cartes2015 pep card - final

ProxyEMVPay (PEP) Solution (Decoupled Tokenization) by Milos Dunjic (Lungo Consulting Inc.) and Nebo Djurdjevic (Lina Consulting Inc). PATENT PENDING

Upload: milos-dunjic

Post on 11-Jan-2017


TRANSCRIPT

Page 1: CARTES2015 PEP Card - FINAL

ProxyEMVPay (PEP) Solution (Decoupled Tokenization)

by Milos Dunjic (Lungo Consulting Inc.) and Nebo Djurdjevic (Lina Consulting Inc)

Page 2: CARTES2015 PEP Card - FINAL

Current approach to payment tokenization

Financial accounts:
• Bank A – credit card
• Bank A – debit card
• Bank B – credit card
• Bank B – DDA account
• Store card
• Private Label card
• Corporate card
• Bitcoin wallet

Payment devices:
• Cards
• iPhone
• Android phone
• tablet
• laptop
• AppleWatch
• Car
• SmartTV
• keyfob???
• ???

Pushing digital card tokens to connected devices only

Each card account requires multiple tokens, to be supported by the Issuer, Scheme and device OEM – myriad of systems, inconvenient and not covering all consumer accounts/devices

Page 3: CARTES2015 PEP Card - FINAL

PEP approach: decoupled tokenization

Financial accounts:
• Bank A – credit card
• Bank A – debit card
• Bank B – credit card
• Bank B – DDA account
• Store card
• Private Label card
• Corporate card
• Bitcoin wallet

Payment devices:
• card
• iPhone
• Android phone
• tablet
• laptop
• AppleWatch
• car
• smartTV
• keyfob

Consumer can link any device in flexible way to any payment account

Consumer can enable any smart device containing a PEP token to be linked to any of his/her payment accounts, and change or deactivate the links at any time via mobile app

Page 4: CARTES2015 PEP Card - FINAL

Coupled vs. Decoupled Tokenization

Coupled Tokenization (Card Scheme implementations)
• Payment Token cannot be issued by TSP UNLESS it is uniquely linked to a real Payment Account (i.e. card PAN)
– Main purpose of token is to hide real PAN during digital channel payments
– Token is permanently and statically linked to a single payment card account and device (at time of issuance)
– Token can be for use in single or multiple transactions

Decoupled Tokenization (EMV-compliant extension of tokenization)
• Payment Token is pre-issued as ‘inactive’ and can be linked at any time to any Payment Account / Instrument
– Tokenized EMV PEP cards automatically protect payment credentials and can be used at any EMV-compliant POS terminal
– Multiple PEP-tokenized devices can be securely & dynamically linked on-demand to the same or different underlying payment accounts (at usage time) via PEP mobile app
– EMV security and acceptance interface can be extended to other payment systems in the background (e.g. ACH, MNO carrier billing, Bitcoin, etc.)

Page 5: CARTES2015 PEP Card - FINAL

ProxyEMVPay (PEP) Card - Issuing & Perso

• PEP Card is standard EMV compliant card
– Issued as Visa, MasterCard, Amex or Discover EMV card
• Loaded with brand specific payment applets for contact / contactless
– Can be issued by non financial 3rd party, Payment Network or traditional financial Card Issuer
– Can be offered off the shelf in stores / kiosks or ordered online
– Very cost effective to issue and operate
• Every PEP Card personalized with:
– EMV PEP Token Cryptogram Unique Key
– PEP Token (i.e. ISO/IEC 7812 compatible PEP Card Number)
– PEP Token Expiry Data
• PEP Card is issued as ‘inactive’
– In PEP TSP PEP Token isn’t linked to any underlying payment credentials
• PEP Card must be securely linked, via PEP Mobile App to a valid underlying set of payment credentials (i.e. ‘activated’)
• PEP Token can be ‘de-activated’
– automatically (when any of the usage restrictions are exceeded) or on-demand (using PEP Management App)
• PEP Token can be linked to the same or different payment credentials during different ‘activity’ periods

[Diagram: PEP TSP record (PEP Token, NULL Payment Credentials, PEP Token Expiry); PEP TSP HSM (PEP Token Cryptogram Master Key); card data (PEP Token, PEP Token Cryptogram Unique Key, PEP Token Expiry)]

Page 6: CARTES2015 PEP Card - FINAL

ProxyEMVPay (PEP) Card - Linking

Step 1: Consumer provides PEP Token + Underlying Card [PAN, Expiry Date, CVV] + Defines usage Restrictions like:
• Maximum Spending Allowance
• Maximum Number Of Transactions
• Maximum Linking Time Period
• Proof Of Underlying Card Ownership (3D Secure CAVV, ECI, and XID)

Step 2: Establish Linking Record between PEP Token Data and Underlying Payment Card Data

Step 3: Establish Usage Restrictions Record

Step 4: Confirmation

[Diagram: PEP Card, PEP Mobile App, Underlying Payment Card, PEP TSP, PEP TSP HSM (PEP Token Cryptogram Master Key). PEP TSP record: PEP Token, Underlying Card PAN, Maximum Spending Allowance, Maximum Number Of Transactions, Maximum Linking Time Period, Proof Of Underlying Card Ownership (3D Secure CAVV, ECI, and XID), PEP Token Expiry]

Page 7: CARTES2015 PEP Card - FINAL

ProxyEMVPay (PEP) Card Transaction Flow - PEP TSP integrated with Issuer Host

Step 1: POS reads PEP card EMV data

Step 2: POS forwards PEP card EMV data to ACQ

Step 3: ACQ sends PEP card EMV data to Payment Network

Step 4: PN sends Underlying Card PAN data to Underlying Card Issuer (PEP TSP uses Card Issuer BIN range)

Step 5: Issuer Host sends PEP card EMV data to PEP TSP for de-tokenizing (specific Card Issuer BIN range)

Step 6: PEP TSP verifies PEP card EMV data, verifies usage restrictions, de-tokenizes PEP card EMV data, responds with EMVCo Tokenization compatible response containing Underlying Card PAN

Step 7: Underlying Card Issuer authorizes the request (treats it as Card Present type if it has relationship with / trusts its own PEP TSP)

[Diagram: PEP Card (PEP Token), ACQ, Payment Network, Card Issuer Host, Underlying Card Account, PEP TSP, PEP TSP HSM (PEP Token Cryptogram Master Key). PEP TSP record: Underlying Card PAN, Maximum Spending Allowance, Maximum Number Of Transactions, Maximum Linking Time Period, Proof Of Underlying Card Ownership (3D Secure CAVV, ECI, and XID)]

Page 8: CARTES2015 PEP Card - FINAL

ProxyEMVPay (PEP) Card Transaction Flow - PEP TSP integrated with Payment Network

Step 1: POS reads PEP card EMV data

Step 2: POS forwards PEP card EMV data to ACQ

Step 3: ACQ sends PEP card EMV data to Payment Network

Step 4: Payment Network sends PEP card EMV data to PEP TSP for de-tokenizing (PEP TSP own BIN range)

Step 5: PEP TSP verifies PEP card EMV data, verifies usage restrictions, de-tokenizes PEP card EMV data, responds with EMVCo Tokenization compatible response containing Underlying Card PAN

Step 6: Payment Network sends EMVCo Tokenization compatible response with Underlying Card PAN data to Underlying Card Issuer

Step 7: Underlying Card Issuer authorizes the request (treats it as Card Present type since it trusts Payment Network certified PEP TSP)

[Diagram: PEP Card (PEP Token), ACQ, Payment Network, Card Issuer Host, Underlying Card Account, PEP TSP, PEP TSP HSM (PEP Token Cryptogram Master Key). PEP TSP record: Underlying Card PAN, Maximum Spending Allowance, Maximum Number Of Transactions, Maximum Linking Time Period, Proof Of Underlying Card Ownership (3D Secure CAVV, ECI, and XID)]

Page 9: CARTES2015 PEP Card - FINAL

ProxyEMVPay (PEP) Card Transaction Flow - PEP TSP integrated with Acquirer

Step 1: POS reads PEP card EMV data

Step 2: POS forwards PEP card EMV data to ACQ

Step 3: ACQ sends PEP card EMV data to PEP TSP for de-tokenizing (PEP TSP own BIN range)

Step 4: PEP TSP verifies PEP card EMV data, verifies usage restrictions, de-tokenizes PEP card EMV data, responds with EMVCo Tokenization compatible response containing Underlying Card PAN

Step 5: ACQ sends EMVCo Tokenization compatible response with Underlying Card PAN data to Payment Network

Step 6: Payment Network sends EMVCo Tokenization compatible response with Underlying Card PAN data to Underlying Card Issuer

Step 7: Underlying Card Issuer authorizes the request (treats it as Card Present type since it trusts Payment Network certified PEP TSP)

[Diagram: PEP Card (PEP Token), ACQ, Payment Network, Card Issuer Host, Underlying Card Account, PEP TSP, PEP TSP HSM (PEP Token Cryptogram Master Key). PEP TSP record: Underlying Card PAN, Maximum Spending Allowance, Maximum Number Of Transactions, Maximum Linking Time Period, Proof Of Underlying Card Ownership (3D Secure CAVV, ECI, and XID)]
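The linking record, usage restrictions record and the de-tokenization step ("PEP TSP verifies PEP card EMV data, verifies usage restrictions, de-tokenizes") from the slides above, sketched as an added example that is not part of the original deck or the PEP product. The names `PepTsp`, `Link`, `unique_key` and `cryptogram` are hypothetical, HMAC-SHA256 stands in for the EMV key derivation and cryptogram algorithms, and de-activating on the first breached restriction is an assumed policy.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed demo key; stands in for the PEP Token Cryptogram Master Key in the HSM.
MASTER_KEY = b"constructed-demo-master-key"

def unique_key(token: str) -> bytes:
    # Assumption: HMAC stands in for the EMV derivation of the per-card unique key.
    return hmac.new(MASTER_KEY, token.encode(), hashlib.sha256).digest()

def cryptogram(token: str, amount: int, counter: int) -> bytes:
    # Simplified stand-in for the cryptogram the card computes over transaction data.
    msg = f"{amount}|{counter}".encode()
    return hmac.new(unique_key(token), msg, hashlib.sha256).digest()

@dataclass
class Link:
    pan: str
    max_spend: int     # Maximum Spending Allowance (minor units)
    max_txns: int      # Maximum Number Of Transactions
    expires_at: float  # end of Maximum Linking Time Period
    spent: int = 0
    txns: int = 0

class PepTsp:
    def __init__(self, tokens):
        self.vault = {t: None for t in tokens}  # pre-issued 'inactive': NULL credentials

    def link(self, token, pan, max_spend, max_txns, period_s, ownership_proven, now):
        # ownership_proven models a successful 3D Secure check of the underlying card.
        if token not in self.vault or not ownership_proven:
            return False
        self.vault[token] = Link(pan, max_spend, max_txns, now + period_s)
        return True

    def detokenize(self, token, amount, counter, cgram, now):
        link = self.vault.get(token)
        if link is None:
            return None  # unknown or inactive token
        if not hmac.compare_digest(cgram, cryptogram(token, amount, counter)):
            return None  # cryptogram does not verify
        over = (now > link.expires_at or link.txns + 1 > link.max_txns
                or link.spent + amount > link.max_spend)
        if over:
            self.vault[token] = None  # assumed policy: de-activate on first breach
            return None
        link.spent, link.txns = link.spent + amount, link.txns + 1
        return link.pan
```

The underlying PAN is released only when the token is linked, the cryptogram verifies and every usage restriction still holds; a failed cryptogram leaves the link untouched, while a breached restriction returns the token to the inactive state so it can be re-linked later.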

Page 10: CARTES2015 PEP Card - FINAL

ProxyEMVPay Card Use Cases: Remittances

• Set-up
– Solution to be offered by banks or specialized money transfer companies
– Principle: recipient will access funds on account from sender (in sending country) by using a PEP card
• Recipient obtains (locally) a pre-tokenized, ‘inactive’ ProxyEMVPay (PEP) card (anonymous)
• Sender ‘activates’ the recipient’s PEP card in a secure way
– Sender uses PEP Mobile App and links the recipient’s PEP card to sender’s payment card account
– Sender defines Maximum Spending Allowance, Maximum Number Of Transactions
• Recipient can use the PEP card after it’s been activated up to the Maximum Spending Allowance and/or Maximum Number Of Transactions (ATM, POS)

• Benefits
– Money transfer provider
• Full EMV security, payment credential protection
• Provision of cash on receiving end without using costly agents network
• Ability to enable sender to link his account to PEP cards from multiple recipients (also in ≠ countries)
– Senders and recipients of funds
• high convenience (fast, secure, ability to withdraw money in multiple parts, no need to carry all cash)
• cost-effectiveness (mainly ATM fees)
• ability to spend funds with card at POS
• ability to receive funds from multiple senders on same card

Page 11: CARTES2015 PEP Card - FINAL

ProxyEMVPay Card Use Cases: Decoupled payment wallet

• Set-up
– Two (decoupled) payment legs: purchase from merchant and funding by consumer
– Purchase from merchant
• Initiated at POS by consumer PEP device (e.g. card, mobile phone) provided by Third Party Wallet Provider (TPP - can be a MNO, merchant, device OEM, any other digital wallet provider)
• Processed as a card transaction, against a central card account (wallet account) held by the Third Party Provider (and issued by a bank partner or using own scheme license)
• Merchant is paid by his Acquirer, through normal scheme settlement with the Issuer of the TPP card account
– Funding of wallet by consumer
• Consumer securely links a funding account to (each) PEP-enabled device (e.g. bank account via ACH, carrier billing, card account)
• TPP wallet will initiate a funding transaction request from the linked account for each transaction that hits the central wallet account

• Benefits
– Purchase at POS is enabled using the card network and acceptance infrastructure, providing ubiquity without infrastructure investments
• ignites adoption of digital wallets and enables new payment business models by removing acceptance hurdle
– Funding of the purchases is decoupled from the POS process, and provides flexibility to consumers to choose their preferred funding method (regardless of merchant acceptance)
– In Europe, the TPP could act as Payment Initiation service provider under PSD2

Page 12: CARTES2015 PEP Card - FINAL

ProxyEMVPay Card Use Cases: Retailer Store Card Programs

• Set-up
– Closed loop program to be offered by Acquirer or directly by Merchant
– Consumer gets PEP-enabled card (and/or mobile HCE token) to serve as payment and loyalty device
– Consumer securely links an existing payment card to the PEP device
– Acquirer will connect with PEP TSP (or run internally) for de-tokenization into linked card PAN before routing the transaction to the card network
– Program can also be extended to group of merchants (e.g. shopping mall, lunch voucher program, brands belonging to same group)

• Benefits
– Consumers
• single card for loyalty and payment
• integrated wallet in merchant mobile app
• no need to get a new payment account or to put funds in a prepaid account
– Merchants
• no need to offer financial accounts to consumers and take on liability/risk
• no restriction to cooperation with single financial institution
• platform for merchant to design marketing/loyalty benefits for cardholders, potentially co-funded by partner banks (win-win)
– Acquirers
• white label loyalty and payment solution for merchants as value-added service and to create stickiness
– Issuers
• ability to create multiple partnerships with merchants, and to offer customized deals to customers based on life style preferences and purchasing habits/interests

Page 13: CARTES2015 PEP Card - FINAL

ProxyEMVPay Card Use Cases: Corporate Travel Cards

• Set-up
– Corporation has small number of REAL corporate travel card accounts (i.e. ‘PAN per cost center’)
– Corporation provides employees with pre-tokenized, ‘inactive’ EMV compatible PEP cards, compatible with the payment network brand behind REAL corporate travel card accounts
– Before actual travel takes place, authorized corporate person
• links the employee’s PEP travel card to one of the REAL underlying corporate travel card account PANs (i.e. cost center)
• 3D Secure is used to authenticate the authorized corporate person
• Authorized corporate person sets the spending parameters (e.g. Maximum Spending Allowance, Maximum Linking Time Period, Maximum Number Of Transactions)
– All transactions made by the employee’s PEP corporate card are authorized from the REAL corporate travel card account (i.e. cost center), which is linked to the employee’s PEP travel card

• Benefits
– Corporation
• Real corporate card payment credential protection
• full spending control
• automatic expense consolidation to appropriate cost centers
– Employee
• convenience of a regular corporate card
• automatic expense report generation
– Corporate Card Provider
• full EMV security
• Simplicity and cost-effectiveness of issuance
• easy replacement if lost or stolen
• risk control
