Mercator Blog

Will Issuing Processors Be Marginalized as MasterCard and Visa Deploy Token Services?
Date: September 18, 2014
Tim Sloane
VP, Payments Innovation

Both MasterCard and Visa have announced the creation of business units dedicated to the deployment of tokens, but are these business units simply facilitating the existing value chain, or do they represent an effort by the networks to take over processing functions?

In the Viewpoint A Sleeping Giant Awakes: How Apple Pay Works and What It Means for Payments Mercator Advisory Group identified the token process flow that MasterCard and Visa have implemented to support the Apple Pay infrastructure. As the process flow in the Viewpoint identifies, the core capability provided by both networks is to enable a financial institution, through its processor, to identify a primary account number (PAN) that the network will enable in Apple Pay. The network creates a token to be associated with the PAN and then provisions the token into the secure element. When the phone is presented at the point of sale (POS), the token is passed to the merchant via Near Field Communication (NFC) technology, which sends the token back to the network. The network then converts the token back into a PAN and embeds the PAN into an authorization request that is sent to the issuing processor.

The issuing processor must be capable of supporting some new fields inside the authorization request, but for the most part the issuing processor has little to do in this scheme. This becomes clearer if we compare the token issuance process as implemented with Apple Pay to a traditional debit card issuance:


Comparing the Apple Pay scheme to the debit card scheme, we can see that whereas the processor was involved in all aspects of the debit card deployment, the processor is active in only one aspect of the Apple Pay scheme. It is likely that the issuing processor remains the conduit that communicates with the network on behalf of the issuer in the Apple Pay scheme, but it will be performing significantly less of the work.

In the Apple Pay scheme, the issuing bank almost certainly pays the networks for assigning and provisioning the token. It is known that MasterCard charges a 50-cent “digitization” fee each time a mobile device is provisioned with a token. (For other related fees, see Digital Transactions articleAs Card-Industry Use of Tokens Increases, MasterCard Plans “Digital Enablement” Fees,” August 14, 2014, written by Jim Daly.) If this is indeed the scenario, then it suggests that the networks have moved into a long-term revenue stream that is derived at the expense of the existing issuing processors.

Tokenization race has only just begun. The Apple Pay scenario does not utilize Host Card Emulation (HCE), which will greatly complicate the provisioning, ID&V assignment process, and authorization process. To better manage a HCE environment it will likely be appropriate to utilize tokens that have limited values and limited operational times. Mercator calls such limits when associated with the PAN, a Restricted Authorization Network (RAN) (see Understanding Restricted Authorization Networks: Cards Between Closed and Open Loops), which is typically implemented by the issuing processor. Another clue that the networks may be taking over more of the authorization business currently enjoyed by issuing processors is in the press release issued by Visa stating that this capability will be offered to financial institutions via the Visa Token Service:

“Customized Usage: Tokens can be limited to specific merchants, mobile devices or types of purchases – providing another form of innovation and security.”

Several issuing processors have distributed press releases that indicate they are offering their own token services. One processor Mercator spoke with indicated it was unconcerned with this scenario; another processor offering its own token service suggested that it is too early to determine if the networks represent a risk.

It is important to remember that the networks must establish implementation guidelines, regulations, and a certification process before an issuer solution can be operated on the network, but a network only needs a working implementation to be able to sell the service to the financial institutions. As a result, issuing processors may be forgiven for wondering if the networks are simply facilitating tokens in the short term or are implementing a long-term issuing, provisioning, and processing land grab.