Case Study

RS Software Helps Major Payments Network
introduce Tokenization-as-a-Service


The Advantage of Tokenization for Merchants

Tokenization is a process of replacing sensitive data with a unique identifier called a token. Unlike encryption, where the original data can always be decrypted, tokens cannot be mathematically reversed.

Merchants, in particular, would benefit from the widespread use of tokenization in the payments industry as it would remove the requirement that they meet four PCI compliance clauses that introduce considerable overhead and risk into their operations today.

1. Requirement – Install and maintain a firewall configuration to protect cardholder data Reason: Firewalls will continue to be the dominant end-point security device. However, as cardholder data will no longer be stored in the environment, a dedicated firewall is not required to protect it.

2. Requirement – Protect stored cardholder data Reason: The responsibility of protecting cardholder data would reside with the provider of the tokenization services.

3. Requirement – Encrypt transmission of cardholder data across open, public networks Reason: The provider of the tokenization services would tokenize the data and be responsible for transmitting the data across a secure network.

4. Requirement – Restrict physical access to cardholder data Reason: With tokenization, cardholder data would be stored with the token provider. Merchants would no longer be able to physically access the data

To help merchants benefit from tokenization, several third party organizations and payment networks are providing Tokenization-as-a-Service (TaaS) solutions. For example, CyberSource offers Hosted Payment Acceptance, which allows merchants to accept and process payments without payment data entering their systems. CyberSource hosts the payment data fields so that data is captured and transmitted outside of the merchant’s environment, then sent directly to the payments network. Others, such as SafeNet, also provides similar such TaaS solutions.

RS Software has focused exclusively on the payments industry since 1991 providing the expertise and solutions its clients require to address an industry undergoing a transformation. That is why when the world’s largest payments network wanted to be a Token Service Provider (TSP), they turned to RS Software to introduce Tokenization-as-a-Service to its issuers and merchants.

Complex Issues That Needed Industry Leading Expertise

The client’s goal was to establish itself as a TSP, providing tokens to its customers in compliance with EMVCO specifications. By tokenizing the card PAN, consumers gain additional security and protection while issuers are relieved of the costs associated with security breaches. However, to implement this approach required an expertise focused on understanding the complex message orchestration across multiple stakeholders, token depletion or token conflict and the impact of tokenization on downstream applications such as clearing, settlement, dispute processing, risk and fraud management, and the data services that must be tuned to clear the PAN only. Providing the necessary functionality and processes with an off-the-shelf solution was not viable for the client as seldom are these offerings built with an understanding of these complexities.

Project Success Required Knowledge Across Project Lifecycle

Engaged as the key partner in tokenization solution development and implementation, RS delivered a tokenization solution to the network that included token provisioning, overall lifecycle management, token vault setup and maintenance, service monitoring and reporting, and detokenization. Our company worked with the network’s key stakeholders on the business and architecture teams to identify, design, develop and implement the changes required in the core processing applications. The core processing applications addressed included authorization, clearing and settlement, risk prediction and fraud reduction member configuration management, data services and dispute resolution.

RS was involved in the entire project lifecycle implementing TSP functionalities, making changes to the core system, modifying the downstream systems required for handling tokens and testing the system and its integration to other systems.

Two use cases were implemented by RS as part of this project – card on file e-commerce transactions and NFC POS transactions. RS was responsible for demonstrating the ability to authorize and clear both types of transactions. This required significant involvement by RS in the testing and implementing of these services.

RS delivered a comprehensive line of services towards realization of the Token Service Platform, key highlights of which are listed below:

    • Comprehensive test program management including determining effort, schedule, budget, resource planning, issue monitoring and status reporting. Extensive co-ordination and planning with diverse teams was necessary to successfully achieve this component.
    • Testing and validation of the several encryption services involved in the different stages of provisioning a card. This involved usage of RSA-2048, TDES, CBC (Cipher Block Chaining), AES-128, and ECC-256 encryption in the different stages of checking the card, authenticating the consumer, linking and provisioning the token and applying the provisioning scripts through SEI-TSM.
    • Test design and planning for network message flows, cryptographic functionalities and token life cycle management.
    • Test execution across various risk rules and profiles, data feeds and update-to-rule profiles.
    • Functional testing using a simulated issuer in the test environment and On-Behalf-Of (OBO) services to issuer during provision requests.

Business Benefits

The network was eager to become the primary payment TSP in the industry, allowing it to grab the majority market share within a very aggressive timeline. To achieve this while undertaking a very complex and large project that had far reaching impacts across multiple business functions, the network needed a partner that had expertise second to none.

RS helped the client achieve its business objective rolling out its tokenization service well ahead of its competitors and capturing the majority market. As a subject matter expert in tokenization, RS contributed to the architecture and design phases to ensure compliance with EMVCO guidelines and fulfill internal application related constraints. RS also provided reusable assets including message flows for tokenization and detokenization and the prevention of token depletion or token conflicts. These assets were used in the implementation phase to expedite the project lifecycle with minimal or no rework. Implementation of tokenization as a service also helped the network in the immediate launch of secured element based tokenization service through the leading mobile phone manufacturer, allowing the network to process Apple Pay transactions.

About RS Software

rslogo copy

Since its inception, RS Software has been focused on providing solutions to leading companies in the e-payment industry. As an organization, we have more than 200,000 person years of experience exclusively in providing technology solutions to the payments industry, making RS Software a partner of choice for the world’s blue chip payment brands. Our reach has allowed us to provide solutions to these payment stakeholders across multiple geographies on three continents.