The Token Layer Cake

Plus; Apple & Goldman's divorce & Can Robinhood crack the UK?

Hey everyone 👋, welcome to Brainfood, the weekly read to go deeper into Fintech news, events, and analysis. Join the 36,167 others by clicking below, and to the regular readers, thank you. 🙏

Hey Fintech Nerds 👋

Divorce of the decade. Apple & Goldman have split. Partnerships are hard. Bank partnerships are harder. These two companies had very different goals. My thoughts in this week’s edition.

Plus, can Robinhood crack the UK?

If you're in payments, you'll hear the word "token." But what the heck is a token?

It can mean almost anything. In payments, however, tokens are becoming a critical battleground for security, privacy, and owning the unit economics.

Chuck was the guy who helped me get tokens. 

So I hope this helps you get it too.

(I can't say "grok" anymore; Elon ruined it).

Also, I couldn't help myself and had opinions on the Apple x Goldman drama and Robinhood coming to the UK (I mean, that's my turf!)

I’m out enjoying time with the healthy, happy and growing new baby still, but I will be back in Mid Dec.

Here's this week's Brainfood in summary

📣 Rant: The Token Layer Cake

👀 Things to Know:

  1. Divorce of the decade. Apple & Goldman partnership to end.

  2. Third time is the charm? Robinhood is entering the UK after 2 failed previous attempts. 

Weekly Rant 📣

Guest Rant: The Token Layer Cake by Chuck Yu

Tokens make payments more secure but more complicated. Understanding them is critical to any operator in the payments industry.

Traditionally, payments ran on a simple four-party model that everyone used: Acquirer, Issuer, Cardholder, and Merchant, connected by the card Networks.

  • Issuers issued cards to consumers and businesses, 

  • Cardholders made in-person and online payments using those cards, 

  • Acquirers accepted and processed their payments on behalf of Merchants, 

  • Networks provided the underlying rails for all payment transactions to occur  

In fact, our colleagues at Finix published a blog post in 2019 titled "The Payments Layer Cake" that laid this out beautifully. Part of my responsibilities when I was working at a global payments network was to be an expert on Fintech. I am certain I used this visual aid repeatedly to solidify my understanding of the foundations of payments and financial technology.

We live in an era of complexity. 

Personally and professionally. 

In payments, there are more devices, payment types, and information than we can count. Given this context, the ability to simplify is crucial. 

One area that sorely needs understanding is how tokens work in card payments.

Fintech gets complex

In 2023, the fintech space is more crowded and complex than ever. 

  • Incumbent Financial Institutions that once saw fintech as competition have adopted the approach of “if you can’t beat them, then join them” and have been embracing Fintech.  

  • Issuers have witnessed a full economic cycle marked by the emergence and struggles of Banking as a Service (BaaS).  

  • Payment Service Providers (PSPs) and acquirer processors continue to grow along with rising card-not-present volumes but often sacrifice margin and profitability to win merchant business. 

  • Global Networks continue to thrive, collecting their tolls for the pleasure of using their rails.  

Amid all this, the merchants ultimately bear the payments ecosystem's costs. The more things change, the more they stay the same. Despite the changes, the fundamental building blocks of the payments landscape remain remarkably consistent.

Except for one thing. Tokenization.

Introducing Tokenization

When people hear "tokenization" these days, their minds often drift to cryptocurrency and Web3. But my focus here is on tokenization in payments. This is a key means of protecting sensitive card data by replacing it with a unique but unrelated number in the same format.

A common example of payment tokenization is when you use Apple Pay.  

When you add a debit or credit card to Apple Pay and use it to pay, the 16-digit card number (or PAN) gets replaced with a randomized set of digits. This is known as a “payment token” or a Device Account Number (DAN), which keeps the actual PAN (card number) secure. 

Since it’s a random number, the DAN can neither be used to track spending nor make unauthorized purchases. Further, the DAN is specific to a device, so if you add the same card to your iPhone and iPad, those are two disparate numbers.  

For an overview of how Apple Pay works, Sardine’s blog here is a great start.

This is just one example of payment tokenization. There are many more!

Hence, the words “token” and “tokenization” get thrown around and things get confusing.

We don’t have a way to measure this yet, but I think it’s likely that at least 4-5 tokens are being passed in a single card transaction. If that sounds like a lot, let’s unpack that together by diving into each kind of token.  

1. PSP Tokens

a) What is a PSP token? This generation of digital payment tokenization started in the early 2010s, coinciding with the emergence of Stripe. At the time, digital payments in the US were in their infancy. It was becoming clear that there were benefits to merchants in retaining card-on-file information, but this meant they needed to store it securely. However, the secure storage of massive amounts of sensitive payment data was a viable option mostly for enterprise merchants who were willing to navigate the costly and lengthy process of achieving PCI compliance.

Stripe offered an elegant solution. Merchants could store cards with PCI-compliant Stripe and receive a token in return. Since merchants were interacting with just tokens, they not only didn’t have to touch sensitive data, but it also meant their time to market decreased significantly. To this day, this form of PSP Tokenization remains commonplace.

b) How do PSP tokens work? A payment service provider provisions PSP Tokens when it replaces the Primary Account Number (PAN, the card number) with a token. They are unique to each processor, meaning that if a merchant were to tokenize payments with multiple processors, they would need a different set of tokens from each. Using these instead of the PAN to process payments descopes merchants from PCI compliance. But, there are limitations.

c) What are the challenges with PSP tokens? When PSPs exchange PAN information with tokens, they retain the card numbers. Merchants are then steered towards ancillary services around their processing needs, such as 3D Secure (3DS), Know Your Customer (KYC) checks, and real-time fraud decisioning, provided by the PSP. The convenience of choosing an all-in-one solution means that the token provider also becomes the merchant’s default option for other services. As Stripe, Adyen, Braintree, and other PSPs vie for merchant business, the incumbent token and vault provider holds the commanding position. 

My hot take: The trend for the last ten years has been for PSPs to use tokens to lock in merchants. Merchants can vault card information with PSPs, and the solution appears as if the cards belong to the merchant. But, when a merchant wants to send that card somewhere, it becomes difficult with issues like unavailable API connections and slow compliance processes. Plus, the larger PSPs have been expanding horizontally into value-added services, and tokens are often the mechanism to upsell their other services.  

2. Issuer Tokens

a) What is an issuer token? In 2010, when PSPs embraced tokenization, issuers were lagging. The reason was pretty simple. Issuers were primarily banks and spoke in PANs, so they didn’t need tokens.  

But the situation shifted again in 2015. The early European Neobanks emerged. Independently, Fintech card programs gained momentum with successes in Brazil, India, and the United States. But when Fintechs issued cards, they didn’t want to hold card information and take on the liability - hence, they preferred to speak in tokens. 

Issuer processors and PSPs fared differently in this new paradigm. While PSPs like Stripe, Square, and Adyen adapted, big banks and issuer processors like TSYS, FIS, and Fiserv weren’t as quick to adopt tokens. The tide started turning with Marqeta, which introduced the first issuing programs leveraging issuer tokens. Today, the legacy players have also brought solutions to market. My observation is that they have all figured out the acquiring side of the transaction, but major areas of the issuance journey have spotty coverage.

b) How do issuer tokens work? There are both Issuer Tokens and Issuer Processor Tokens. Issuer Tokens belong to the card issuers and are generated by them for mobile apps, card chips, or digital wallets. Since they belong to a specific issuer, they aren’t as useful for merchants that want to accept any card. Issuer Processor Tokens are tokens utilized by issuers, such as banks or financial institutions, to replace the PAN with a processor token. This substitution reduces the issuer's PCI DSS scope, because the issuer no longer has to store PAN data itself.

As an aside, PCI compliance is a framework for securing cardholder information. Although well-intentioned and effective, it is also onerous and time-consuming. Building and maintaining a PCI vault requires expertise, organizational discipline, and the readiness to undergo regular, rigorous audits that require deep expertise and broad participation.  

c) What are the challenges with issuer tokens? Compared to their acquiring counterparts, a unique challenge with issuer processors is location: geographic boundaries often limit Issuer Processors. If an issuer seeks to issue cards in multiple regions, it often must work with multiple issuer processors and manage multiple sets of tokens.

In the case of issuer processing, tokens have many different applications: replacing sensitive data with a token for PCI compliance, push provisioning for Apple Pay and Google Pay, issuing Virtual Cards, obfuscating information for Customer Service personnel so they can service the account without exposure, KYC/KYB for card issuance, and card reveal scenarios for the end customer. There are many scenarios, but they are all really just tokens. At the same time, issuer processors have spotty coverage of these ancillary add-ons needed to run a successful card program. Each issuer processor typically supports just a few. For an issuer to thrive, it will eventually require all of the above and more, but there aren’t many one-stop shops that provide them all.

My hot take - These are half-baked solutions. Most major issuer processors have figured out how to incorporate tokens but have left large gaps. VGS has boiled issuing-side tokenization down into about a dozen use cases like the ones mentioned above. Still, even the best issuer processor only covers about two-thirds of the needs. In the worst-case examples, they cover only a couple – for example, an issuer processor might tokenize on auth, but their settlement process is still based on the PAN. This doesn’t remove the issuer’s compliance liability.

3. Network Tokens

a) What is a network token? Network Tokens replace sensitive card data, like the PAN and CVV, with a tokenized value for security, along with a unique cryptogram for additional security. They are typically issued by the global card networks and stored by the merchant or PSP. Select TSPs (Token Service Providers) like VGS work with card networks directly to provide these to their merchants, while others do so indirectly through white-labeling. Other parties approved by the networks for network tokens tend to be large merchants and acquirer gateways such as Amazon, PayPal, and Adyen.

Network Tokens can be an effective and secure PAN alternative for merchants. With Network Tokens, some of the main advantages of the network are realized, such as enhanced security, reduced data exposure, and up-to-date information. For example, the network takes on the burden of checking with the issuer whether the card underlying the token is tied to a valid credential, which reduces the merchant's risk of failed transactions.

Network Tokens have been all the rage recently because in large markets like the US, merchants are seeing interchange differences when processing with Network Tokens. New frameworks like Digital Authentication Framework (DAF) and Token Authentication Framework (TAF) from the global networks are adding to the attention given to Network Tokens. Their focus on tokenizing payment credentials to increase the reliability and performance of CNP (Card-Not-Present) transactions will eventually move the industry further to a token-driven future.  

b) How do network tokens work? Consider a CNP (Card-Not-Present) situation like an e-commerce transaction. When merchants receive card information like the PAN and CVV, they share it with their PSP, such as Stripe. The PSP requests a network token from the card scheme, such as Visa or Mastercard. The card scheme generates a token, along with a cryptogram for each individual authorization, adding an additional layer of security. Throughout the transaction from the merchant to the PSP and on to the card network, the PAN is replaced with the network token. The network then detokenizes, mapping the token back to the PAN, and shares the PAN with the issuing bank to verify. Network Tokens are both randomized and specific to a merchant, making them safer to use than PANs. The advantage of network tokens is they aren’t specific to a processor, and hence, they work across the payments ecosystem.
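To make the two flows above concrete (the processor-scoped PSP token vault from section 1b, and the merchant-scoped network token with a per-authorization cryptogram from section 3b), here is a toy model written as an added example. It is not code from this newsletter, from VGS, Finix, or any card network; real schemes use EMV-style keys and message formats, whereas this model uses an HMAC under a secret shared only between the token service and the network, a made-up token BIN, and the well-known 4111... test PAN. Everything else (class and function names, the "scope" binding, the nonce-based replay check) is an assumption of the example.

```python
"""Toy token-vault and network-token model (constructed example; not any
PSP's or card network's real implementation).

- TokenVault maps a PAN to a random, format-preserving, Luhn-valid token and
  binds it to a 'scope' (a processor id for a PSP token, a merchant id for a
  network token). A token is useless outside the scope it was issued for.
- NetworkTokenService adds a per-authorization cryptogram: an HMAC over
  (token, merchant, amount, nonce) under a key known only to the token service
  and the network (a simplification of EMV cryptograms), so a replayed,
  re-targeted or amount-altered authorization is rejected at the network.
"""
import hashlib
import hmac
import secrets


def luhn_check_digit(partial: str) -> str:
    """Luhn check digit (ISO/IEC 7812) for a digit string missing its last digit."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:            # the digit left of the check digit is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    return number.isdigit() and luhn_check_digit(number[:-1]) == number[-1]


class TokenVault:
    """Format-preserving vault: PAN in, random 16-digit Luhn-valid token out."""

    def __init__(self, token_bin: str = "999999"):   # placeholder token BIN
        self.token_bin = token_bin
        self._by_token: dict[str, tuple[str, str]] = {}   # token -> (pan, scope)

    def tokenize(self, pan: str, scope: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("PAN fails Luhn check")
        while True:   # loop only matters on the (rare) collision
            body = self.token_bin + "".join(str(secrets.randbelow(10)) for _ in range(9))
            token = body + luhn_check_digit(body)
            if token not in self._by_token:
                break
        self._by_token[token] = (pan, scope)
        return token

    def detokenize(self, token: str, scope: str):
        """Return the PAN only if the token exists AND was issued for this scope."""
        entry = self._by_token.get(token)
        if entry is None or entry[1] != scope:
            return None
        return entry[0]


class NetworkTokenService:
    """Issues merchant-bound network tokens and per-authorization cryptograms;
    authorize() is the network-side check before the PAN goes to the issuer."""

    def __init__(self):
        self.vault = TokenVault()
        self._key = secrets.token_bytes(32)   # shared with the network only
        self._seen_nonces: set[str] = set()

    def provision(self, pan: str, merchant_id: str) -> str:
        return self.vault.tokenize(pan, scope=merchant_id)

    def _mac(self, token: str, merchant_id: str, amount_minor: int, nonce: str) -> str:
        msg = f"{token}|{merchant_id}|{amount_minor}|{nonce}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def cryptogram(self, token: str, merchant_id: str, amount_minor: int):
        """Fresh (nonce, cryptogram) pair for one authorization attempt."""
        nonce = secrets.token_hex(8)
        return nonce, self._mac(token, merchant_id, amount_minor, nonce)

    def authorize(self, token, merchant_id, amount_minor, nonce, cryptogram):
        """Reject replay, tampering, or a token presented by the wrong merchant;
        on success return the PAN to forward to the issuer."""
        if nonce in self._seen_nonces:
            return None, "replayed cryptogram"
        expected = self._mac(token, merchant_id, amount_minor, nonce)
        if not hmac.compare_digest(expected, cryptogram):
            return None, "cryptogram mismatch"
        pan = self.vault.detokenize(token, scope=merchant_id)
        if pan is None:
            return None, "token not bound to this merchant"
        self._seen_nonces.add(nonce)
        return pan, "approved"


def demo() -> dict:
    pan = "4111111111111111"   # standard test PAN, not a real card
    # PSP tokens: two processors, two different non-portable tokens for one PAN.
    psp1, psp2 = TokenVault("888888"), TokenVault("777777")
    t1, t2 = psp1.tokenize(pan, "psp-1"), psp2.tokenize(pan, "psp-2")
    results = {"psp_tokens_differ": t1 != t2,
               "psp_not_portable": psp2.detokenize(t1, "psp-2") is None}
    # Network token: merchant-bound, with a cryptogram per authorization.
    tsp = NetworkTokenService()
    token = tsp.provision(pan, "merchant-A")
    results["token_format_ok"] = len(token) == 16 and luhn_valid(token) and token != pan
    nonce, cg = tsp.cryptogram(token, "merchant-A", 1999)
    results["first_auth"] = tsp.authorize(token, "merchant-A", 1999, nonce, cg)
    results["replay"] = tsp.authorize(token, "merchant-A", 1999, nonce, cg)
    nonce2, cg2 = tsp.cryptogram(token, "merchant-A", 1999)
    results["amount_tampered"] = tsp.authorize(token, "merchant-A", 9999, nonce2, cg2)
    nonce3, cg3 = tsp.cryptogram(token, "merchant-B", 1999)
    results["other_merchant"] = tsp.authorize(token, "merchant-B", 1999, nonce3, cg3)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point the model makes is the one the rant makes in prose: a PSP token only resolves inside the processor that minted it, and a network token only resolves for the merchant it was provisioned to, so a stolen token plus cryptogram is worth little elsewhere, and the same authorization cannot be replayed. The scope check in `detokenize` and the constant-time `compare_digest` are the two places a real vault must not cut corners.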

c) What are the challenges with network tokens? Much like PSP tokens, Network Tokens can also create unintended negative consequences. These are only interoperable within their own networks. We’ve even seen litigation with Network Tokens not being interoperable with domestic schemes. In markets where the global networks aren’t the dominant local processing scheme, this dynamic pressures local schemes that are less resourced to keep pace. Although they are a step in the right direction, they don’t address all needs yet, which results in another partial solution in a complex ecosystem.  

4. Miscellaneous Tokens

There is another category of tokens I’ll label as Miscellaneous Tokens.  

Every digital platform creates its own tokens, while the underlying reason remains the same - safeguard sensitive information while creating stickiness with the platform.  

We’re seeing tokens for everything from 3D Secure vendors to loyalty.  

Another example of miscellaneous tokens is tokens for replacing bank account (DDA) information in open finance. The benefits of tokenization are that sensitive activities like viewing account balances and transferring money can be conducted without handling sensitive information like an account or routing number.  

These miscellaneous tokens will only grow as new use cases are added.  

My hot take: Why do miscellaneous tokens even exist? Over time, the PSPs and Issuer Processors should address these. My best guess is that PSPs are stalling, and Issuer Processors just haven’t gotten there yet. But consolidation will come with time. 

Bottom Line

As you can see, nearly every card transaction comes with multiple tokens.  

Assuming a large merchant working with at least two PSPs, that’s two PSP tokens.  

If they want to reap the benefits of Network Tokens, it adds a third.  

If the consumer wants to use Apple Pay or Google Pay, that’s another token to keep track of.  

Add on Miscellaneous Tokens, and we are at 5.  

And I predict we will keep seeing more tokens pop up in the ecosystem.  

The various forms of tokenization have been intended to simplify processes, enhance security, enable innovation, and speed up time to market. And while well intended, there is no denying that tokenization has become complex.  

There are many providers and solutions to managing these challenges, but the first step is understanding them. 


ST: Mo’ tokens, mo’ problems. Amirite? 

Things to know 👀

1. Divorce of the decade. Apple & Goldman partnership to end.

According to the WSJ, Apple will exit its Apple Card partnership with Goldman. I'm not surprised.

🧠 This is loss-making for Goldman. Apple likes a lot of control over the process. But, controlling onboarding can lead to opening accounts for risky customers.

🧠 Goldman is under profit pressure. They've divested the "BNPL provider Greensky" and are closing multiple consumer and partnership products that lose money. The Apple Card partnership may have been intentional as a loss leader, but that calculus is different when they have to find profit. The bank is also making substantial layoffs.

🧠 Apple is under growth pressure. Apple's top-line revenue growth has stalled. Their growth is driven by services, and they need finance to help drive more revenue from their massive captive audience.

🧠 Apple might not want to partner anymore. In the UK, Apple is using open banking to add features to their wallet without partnering with banks. Will they do the same in the US? Can they start to own economics that way?

2. Third time is the charm? Robinhood is entering the UK after 2 failed previous attempts. 

The stock trading app won't launch with UK stocks and cannot monetize order flow like it does in the US. Will it work? 👇

🧠 Does the UK need another stock trading app? With Freetrade, eToro, and Hargreaves Lansdown, we don't lack options. It's also a feature in Neobanks now. Public.com also launched here in the last 6 months.

🧠 Is the UK an answer for growth? Robinhood has stagnated since the end of the memestock craze. US Fintech companies now look to the UK as "less saturated" for growth. I think that's true in B2B but not consumer.

🧠 Will it succeed? There are very few examples of US companies making it huge here in finance. Chase is actually the recent notable exception: it acquired Nutmeg, launched a banking product, and is close to profit.

That's all, folks. 👋

Remember, if you're enjoying this content, please do tell all your fintech friends to check it out and hit the subscribe button :)

Disclosures: (1) All content and views expressed here are the authors' personal opinions and do not reflect the views of any of their employers or employees. (2) All companies or assets mentioned by the author in which the author has a personal and/or financial interest are denoted with a (3) Any companies mentioned in Rants are top of mind and used for illustrative purposes only. (4) I'm not an expert at everything you read here. Some of it is me thinking out loud and learning as I go; please don't take it as gospel—strong opinions, weakly held.