirer/Processor Protection of stored card data Reduced PCI scope Processor Agnostic Support for digital payment solutions like Apple Pay, Android Pay, etc. via network tokens Tokenization of PII data (some providers cater to healthcare industries) Proprietary, tied to the acquirer issuing the token- merchant cannot switch acquirers, integrate to/inter-operate with tokens from other acquirers Able to support POS and eCommerce transactions (omni functionality) Other features similar to PSP tokens Protection of stored payment data Reduced PCI scope

EMVCo standards; launch of VTS and MDES Evolution of Issuer Tokenization VTS MDES EMVCo standards; launch of VTS and MDES Enables digital payments such as Apple Pay, Android Pay Powers connected commerce, IoT and other new payment experiences Future applications *EMVCo members include American Express, Discover, JCB, MasterCard, UnionPay and Visa Note: All brand names and logos are the property of their respective owners, are used for identification purposes only, and do not imply product endorsement or affiliation with Visa

Issuer-Side (Network) Payment Tokens Card brands * collaborated as EMVCo, developed standards for worldwide interoperability & security Apple Pay was the first use case, now also Android Pay, Samsung Pay, etc. Visa, Mastercard, Amex built solutions using token standards in the EMVCo framework and are the “TSP” of digital payment tokens Issuers control activation, suspension, deactivation of tokens for cardholder Tokens are unique to device, channel, and stored for future payments May be single or multi-use, merchant specific or have time limitations

Comparing Tokenization Approaches? Issuer (Network Tokenization) Processor (Merchant Tokenization) Based on industry standard Proprietary technology, not standardized Designed to safeguard the payment ecosystem from consequences of data breaches Designed to safeguards merchants from consequences of data breaches Likely requires issuer opt-in participation Likely requires merchant opt-in participation Currently works in limited use cases (mainly the digital payments) Works across all card brands and card issuers Independent of processors and gateways but tied to individual card network Tied to a processor / gateway Processor tokenization may also be referred to as Acquirer tokenization

Tokenization & Connected Commerce Allows commerce to be embedded in everything Device manufacturers, large businesses are becoming token requestors Gearing to enable secure, device-driven on-demand transactions on a massive scale eComm wallet, IoT wallet, Issuer wallet, Wearable wallets, POS – tap and pay

Merchant Perspective Why did we consider Tokenization? How do we Tokenize? What did we want to accomplish with Tokenization?

Merchant Considerations Interoperability considerations Ensure cross-channel compatibility Protect from fraud Recurring/Card on File billing Work with other protocols- 3DS 2.0 Other factor considerations New digital pay adoption Retain access and control of your customer data Consider multi-acquirer requirements Consider tokenization of non-card payment methods Risk Strategy considerations PCI Compliance Cost/Complexity Breach risk / Brand Consequences Security considerations for 3rd Party Seek accredited PCI DSS Level 1 service provider Select a cloud-based solution to reduce PCI scope Augment with other technologies such as hosted payment acceptance, P2PE

Questions from the audience

Tokenization Panel Anne Fields, Crutchfield, Director Financial Compliance afields@crutchfield.com Nate Morgan, CyberSource, Product Manager nmorgan@visa.com Ian Poole, CardinalCommerce, Technical Product Manager ipoole@cardinalcommerce.com If you have any questions about the presentation, go to our LinkedIn Group (the Payments Education Forum) and request an invitation (this is a closed group specifically for the payments industry).