Visa and MasterCard created the concept that is referred to as tokenization. This is the process of substituting a less sensitive proxy account number, referred to as a token, for the consumer's 16-digit card number. The token serves as a reference that maps back to the consumer's primary account number through the networks' tokenization system.
The tokenization system is built to map tokens back to the primary account number securely, both when the token is created on the phone (or in the cloud) and during payment authorization. As the consumer completes transactions in a retail environment, the 16-digit token is used in place of the card number, and additional information that is uniquely tied to the mobile phone is passed with it in the authorization stream. This makes the token unusable if it is manually keyed into a website or presented via mag stripe.
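A simplified model of the token mapping and device binding described above, as an added example that is not part of the original article and not the payment networks' actual design. The `TokenVault` class, the HMAC-based cryptogram, the `999999` token prefix and the entry-mode names are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

def luhn_check_digit(partial):
    """Digit that makes partial + digit pass the Luhn check used for card numbers."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:  # doubled positions, counting from the digit next to the check digit
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str(-total % 10)

def device_cryptogram(device_key, token, counter, amount_cents):
    """Per-transaction value only the provisioned phone can compute (HMAC is a stand-in)."""
    msg = f"{token}|{counter}|{amount_cents}".encode()
    return hmac.new(device_key, msg, hashlib.sha256).digest()

class TokenVault:
    """Toy network-side tokenization system: maps tokens back to the PAN."""
    def __init__(self):
        self._by_token = {}

    def provision(self, pan, token_prefix="999999"):  # constructed prefix, not a real range
        body = token_prefix + "".join(secrets.choice("0123456789") for _ in range(9))
        token = body + luhn_check_digit(body)
        device_key = secrets.token_bytes(32)  # shared only by the phone and the vault
        self._by_token[token] = {"pan": pan, "key": device_key, "last_counter": 0}
        return token, device_key

    def authorize(self, token, entry_mode, amount_cents, counter=None, cryptogram=None):
        """Return (pan, reason); pan is None when the token is refused."""
        rec = self._by_token.get(token)
        if rec is None:
            return None, "unknown token"
        if entry_mode != "contactless" or counter is None or cryptogram is None:
            return None, "token presented outside its device channel"
        if counter <= rec["last_counter"]:
            return None, "replayed counter"
        expected = device_cryptogram(rec["key"], token, counter, amount_cents)
        if not hmac.compare_digest(expected, cryptogram):
            return None, "bad cryptogram"
        rec["last_counter"] = counter
        return rec["pan"], "approved"

if __name__ == "__main__":
    vault = TokenVault()
    token, key = vault.provision("4111111111111111")  # constructed sample PAN
    print(vault.authorize(token, "keyed", 2500))  # refused: no device cryptogram
```

The merchant only ever sees the token; the vault releases the primary account number for authorization only when the request carries a fresh cryptogram from the phone the token was provisioned to.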
Carriers upgraded SIM (subscriber identity module) cards to include secure elements on them, allowing for Visa, MasterCard, American Express and Discover credit cards and debit cards to be stored on the secure element that resides on the SIM card. In a related move, Visa and MasterCard endorsed host card emulation, basically moving the secure element into the cloud, which is now supported on Android and Windows.
Since host card emulation is now compliant with payment network rules, any bank or digital wallet solution like Samsung, Apple, Google or PayPal can now host payment credentials in the cloud and interact with them at the point of sale. This fundamental change in technology has caused banks to move away from carrier-based solutions. Many carrier-based solutions are either being shut down or shelved prior to launch.
A strategy is needed for all participants in the ecosystem to provide a safe and secure method for a customer who loses a phone, gets a new phone, changes operating systems, or even changes mobile operators.
The key players that need to coordinate this process include payment networks, payment processors, banks and mobile wallet operators like Google, Apple, PayPal, Samsung and others. Businesses entering into the mobile pay arena need to manage the life cycle events regarding a consumer and ownership of his or her smartphone while still protecting the consumer's sensitive card information, whether stored on a secure element or in the cloud.
Each of the individual wallet operators has a different business model. Some of them charge key players directly, most notably the banks. Others are interested in collecting data from the payment transaction. Yet others are just looking to build advertising solutions on top of the payment transaction itself. Underpinning all of that, each wallet operator has its own variation of the technology implementation.
As a bank or any other key player prepares to interface with mobile wallet solutions, it needs to fully understand the business, technical and strategic risks associated with cost per transaction and with sharing information that has historically been the domain of the banks with companies like Google. To put it simply, each player needs to fully understand the operating landscape before just jumping in. Knowing what questions to ask and what information to research before entering a business arrangement in mobile payments is essential.