Talk by our expert Kurt Schmid about merchant tokenization and EMV® Secure Remote Commerce, held at MPE on 19 February 2019. Merchant Payments Ecosystems is a leading payment conference for merchants and PSPs.

1. MPE 2019 @ Berlin
Kurt Schmid, Managing Director Digital Payments
Addressing Issues in E-Commerce Checkouts
Merchant Tokenization &
EMV® Secure Remote Commerce

2. Questions to you, the Audience
 Who had experienced fraud on
his/her card(s)?
 Who likes to enter PANs again
and again for every new
merchant?
 Who knows all the places where
his/her card data is stored?
2

3. E-Commerce Checkouts
3
Majority (61%) is Card based, thereof
 29% is Cards-on-File (CoF)
 19% Guest Checkout
 13% Digital Wallets
“Global e-commerce payment market is expected
to grow from US$ 24.26 Bn in 2017 to US$ 64.69 Bn
by 2025 at a CAGR of 13.1% between 2018 and
2025.”
Even stronger growth for m-commerce and in-app
payments
Source: Mastercard, Worldpay, BCG

4. Concerns and Challenges in E-Commerce Payments
Merchant concerns:
 Lost revenues through
abandonments and
declines
 Low conversion rates
especially on mobile
channels
 Risk/fraud through
different attacks
 Higher transactional
costs for CNP versus CP
4
Issuer concerns:
 Lost transactional
revenues through
abandonments and
declines
 Risk/fraud through
different attacks
 Cost of customer care
24% Abandonment & Decline
rate when 3DS (1.0) is used
17% Decline rate when 3DS is
not used
4-10x Higher fraud rate of CNP
compared to CP
Source of figures: Mastercard, Worldpay, BCG

5. How to Solve This
5
Cards-on-file:
 Replace PAN by token to reduce risk
 Improve security to CP level (where a
cryptogram is used)
Cards in Guest Checkout:
 Same as above plus
 Improve usability for consumer

6. Let us Focus on These Points First
6
Cards-on-file:
 Replace PAN by token to reduce risk
 Improve security to CP level (where a
cryptogram is used)
Cards in Guest Checkout:
 Same as above plus
 Improve usability for consumer

7.  When PAN and other card data is
known, fraud can be committed with
little effort
 That’s why PAN and other card data is in
scope for PCI DSS
 Replacing the PAN (Funding PAN) by a
PAN only used on a device (DPAN) or
only with one defined merchant (MPAN)
Tokenization Will Improve Security and Usability
Securing the card number (PAN)
Token
Requestor
Token
Service
Provider
Card
Issuer
MDES VTS AETS

8. … Already Demonstrated by Many Token Requestors
8
Token Requestors
Token
Service
Provider
Card
Issuer
like X Pays, Smart Devices, IoT, ….
Issuer Pay
Merchant
App

9. MyBankApp
Accounts 6,750.00
Recent Transactions
Ready to Pay
ToPay SDK
Already Used for Cloud-Based Payments
9
Token
Requestor
(CMS-D,
MAP)
ToPay
Server
Scheme
Token
Service
(MDES
VTS
AETS)
Card
Issuer
Authenticates
Encrypted PAN
PSP,
Acquirer
Network
AuthDeTok.

10. So let us Apply This for E-Commerce?
VISA uses VTS for tokenization in E-Commerce
and Card on File (CoF)
Mastercard started M4M (MDES for Merchants)
The basic ideas
 A merchant does not store the PAN but a
token
 By using a cryptogram, security will be like
Card Present
10

11. Tokenization in E-Commerce is Using Same Principles Like MCP
Token
Requestor
(CMS-D,
MAP)
Scheme
Token
Service
(MDES
VTS
AETS)
Card
Issuer
PSP,
Acquirer
Network
AuthDeTok.
CoF
PAN Entry
17

12. Enroll:
 Add card manually or tokenize from Card-on-file
Display cards
 Card art coming from token service
(user sees his real card image)
Transact
 Generate EMV cryptogram (can be used for one
or more transactions)
Lifecycle
 Issuer account update
Here are the Four Main Use-Cases of Merchant Tokenization

13. Now to Solve This Challenge
13
Cards-on-file:
 Replace PAN by token to reduce risk
 Improve security to CP level (where a
cryptogram is used)
Cards in Guest Checkout:
 Same as above plus
 Improve usability for consumer

14. What is The Problem in Usability for the Consumer?
14
 Confusing number of checkout options
 Inconsistent checkout processes across the
various payment options
 Entry of card details / addresses cumbersome (in
particular on mobile device)
 Some checkout options start with onboarding
flow (“grrr” – I want to pay now”)
 OTP sent via SMS to copy from messaging app to
shopping app

15. The Answer: One Button for all Cards: SRC
15

16. EMV® Secure Remote Commerce Framework (“SRC”)
 Defined by EMVCo (https://www.emvco.com/emv-technologies/src/)
 Scheme agnostic to help interoperability
 Pay securely via single SRC checkout button
 Will be scheme-neutral successor of MasterPass & Visa Checkout starting 2019 / 2020
16

17. SRC has Some Promising Benefits to Show
Seamless experience – cards are magically found by
recognizing consumer and device
Onboarding can be made easy by pairing consumer and
device from within issuer app
SRC works the same for all schemes
Tokenization and EMV-like security will prevent fraud,
lower the costs, and increase approval rates
EMV 3-D Secure, outside the scope of SRC, will provide
the familiar authentication
17

18. SRC Flow if Device is Registered / Returned User

19. Versus First-time Flow

20. SRC Defines Some new Roles in the Checkout Flow
20
Token
Requestor
Token
Service
Provider
(Scheme)
Participating
Card Issuer
supporting
SRC
“SRC PI”
SRC System
Digital Card
Facilitator
“DCF”
Digital
Shopping
Application
(aka
Merchant)
“DSA”
PSP
SRC Initiator
“SRCI”

21. As Merchant / PSP: What to do Next?
21
Netcetera offers insights and technologies to
approach this new e-Commerce payment area.
Our experience is based on:
 A market leader position in 3DS and Digital
Payments
 Being involved in the development of the
standards as an EMVCo Technical Associate
 Being connected with all key market players
like issuers, merchants, PSP and schemes

22. Europaplatz4
4020Linz
Austria
netcetera.com
+43664 11211 00
Kurt Schmid
Managing Director Digital Payment
Kurt.Schmid@netcetera.com
22