BACKGROUND
As technology evolves, consumers are increasingly making their purchases online or through mobile devices and “digital wallet” applications — and their payment card information may be saved online for more efficiency in future check-out experiences. In response, the industry has moved to support payment form factors that provide increased protection against counterfeiting, account misuse and other forms of fraud.
With criminals inventing new ways to steal customer information, it is more important than ever for financial institutions, merchants and payment brands to ensure consumer security. While EMV chip cards provide substantial protection for card-present transactions, a similar need exists to minimize unauthorized use of cardholder account data and to reduce cross-channel fraud for card-not-present transactions, as well as in emerging transaction environments that combine elements of card-present and card-not-present transactions. One such way is through the use of payment token numbers.
GENERAL INFORMATION
What is Tokenization?
Tokenization is a method for protecting card data by substituting a card’s Primary Account Number (PAN) with a unique, randomly generated sequence of numbers. This “token” can be reversed to its true associated PAN value by the service provider who initially created the token. Tokens can be either single- or multi-use.
The number is the same length and format as the original PAN; it is no different from a standard payment card number in the virtual eyes of back-end transaction processing systems, applications and storage tools. The random token sequence acts as a substitute value for the actual PAN while the data is at rest inside an issuer’s or retailer’s systems. Tokenization eliminates the need for merchants, e-commerce sites and operators of mobile wallets to store sensitive payment card data on their networks.
Payment Tokenization allows a consumer to register a payment card with a mobile wallet or online store and replace the actual card number with a payment token number used for that merchant or wallet vendor.
What are the benefits of payment Tokenization for the issuer and cardholder?
For the cardholder, Tokenization provides a digital user experience offering:
• Data security — the payment token number is meaningless to anyone except the issuer and payment brand, and it can only be used with the registered mobile device or online merchant with whom the consumer registered.
• Simplified purchasing experience for consumers by largely eliminating the need to enter and re-enter the account number when shopping on a consumer-controlled mobile device
• Reduced proliferation of account numbers for both e-commerce and m-commerce
Issuers benefit from:
• Data security
• Enhanced cardholder experience
• Global standard and interoperability — helps reduce data protection requirements for the payment brand and its participants
• New POS payment protocol support (i.e., NFC, QR code, other)
• Increased transparency of transactions from alternative payment providers
• Simplified payment process for the cardholder
• Improved transaction approval levels, and reduced risk of subsequent fraud in the event of a data breach in which payment tokens are exposed instead of PANs
Tokenization:
FAQs & General Information
How does Tokenization benefit the merchant?
A token is stored in the merchant environment in place of the primary account number, making it possible for a merchant to process follow-up transactions, without having to store customers’ account data in the clear:
• Tokens remove the need for merchants to retain PANs in card data environment.
• Tokens cannot be used by an unauthorized party to conduct fraudulent transactions.
• Tokens match the format of the initiating PAN.
• Tokens do not overlap major brands. Visa®, MasterCard® and American Express® are using different BIN ranges for Tokenization that look exactly like their PANs today. Visa and MasterCard will be using BINs within their existing range today.
• Tokens are card-based, meaning a merchant will always get the same token back for a specific PAN.
• Tokens share the last four digits with the corresponding PAN.
• A payment token can be used freely by systems and applications within a merchant environment. Where payment Tokenization is properly implemented, merchants can limit the storage of cardholder data to within the Tokenization system, and can simplify an entity’s assessment against PCI DSS standards.
• Acquirers and merchants may experience a reduced threat of online attacks and data breaches, as payment token databases are less appealing targets given their limitation to a specific domain (i.e., online, NFC, QR Code). Acquirers and merchants may also benefit from the higher assurance levels that payment tokens offer.
• Merchants can use Tokenization to facilitate on-demand, subscription or recurring transactions.
• Decreased shopping cart abandonment rates.
How does payment Tokenization affect the consumer experience?
The consumer has greater peace of mind with enhanced security measures, and he or she also benefits from a more efficient shopping experience. For instance:
• The card number and other details a consumer uses during enrollment can be taken by a wallet provider and passed securely to the payment brand.
• The Token Service Provider then switches the physical card number for a completely different payment token number with a new expiration date.
• The payment token — not the consumer’s card number — is stored securely in the phone’s wallet.
• The payment token can only be used with the associated device.
Similarly, whenever a consumer uses NFC at a merchant, the payment token is used in the transaction. If a criminal compromises the merchant, the data is completely unusable.
The consumer can also use payment Tokenization in e-commerce or m-commerce scenarios. When the consumer associates their payment card with an e-commerce merchant using payment Tokenization, they receive a new payment token number to be used solely with that particular e-commerce merchant.
When the consumer shops online with that merchant, the payment token is the only data being passed to the merchant’s site. Just as in the in-store example above, if a criminal hacked the e-commerce site and accessed the consumer’s information, the hacker would find the information completely useless.
Why is Tokenization needed today?
Over the past few years, broad proliferation of “card-on-file” models, both “Remote” and “Proximity,” has created an industry need to produce and use tokens. Some examples:
www.tsys.com
These new business models and use cases for card-on-file transactions create several issues:
• Emerging Payment models within the current industry infrastructure result in the lack of full visibility into transaction data.
• Reduced security with the card credentials passed through new channels and form factors
• Challenges in ownership of customer service and post-transaction issues/dispute resolution
What is the difference between Tokenization and encryption?
Tokenization protects data “at rest,” while encryption protects data “in motion.” Other differences between tokenization and encryption are outlined in the table below:
1 Applies to a typical, smaller sizes. Source: RSA Data Tokenization Server with Encryption.
What is the difference between a token and a single-use or virtual account?
Tokenized accounts, single use accounts and virtual accounts are similar in that each masks the original PAN. However, each differs in use case as well as how it “translates” back to that PAN behind the scenes.
• A single-use account number is typically used once for a specific purchase and changed for each transaction. There are also other forms of virtual accounts or ghost accounts that can be used for more than one purchase or transaction. Usually the financial institution or processor owns the conversion of the single use/virtual account to the PAN.
• Tokenized accounts can be used for multiple purchases, and can be restricted in how they are used with a specific merchant, device, transaction or category of transactions. Token purchases go through the Network Service with the card brands for conversion to the PAN.
How is payment Tokenization affecting the payments ecosystem?
Technology is changing the way we deal with payments. As the table below highlights, there are a number of differences in how the payments ecosystem deals with plastic and non-plastics in the market.
Regardless of how the payment token is created, stored, or used, the token must be compatible with the existing payment processing ecosystem. The industry recognizes two new entities for payment tokenization, as indicated in the following table.
| | Tokenization | Encryption |
|---|---|---|
| Performance¹ | Centralized model with good performance in data center, assuming a robust back-end. Network latency is a performance consideration. | Distributed model with excellent performance. |
| Data portability | Data must be “de-tokenized” to be exported outside of customer-controlled domain. | Key can be exported to allow encrypted data to be exported. |
| “Off-line” use | Requires connection to token server, or distributed token servers. | Locally cached keys permit offline use. |
| Operational impacts | Can customize token to reduce or eliminate operational impacts. | Format of encrypted elements cannot be defined. |
| Deployment impacts | Low. Only applications capturing or using the PAN need to be changed. No DB/file changes needed. | Moderate. All applications capturing or using the PAN, plus *all* applications where the expansion of the PAN impacts other fields. |

| | How is the credential created and transmitted to the storage location? | Where and how is the credential stored? | How is the credential used to create a payment transaction? |
|---|---|---|---|
| With Plastics | Create a 16-digit PAN, personalize plastic | EMV, mag stripe, card-on-file system | Swipe, dip or tap plastic |

TOKEN STANDARD
What standards are in place to guide the industry for Tokenization?
On March 11, 2014, EMVCo (Visa®, MasterCard®, American Express®, JCB®, Discover® and UnionPay®) published the first guide covering industry specifications for Tokenization, titled “EMV Tokenization Payment Tokenization Specifications.” The specifications deal with the required technical architecture of the Tokenization standard for securing online payments using tokens via consumer-controlled mobile devices.
Current payment token standards include:
• Tokens will meet ISO standards (13- to 19-character numeric length) to support payment processing within the existing ecosystem.
• There is no conflict with an issuer-assigned PAN, and tokens are generated from a separate BIN.
• Token BIN/PAN ranges reflect the product attributes, such as debit or signature.
• Payment tokens must pass basic validation rules of an account number while reinforcing interoperability.
• All tokens are mapped and associated with an underlying PAN that is sent in authorization to the issuer.
• Tokens are accepted, processed and routed based on the ecosystem (i.e., merchants, acquirers, processors, networks and issuers).
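The token properties in the list above and in the merchant section (same length as the PAN, a separate token BIN, shared last four digits, basic account-number validation, the same token returned for the same card, use limited to one requestor) can be seen together in a small vault sketch. This is an added Python example, not TSYS or EMVCo code; the `TokenVault` class, the BIN `999999`, the Luhn check standing in for "basic validation rules" and the requestor names are assumptions made for illustration.

```python
import secrets

TOKEN_BIN = "999999"  # constructed placeholder token BIN, not a real brand range


def luhn_valid(number: str) -> bool:
    """Basic account-number validation: Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Toy vault (hypothetical): maps (PAN, requestor) to one token and back."""

    def __init__(self):
        self._by_card = {}   # (pan, requestor) -> token
        self._by_token = {}  # token -> (pan, requestor)

    def tokenize(self, pan: str, requestor: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a valid PAN")
        key = (pan, requestor)
        if key in self._by_card:  # card-based: same token every time
            return self._by_card[key]
        while True:  # retry on the rare collision with an existing token
            token = self._candidate(pan)
            if token != pan and token not in self._by_token:
                break
        self._by_card[key] = token
        self._by_token[token] = key
        return token

    @staticmethod
    def _candidate(pan: str) -> str:
        last4 = pan[-4:]
        free = len(pan) - len(TOKEN_BIN) - 4  # digits between BIN and last four
        body = "".join(secrets.choice("0123456789") for _ in range(free - 1))
        # The final digit is fixed (it belongs to the shared last four), so one
        # middle digit is chosen to make the whole number pass the Luhn check.
        for d in "0123456789":
            token = TOKEN_BIN + body + d + last4
            if luhn_valid(token):
                return token
        raise AssertionError("unreachable: one digit always satisfies Luhn")

    def detokenize(self, token: str, requestor: str) -> str:
        pan, owner = self._by_token[token]
        if owner != requestor:  # token is bound to the requestor it was issued to
            raise PermissionError("token presented outside its domain")
        return pan
```

A token taken from one requestor's database fails `detokenize` when presented under any other requestor name, which is the domain restriction the text credits with making token databases less attractive targets.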
What are the token-related fields that TSYS is supporting?
TSYS clients can refer to the TSYS Enterprise Tokenization Manual on Docline for this information.
How are token decisions made?
Token approvals for requesting card accounts will not always be granted. Issuers will be able to evaluate each token request based on numerous risk parameters in place at the time. Generally, this results in one of the following outcomes:
• Successfully approve to generate and issue an active token
• Decline the request to issue the token
• Conditionally approve, requiring additional cardholder authentication before going to the decline
If additional cardholder authentication is required, issuers have the option to perform additional Identification and Verification (ID&V) checks (i.e., one-time password (OTP) or Knowledge based authentication (KBA)) with the consumer to decide whether the card qualifies to be tokenized.
What does the payment token request process look like?
The illustration below highlights the process of a Payment Token Request:
[Figure: Payment Token Request. Labels: Token Requestor, Token Vault (Token, PAN), Issuer (ID&V), Token Evaluation Request, Authorization Request; numbered steps 1 to 4.]
| Entities | Description |
|---|---|
| Cardholder | Consumer-enrolled issuer / network |
| Card Acceptor | Merchant-enrolled acquirer / network |
| Issuer | Financial Institution / Processor |
| Acquirer | Financial Institution / Processor |
| Network (Visa, MasterCard, American Express) | Card network / Processor |
| Token Requestor | Enrolled entity requesting tokens |
Step 1: The Token Requestor sends a cardholder PAN to the token vault (i.e., a request).
Step 2: The issuer performs ID&V and passes those results to the vault. This is known as “binding.” This completes the payment token registration. ID&V ensures that the payment token is replacing a PAN that was legitimately being used by the Token Requestor. ID&V is performed each time a payment token is requested.
Step 3: As part of the Payment Token Evaluation Request Process, the Token Vault alerts the issuer that Identification and Verification (ID&V) is needed.
Step 4: The Token Vault passes the registered payment token to the Token Requestor, completing the payment token request.
Token Authorization
The illustration below demonstrates the Payment Token Transaction Authorization process:
Step 1: The cardholder initiates a purchase with a payment token, which then passes through the merchant acquirer as if it were a PAN.
Step 2: The payment token is de-tokenized into a PAN by the Token Service Provider (TSP).
Step 3: The PAN and token are sent to the issuer, which makes an authorisation decision.
Step 4: The issuer sends the PAN and authorisation response back to the TSP.
Step 5: The TSP re-tokenizes the PAN.
Step 6: The TSP sends the PAN and authorisation response through the acquirer to the merchant.
WHAT TSYS IS DOING IN TOKENIZATION
Is TSYS ready for Tokenization from a compliance standpoint?
Yes. TSYS is supporting the mandates issued by the payment brands relating to Tokenization processing. Additionally, TSYS is reviewing the EMVCo proposed token standards. There are currently several pieces of compliance information available on Docline that our clients can access:
• XMLM Enhancements
• Changes to FCS and WCSA Screens and Reports to Support the Visa Payment Token Standard
• Compliance Release 14.1 North America
• Adding Fields to the Authorization Log to Support the Payment Token Standard
Is TSYS supporting the Network Token On Behalf Of (OBO) Services?
Yes. TSYS Enterprise Tokenization℠ is a plug-and-play solution specifically designed to secure payment card information for Mobile use cases — whether those are through digital wallets or “In-App” transactions. POS and online purchases remain unchanged as they are today with no token. It is our belief that Tokenization via the digital/mobile wallet will be the catalyst that fuels mobile payment growth and proliferation because both the consumer’s and the merchant’s data are more secure. TSYS’ Tokenization solution is designed for compatibility with various mobile offerings. As cardholders begin to shift to mobile payments, we recommend that you provide the highest protection available.
[Figure: Payment Token Transaction Authorization. Labels: Merchant, Token Service, Token Vault (Token, PAN), Issuer (ID&V), Token Requestor, Authorization Request, Authorization Response, Token, PAN+Token; numbered steps.]
The initial TSYS Tokenization solution includes the following products and services:
• Brand Enrollment and Configuration to manage issuer enrollment with digital wallets (i.e. Apple Pay) and Network Services, including both Service Administration and Risk Management set-up. This service is not available for our International clients at this time.
• Transaction Processing to on-board clients to the platform and process token authorizations across TSYS systems and applications
• Call Center Management for existing TSYS Managed Services clients to administrate tokens and tokenized cardholder accounts
TSYS recognizes that continued investment and development is required to support Tokenization as a global standard. Further development is under way to support Tokenization beyond the U.S. and the U.K., and will be communicated in the future.
What steps do I need to take to begin offering Tokenization to my cardholders?
1. Determine your digital payments strategy. TSYS is available to assist you in this process.
2. Build and educate your team; research the requirements. Contact TSYS to receive the initial Product Documentation that includes our Implementation Overview with a questionnaire and pricing.
3. For Apple Pay specifically, engage TSYS to formally begin the process of enrolling with the networks, processing transactions and readying your call center representatives to receive inquiries related to tokenized transactions and accounts.
More detail on each of the steps above can be found in our published best practices document, located on www.tsys.com
Who is eligible to offer Apple Pay?
Apple Pay is now available to U.S. and U.K. issuers on the Consumer platforms. TSYS is waiting for Apple and the brands to finalize the rollout dates for commercial portfolios and other regions, and we will be able to determine eligibility or implementation dates shortly thereafter. Contact your account manager for updates.
When will Tokenization be available for the rest of North America and other International Locations?
TSYS is working now to make our service available to our Canadian clients to accommodate other digital wallets that may be available in the near future.
Apple has not specified a date for Apple Pay (Tokenization) to be available to the rest of North America or wider European
[Figure: TSYS Tokenization products and services]
Brand Enrollment and Configuration (Service Administration)
ENROLLMENT, CONFIGURATION
• As part of the set up, TSYS will do the enrollment on behalf of the issuer (Enablement model to be confirmed with the schemes)
• Issuer must identify BINs, provide card art and sign the wallet provider agreement
This service is not available to International clients at this time.
Transaction Processing (Token Operations)
AUTHORISATION/CLEARING/SETTLEMENT, EXCEPTIONS, FRAUD/RISK, VALUE-ADD APPS
• Implementation — Configuration management, authorisation logs, fraud & risk, testing
• Processing — Provisioning authorization requests, account verification, tapped transaction & e-commerce
Call Center Management (Token Administration)
LIFECYCLE
© 2015 Total System Services, Inc.®. All rights reserved worldwide. Total System Services, Inc., and TSYS® are federally registered service marks of Total System Services, Inc., in the United States. Total System Services, Inc., and its affiliates own a number of service marks that are registered in the United States and in other countries. All other products and company names are trademarks of their respective companies. (06/2015)
to learn more
contact your sales representative or account manager at +1.706.649.2307, +44 1904 562 000 or visit us at www.tsys.com.
What about Commercial, Debit, Prepaid, the rest of North America and other International Locations?
We are evaluating other card types, platforms and regions based on both client demand and changes in the industry. Contact your TSYS account manager or relationship representative to discuss your specific needs, and we will share additional details as our plans and long-term roadmaps develop.
Is my small business portfolio eligible?
If your small business customers are on the Consumer credit platform, they could be included. However, current use cases are consumer-focused. This service is BIN-driven. Check with your TSYS account manager or sales representative to verify availability.
Will we need to re-issue cards in order to offer this product to our cardholders?
No. Adding Apple Pay or any other digital wallet does not have any impact on your issued cards.
What is unique about the TSYS Tokenization Solution?
TSYS is able to utilize the OBO services provided by the payment brands and combine the results with account data, using issuer-defined rules and parameters to process transactions. TSYS is also preparing to enhance reporting capabilities associated with token authorizations through TSYS Analytics.
I know there are other digital wallets available in the market. Can TSYS process transactions for those providers as well as Apple?
TSYS is working to enable Tokenization for all issuers through any digital wallet or payment application provider − as they are available in your market.
Who should I contact at Apple to begin discussions on offering Apple Pay?
Contacting Apple is not necessary for each issuer. All activities for enablement with Apple will be managed through a combination of TSYS and the payment brands. In the enrollment process, you will need to accept the non-negotiable Issuer Terms and Conditions of Apple.