Why Does AnyBank Manage its own Token Vault?

  • Bell ID, tokenization expert at HCE

As HCE and tokenization mobile payment solutions begin to come to market, Bell ID draws on its first-mover experience with multiple live projects to make the case for why a bank should consider becoming a Token Service Provider (TSP) and managing its own Token Vault. As the live projects are under NDA, Bell ID has used AnyBank, a fictional bank, to discuss the key drivers and challenges that inform the decision to in-source.

European-based AnyBank prides itself on being at the forefront of banking technology. It has 1,500 branches across the region, a number of subsidiaries and over 5 million customers. AnyBank has been engaged in a number of mobile payments trials over the past five years utilizing a range of different technologies including barcodes and a platform based on a SIM secure element (SE) using near field communication (NFC).

Since host card emulation (HCE) gained momentum at the end of 2013, the bank has focused on launching a mobile payment wallet for Android, BlackBerry and Windows handsets, in addition to preparing for Apple Pay and Samsung Pay integration. In 2013, the bank invested in Bell ID’s Secure Element in the Cloud solution to enable it to launch a restricted pilot without the need to establish business relationships with any third parties, as with the traditional SE/NFC model.

What is HCE?

Host card emulation enables the secure element to be placed in a remote and hosted cloud environment, rather than inside the mobile device. Application issuers can therefore take control of their deployments by in-sourcing a Secure Element in the Cloud platform, easing the launch and use of NFC-based mobile payment services. This model has a number of benefits, including increased flexibility, independence, greater storage and processing power and no need for certification of the SIM as it does not house the payment application.


AnyBank’s board recognizes the importance of developing and launching an own-brand mobile wallet in order to keep pace with industry development. Many of the internet giants and large smartphone manufacturers have now come to market with mobile contactless payment solutions, endangering the position of banks at the forefront of the payments ecosystem. The mobile payments division within AnyBank has been tasked with bringing a large-scale solution to market in line with the current industry trends and in accordance with the latest guidelines and specifications.

Challenge: Adding Tokenization to its HCE Mobile Wallet

HCE Security

The bank has decided to move forward with a full-market launch of its HCE mobile wallet. As the cloud approach is considered less secure than leveraging a hardware secure element within the device, the bank is encouraged by the payment schemes to increase security by ensuring that customers’ primary account numbers (PANs) are not stored on their devices, through the process of tokenization.

What is tokenization?

Tokenization reduces the value of stored payment credentials by removing the need for merchants or digital wallet operators to store a customer’s primary account number (PAN). Instead, a unique identifier called a Payment Token or Tokenized PAN replaces the real PAN; the token is worthless if stolen.

Multiple payment schemes

Additionally, AnyBank’s product portfolio incorporates a number of payment system brands, including American Express, MasterCard and Visa. The bank therefore has the option of using the schemes’ tokenization services or in-sourcing a solution to enable it to undertake this function itself.

Apple Pay & Samsung Pay support

The board was also very clear that any investment on this scale needed to be future proofed and offer options for product and service development in the coming years. Any systems should also support its planned integration with Apple Pay and Samsung Pay, once the handset manufacturers launch their mPayment wallets in Europe.

Solution: Becoming a Token Service Provider with its Own Token Vault

AnyBank selected Bell ID’s Token Service Provider solution to deliver the required tokenization functionality and to host its own token vault. The platform enables AnyBank to perform the tokenization, transaction and lifecycle management, in addition to the provisioning of tokens, required to fulfil the role of a Token Service Provider, as defined by EMVCo.

For example, AnyBank can perform the ongoing operation and maintenance of its own token vault, generate and issue tokens, apply security and controls, and register authorized ‘token requestors’. The bank drew on Bell ID’s in-house expertise to support and manage the integration process with its legacy systems and existing mobile banking and payment platforms.

What is a token vault?

A token vault is a secure server where issued tokens and the PANs they represent are stored. Service providers can either draw on the services provided by selected payment schemes or in-source a solution to enable them to host and manage their own vault.
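
The vault functions described above (registering token requestors, issuing tokens, mapping them back to PANs and retiring them) can be sketched as follows. This is an added example, not Bell ID's code: the class and method names, the token range 999999, the in-memory storage and the rule that only the requestor a token was issued to may resolve it are all assumptions made for illustration.

```python
import secrets

TOKEN_BIN = "999999"  # hypothetical token range, constructed for this example

def luhn_check_digit(partial: str) -> str:
    """Luhn check digit for a digit string that does not yet include it."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch) * 2 if i % 2 == 0 else int(ch)  # double every second digit from the right
        total += d - 9 if d > 9 else d
    return str((10 - total % 10) % 10)

def luhn_valid(number: str) -> bool:
    return number.isdigit() and len(number) > 1 and luhn_check_digit(number[:-1]) == number[-1]

class TokenVault:
    """In-memory stand-in for the vault (assumption: a real one is a hardened, encrypted store)."""

    def __init__(self):
        self._requestors = set()   # registered token requestor IDs
        self._entries = {}         # token -> (pan, requestor_id)

    def register_requestor(self, requestor_id: str) -> None:
        self._requestors.add(requestor_id)

    def tokenize(self, pan: str, requestor_id: str) -> str:
        if requestor_id not in self._requestors:
            raise PermissionError("unregistered token requestor")
        if not luhn_valid(pan):
            raise ValueError("PAN fails Luhn check")
        while True:
            # Random digits: the token has no mathematical link to the PAN,
            # so the vault mapping is the only way back to it.
            body = TOKEN_BIN + "".join(secrets.choice("0123456789")
                                       for _ in range(len(pan) - len(TOKEN_BIN) - 1))
            token = body + luhn_check_digit(body)
            if token != pan and token not in self._entries:
                break
        self._entries[token] = (pan, requestor_id)
        return token

    def detokenize(self, token: str, requestor_id: str) -> str:
        entry = self._entries.get(token)
        if entry is None or entry[1] != requestor_id:
            raise PermissionError("unknown token or wrong requestor")
        return entry[0]

    def revoke(self, token: str) -> None:
        self._entries.pop(token, None)  # lifecycle: a revoked token maps to nothing
```

Because the token keeps the PAN's length and passes the Luhn check, it can travel through systems that expect a card number, while a copy taken from a device or merchant resolves to nothing outside the vault.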

Outcome: Flexible and Controlled Tokenization

AnyBank was able to quickly, efficiently and cost-effectively update its existing HCE mobile wallet platform to also support tokenized payments, bringing it in line with the latest industry requirements. Implementing and managing its own solution gives full control to the bank, reduces the long-term cost and complexity of its tokenization activity, increases privacy for the bank and opens up options for future product and service development. Additionally, the platform can be used to connect to both Apple Pay and Samsung Pay, once the services are launched.

Using 3rd party services would be more expensive and complex as the bank would need to connect with the tokenization interface belonging to each 3rd party. This could slow down the development and launch phase of the project with complex integration work. Additionally, AnyBank would need to pay fees to each 3rd party for their tokenization services. As it purchased a platform to manage all of this activity in-house, the ongoing fees are minimal following initial investment in the platform, reducing costs long-term.

Competitive edge

With regard to privacy, by selecting a product rather than a service model, AnyBank can control the information shared outside of the organization. In taking a service, banks may need to share details of product and service development plans with 3rd parties so that integration work can run in parallel. In an extremely fast paced market, banks and service providers don’t want to share their roadmap outside of the organization to ensure they keep their competitive edge.

Flexibility

From a service development and expansion perspective, in-sourcing a solution gives AnyBank more flexibility. Initially, as a large bank with a number of international subsidiaries, having an in-house platform enables the bank to offer tokenization as a service to its affiliated banks. This enables the wallet service to be rolled out across the bank’s entire portfolio of customers, rather than needing to do it one subsidiary at a time with separate infrastructures.

Service expansion

The bank is also in a position to work in collaboration with Bell ID’s technical support team to develop new revenue streams. On the acquiring side of the bank’s business, an interest has been expressed in offering tokenization services to its merchant community to protect customers’ PANs when they are stored for online shopping. This can be considered at a later date.

AnyBank had been working on mobile payments for a number of years. With the advent of HCE and tokenization, a large-scale launch was possible. Bringing the technology in-house needed more up-front commitment, but gives the bank more control and flexibility long-term. Additionally, AnyBank will save money and time long-term by not using the services of, and integrating with, multiple schemes. Easy integration with Apple Pay and Samsung Pay fulfils another of the board’s requirements and offers scope for future development of the platform.
