- A token is 16 digits and a card PAN is 16 digits, so why is it any more secure?
- A token is more secure because it is an abstraction of the card credential: it can be used to make a purchase, but only the entity that created it can map it back to the PAN. For network tokens that entity is the payment network acting as Token Service Provider, which holds the token-to-PAN mapping in its token vault, together with the issuer processor that is authorized to query it. The token cannot be derived from the PAN; the only link between the two is that mapping at the network, so a token presented from any device other than the one it was provisioned to fails. What enforces this is the cryptogram. A cryptogram is a one-time code generated for each transaction by the token on the device, using a key provisioned with that token and data supplied by the terminal where the payment is taking place. It is sent along with the token in every digital wallet transaction and is validated by the network before the transaction is approved, which prevents replaying a captured transaction or using the token without the provisioned device.
- How does a card get tokenized and into ApplePay?
- There are a few ways to get your card into Apple Pay. As a cardholder you can ask Apple to tokenize it through manual provisioning: you either enter your card number into the Wallet app or scan the card with the camera. The card can also be "pushed" into the wallet through push provisioning, where the issuer sends the provisioning request to Apple with the card information (typically from the issuer's own app). In either case Apple then contacts the Token Service Provider, which for the network tokens discussed here is the payment network: Mastercard, Visa, American Express or Discover, to mention only the top networks in the US. The network sends a request to the issuer processor (the entity that issued your card), the issuer processor responds to the network, and the network responds to Apple. Those are the steps of "provisioning a token" at a high level. What is important to remember is that Apple does not store your card number: it keeps the digital wallet token and its expiration, which the network sends to Apple to store on the Secure Element, a small tamper-resistant chip in your device.
- How does a card get tokenized and into GooglePay?
- The flow is the same as for Apple Pay above (wallet provider, network as Token Service Provider, issuer processor). The difference is where the token is stored: Google Pay uses host card emulation rather than a secure element, which is covered under the Apple Pay vs Google Pay question below.
- Tokenization is an abstraction over the full card number. Why is this better?
- Increased convenience: tokenization can make payments more convenient for customers by letting them pay from multiple devices or across different platforms. For example, a customer can use the same device token at many merchants, or use it for both in-store and online payments.
- Increased security: by using a token instead of the actual card information, payment tokenization makes it harder for attackers to steal and use card data. The token is useless outside the payment system, since it only maps to a PAN at the network and a transaction also needs a valid cryptogram, and even if an attacker did steal a token it would likely be identified quickly and suspended or deleted without reissuing the underlying card.
- Improved compliance: tokenization helps merchants and payment processors comply with regulations such as the Payment Card Industry Data Security Standard (PCI DSS) by reducing the amount of sensitive card information they need to store and protect.
- Better scalability: tokenization helps merchants and payment processors scale more easily by reducing the number of card numbers they need to manage and process. Digital wallet tokens also have a lifecycle independent of the underlying card; the token maps back to the card at the network level.
EMV chips are also considered more secure than traditional magnetic stripe cards, as they use dynamic data and cryptographic techniques to protect card information during transactions. However, tokenization using digital wallets offers additional security features that can further protect card information and make it more difficult for attackers to steal and use.
- What prevents a person from just stealing a card and adding it into their AppleWallet or Google Wallet? (Step-Up)
- To give some background, when referring to digital wallets and tokenization there is a concept of coloured paths that the provisioning of a digital wallet token can take: green, yellow, orange and red.
  - Green is the happy path: every entity involved in provisioning accepts the request.
  - Yellow is also referred to as step-up: the issuer asks the user to authenticate further, most commonly through a one-time passcode sent by text or email. The other two common methods are calling into a call centre or verifying through the issuer's banking app on the device. These authentication methods are collectively known as Identification and Verification (ID&V).
  - Orange is similar to yellow, except that one of the digital wallet token providers requires the issuer to force a step-up rather than the issuer choosing to.
  - Red is when one of the entities involved declines the request, which stops provisioning.
  Each entity involved, that is the digital wallet provider, the network, the issuer and any rules engine in between, can take an action on the provisioning request given the proper permissions. Generally there is a base configuration of rules on the request, starting with the digital wallet provider and ending with it once the provisioning loop has closed, but each entity decides based on the device information, the account information, and any rules the issuer processor has configured on the card for which a token is being requested.
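The decision logic the paths describe, as an added example that is not code from any wallet provider, network or issuer processor: each party votes on the request, the most restrictive vote wins (decline over forced step-up over issuer step-up over approve), and a yellow or orange path resolves to green or red once ID&V completes. The signal names, thresholds and the `step_up_all_manual` issuer rule are assumptions made for the illustration; the rule that push (in-app) provisioning skips issuer step-up while manual provisioning draws it more often follows the in-app vs manual discussion at the end of this page.

```python
"""Toy model of the green / yellow / orange / red provisioning paths.

Added illustration only; not code from any wallet provider, network or issuer
processor. Signal names, thresholds and the issuer rule keys are assumptions.
"""
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    APPROVE = "approve"              # green: no objection from this party
    STEP_UP = "step_up"              # yellow: issuer wants the cardholder to complete ID&V
    FORCE_STEP_UP = "force_step_up"  # orange: wallet or network requires the issuer to step up
    DECLINE = "decline"              # red: the request stops here


PATH_COLOUR = {
    Decision.APPROVE: "green",
    Decision.STEP_UP: "yellow",
    Decision.FORCE_STEP_UP: "orange",
    Decision.DECLINE: "red",
}

# Most restrictive vote wins: one decline ends the request regardless of the other votes.
SEVERITY = [Decision.DECLINE, Decision.FORCE_STEP_UP, Decision.STEP_UP, Decision.APPROVE]


@dataclass
class ProvisioningRequest:
    channel: str                # "manual" (typed or scanned card) or "push" (from the issuer app)
    wallet_risk_score: int      # assumed 0-100 device/account score supplied by the wallet provider
    tokens_for_pan_today: int   # assumed velocity signal the network keeps per PAN
    account_age_days: int       # assumed issuer-side account signal
    card_status: str = "active"
    issuer_rules: dict = field(default_factory=dict)  # assumed per-card rules at the issuer processor


def wallet_decision(req: ProvisioningRequest) -> Decision:
    """Wallet provider: device reputation gates the request before anyone else sees it."""
    if req.wallet_risk_score >= 90:
        return Decision.DECLINE
    if req.wallet_risk_score >= 60:
        return Decision.FORCE_STEP_UP
    return Decision.APPROVE


def network_decision(req: ProvisioningRequest) -> Decision:
    """Network (TSP): too many tokens requested for one PAN in a day forces a step-up."""
    if req.tokens_for_pan_today >= 5:
        return Decision.FORCE_STEP_UP
    return Decision.APPROVE


def issuer_decision(req: ProvisioningRequest) -> Decision:
    """Issuer / issuer processor: knows the card and account, and applies its own rules."""
    if req.card_status != "active":
        return Decision.DECLINE
    if req.channel == "push":
        # Cardholder is already authenticated in the issuer's own app, so no ID&V is needed.
        return Decision.APPROVE
    if req.issuer_rules.get("step_up_all_manual") or req.account_age_days < 30:
        return Decision.STEP_UP
    return Decision.APPROVE


def provisioning_path(req: ProvisioningRequest) -> tuple[str, dict[str, Decision]]:
    """Collect every party's vote and reduce them to the path colour."""
    votes = {
        "wallet": wallet_decision(req),
        "network": network_decision(req),
        "issuer": issuer_decision(req),
    }
    worst = min(votes.values(), key=SEVERITY.index)
    return PATH_COLOUR[worst], votes


def after_idv(path: str, idv_passed: bool) -> str:
    """Resolve a yellow or orange path once the cardholder has attempted ID&V."""
    if path in ("yellow", "orange"):
        return "green" if idv_passed else "red"
    return path


# Constructed sample requests, not real provisioning data.
SAMPLES = {
    "push_good_account": ProvisioningRequest("push", 10, 0, 400),
    "manual_new_account": ProvisioningRequest("manual", 10, 0, 5),
    "manual_risky_device": ProvisioningRequest("manual", 70, 0, 400),
    "push_token_velocity": ProvisioningRequest("push", 10, 6, 400),
    "manual_lost_card": ProvisioningRequest("manual", 10, 0, 400, card_status="lost"),
    "manual_strict_issuer": ProvisioningRequest("manual", 10, 0, 400,
                                                issuer_rules={"step_up_all_manual": True}),
}


def run_samples() -> dict[str, str]:
    return {name: provisioning_path(req)[0] for name, req in SAMPLES.items()}


if __name__ == "__main__":
    for name, colour in run_samples().items():
        print(f"{name:22s} -> {colour}")
```

The reduction with `SEVERITY` is the point: a request is only green when nobody objects, and no later party can override an earlier decline.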
- Are there differences between how Visa and Mastercard process their tokens/create tokens?
- “Technically there are differences between the APIs that they use and some restrictions around certain features, but in general the flow is similar with the entities they communicate with; there are nuances with each of them, though.”
- What are the key differences between ApplePay and GooglePay?
- The key differences between Apple Pay and Google Pay are the way they store digital wallet tokens, the ways they allow tokens to be provisioned, and the methods they require issuers to integrate with to do so. Here we focus on storage, which is the largest difference. On Apple devices today the digital wallet token is stored on a chip called a secure element. The secure element is an industry-standard, certified chip inside Apple devices running the Java Card platform, a secure operating system on a tamper-resistant processor chip; it is compliant with financial industry requirements for electronic payments. The other form of token storage, more commonly used by Android devices, is host card emulation (HCE). HCE is a software architecture that provides an exact virtual representation of various electronic identity cards using only software. It lets mobile applications on supported operating systems offer payment card access independently of third parties, relying on cryptographic processes performed online rather than a secure element. Support for HCE from the major networks started in 2014, while secure elements have been supported much longer.
- How is this more secure than using EMV?
- A digital wallet token is more secure than a plain EMV chip card because tokenization applies to every transaction the token makes, whereas with an EMV chip card the credential in the chip is the real PAN and tokenization of that credential is not standard.
- https://www.emvco.com/emv-technologies/payment-tokenisation/
- In tokenization, a unique token is created to represent a card instead of using the actual card number. The token is used for transactions and the actual card number is never shared with the merchant. This makes it harder for attackers to steal card information, since they would only be able to access the token, which is useless outside the payment system.
- Digital wallet transactions also carry dynamic data: the token itself stays the same, but each transaction includes a cryptogram generated fresh for that transaction (see the first question). A captured token plus cryptogram therefore cannot be reused, because the attacker would need a new valid cryptogram for every transaction, and only the device the token was provisioned to can produce one.
- Device-based security: Digital wallets are often tied to a specific device, such as a smartphone, which can be secured with a passcode, fingerprint, or face recognition. This provides an additional layer of security to ensure that only the authorized user can access the digital wallet and make payments.
- Tokenization can also be used in conjunction with other security measures such as 3DS (3-D Secure), an additional layer of authentication for online transactions.
- At the time of the tap, how is the Token being passed to the terminal?
At the time of a tap, a digital wallet token can be passed to the terminal in several ways, depending on the digital wallet and terminal being used. The most common method is:
- Near-field communication (NFC): most digital wallets use NFC to transmit the token to the terminal. The user brings the wallet device, such as a smartphone, close to the terminal and the token (with its cryptogram) is transferred wirelessly.
- Less common ways of passing the token are QR code, barcode, Bluetooth and audio:
- QR Code: Some digital wallets use QR codes to transmit the token to the terminal. This involves displaying a QR code on the digital wallet device, which the terminal scans using its built-in camera to retrieve the token.
- Barcode: When using a barcode, this works similar to QR code where the user is displaying a barcode on the digital wallet device, which the terminal scans using its built-in scanner to retrieve the token.
- Much less common, but some digital wallets also use Bluetooth to transmit the token to the terminal, transmitting it through an established connection after pairing.
- Lastly, some digital wallets use audio to transmit the token to the terminal. The device's speaker encodes the token in sound waves and the terminal's built-in microphone receives it.
The specific method used will depend on the capabilities of the digital wallet and the terminal. The most common method is NFC, which is supported by most modern smartphones and payment terminals.
- How is it being decrypted?
- For the standard digital wallet tokens from Apple, Google, Samsung and the other major wallet providers, the token is "decrypted", more precisely detokenized, at the network level: the network, acting as Token Service Provider, looks the token up in its token vault, validates the cryptogram, and forwards the underlying PAN to the issuer for authorization. That is why these are called network tokens.
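A toy Token Service Provider, added here as an illustration and not code from any network, wallet or issuer processor. It shows the mapping described in the first question and in this one: the PAN lives only in the TSP's token vault, the device holds a 16-digit Luhn-valid token plus a token-specific key, each tap produces a fresh cryptogram over the token, the device's transaction counter and terminal-supplied data, and detokenization succeeds only when the cryptogram verifies and the counter has advanced. The HMAC construction, the field layout, the key size and the sample PAN are assumptions; real networks use the EMV-defined session-key derivation and cryptogram format, not this one.

```python
"""Toy Token Service Provider: token vault, per-device key, per-tap cryptogram.

Added illustration only; not any network's API or the EMV cryptogram algorithm.
The HMAC construction, field layout, key size and sample PAN are assumptions.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional


def luhn_check_digit(payload: str) -> str:
    """Check digit that makes payload + digit pass the Luhn test, like a real PAN."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:          # every second digit from the right, once the check digit is appended
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def make_cryptogram(key: bytes, token: str, atc: int, unpredictable_number: int,
                    amount_cents: int) -> bytes:
    """One-time code over the token, the device's transaction counter (ATC) and data the
    terminal supplies. Assumed construction: HMAC-SHA256 truncated to 8 bytes."""
    msg = f"{token}|{atc}|{unpredictable_number:08x}|{amount_cents}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


@dataclass
class TokenRecord:
    pan: str         # the real card number; never leaves the vault
    device_id: str
    key: bytes       # token-specific key shared only with the device it was provisioned to
    last_atc: int = 0


class TokenServiceProvider:
    def __init__(self) -> None:
        self._vault: dict[str, TokenRecord] = {}

    def provision(self, pan: str, device_id: str) -> tuple[str, bytes]:
        """Issue a 16-digit token that is unrelated to the PAN except through this vault."""
        body = "4" + "".join(str(secrets.randbelow(10)) for _ in range(14))
        token = body + luhn_check_digit(body)
        key = secrets.token_bytes(16)
        self._vault[token] = TokenRecord(pan, device_id, key)
        return token, key

    def detokenize(self, token: str, atc: int, unpredictable_number: int, amount_cents: int,
                   cryptogram: Optional[bytes]) -> Optional[str]:
        """Map a token to its PAN only if the cryptogram proves the provisioned device made this tap."""
        rec = self._vault.get(token)
        if rec is None or cryptogram is None:
            return None     # unknown token, or a token keyed in without a cryptogram
        expected = make_cryptogram(rec.key, token, atc, unpredictable_number, amount_cents)
        if not hmac.compare_digest(expected, cryptogram):
            return None     # wrong key: not the device this token was provisioned to
        if atc <= rec.last_atc:
            return None     # counter did not move forward: replayed tap
        rec.last_atc = atc
        return rec.pan


class WalletDevice:
    """Holds the token and key (on a secure element or via HCE); never sees the PAN."""

    def __init__(self, token: str, key: bytes) -> None:
        self.token, self._key, self.atc = token, key, 0

    def tap(self, unpredictable_number: int, amount_cents: int) -> dict:
        self.atc += 1
        return {"token": self.token, "atc": self.atc, "un": unpredictable_number,
                "amount": amount_cents,
                "cryptogram": make_cryptogram(self._key, self.token, self.atc,
                                              unpredictable_number, amount_cents)}


def walkthrough() -> dict:
    """Genuine tap, replayed tap, thief with the token but not the key, keyed-in token."""
    tsp = TokenServiceProvider()
    pan = "4111111111111111"                       # constructed sample PAN
    token, key = tsp.provision(pan, "phone-A")
    phone = WalletDevice(token, key)

    def authorize(msg: dict) -> Optional[str]:    # what the network does with the tap data
        return tsp.detokenize(msg["token"], msg["atc"], msg["un"], msg["amount"], msg["cryptogram"])

    tap1 = phone.tap(unpredictable_number=0x1A2B3C4D, amount_cents=1250)
    thief = WalletDevice(token, secrets.token_bytes(16))   # knows the 16 digits, not the key
    return {
        "pan": pan,
        "token": token,
        "genuine": authorize(tap1),
        "replay": authorize(tap1),                           # same cryptogram sent again
        "stolen_token": authorize(thief.tap(0x5E6F7081, 9900)),
        "keyed_in": tsp.detokenize(token, 99, 0, 500, None),
        "next_genuine": authorize(phone.tap(0x0BADF00D, 300)),
    }


if __name__ == "__main__":
    for k, v in walkthrough().items():
        print(f"{k:13s} {v}")
```

Only the genuine taps resolve to the PAN; the replayed cryptogram, the thief who copied the 16 digits, and the token keyed in with no cryptogram all come back as nothing, which is the failure the first answer describes for a token used away from the device it was provisioned to.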
- Do I have to have FaceID or TouchID enabled to use ApplePay or GooglePay?
- Not strictly. Apple Pay uses Face ID or Touch ID when one of them is enabled; if only a device passcode is enabled, you verify with the passcode; and if you have none of these enabled, you will have to enter your Apple ID passcode when trying to provision a token. !!! Add Google Notes !!!
- How is Express Transit bypassing the need for FaceID or TouchID?
- With Express Transit the wallet uses the last known state of the digital wallet token to skip authentication at the tap. This opens a use case for bad actors to get free rides, but the networks are putting security measures in place to help prevent this. This is not something I am likely allowed to discuss at this time, so I will refrain from doing so.
- Are there major differences in using ApplePay or GooglePay for Online Commerce vs In Person?
- Yes. In person you use your device, which stores the digital wallet token on the secure element in the case of Apple or through host card emulation (cloud-backed) in the case of Google. For online commerce there are generally three ways to pay with these services: with the token stored on your mobile device, with the token stored on your desktop device, or with an e-commerce token, where you previously had your card on file with the merchant and the merchant requests a digital wallet token provisioned to the merchant so it transacts on the token rather than the card.
- Do debit cards behave differently if they are tokenized vs using the physical card? (Bypass PIN is usually not allowed on Tokens at some terminals)
- Need to input information here
- In App Provisioning vs Manual Provisioning - what are the benefits?
- Let's take a product approach and focus on the customer experience. Two things matter in the provisioning experience: the ability to provision and the speed of provisioning. For manual provisioning you must have access to both the digital wallet and the actual card number, which means either having the physical card so you can type in or scan the number, or having the number displayed online somewhere. There are limitations, but the advantage is that it works with nothing more than the card number, and from a browser as long as the number is displayed. From an implementation perspective, this requires the issuer either to be PCI compliant or to use a PCI-compliant widget from its upstream issuer processor. Something not widely known is that because there is more risk here from a card-usage perspective, step-up is more frequent: from the digital wallet's point of view any card picked up off the ground could be manually provisioned into a user's device, so the risk profile is higher. With in-app provisioning, the advantage is that you do not have to be PCI compliant, but you must have an application installed, which requires the issuer to build an app integrating with the digital wallet provider and the issuer processor or program manager. This lets the card be "pushed" into the wallet while the user has already been verified by the issuer, since the cardholder is logged into its application, so yellow or orange paths are less frequent.