Is tokenisation a force for payment good, or is it a scam?
As a solution to payment card fraud, tokenisation might not be the most cost-effective answer to what is essentially a “manufactured” crisis, but it is the most profitable.
The widespread application of tokenisation across the card payment landscape is the result of some smart (or sharp) investment decisions. A series of vested commercial interests have managed to secure a return on initial investments in tokenisation technologies that might otherwise have been lost, and the payment card schemes have since managed to extend the reach of the money-making machine by portraying tokenisation as the must-have solution to the ever-growing problem of escalating payment card fraud.
Rather than thinking collectively and working towards a pragmatic response to the problem of increasing card fraud, the industry has been sold tokenisation as the cure for all payment-related ailments … and the people buying it love it!
I lay no overall blame, so follow the argument and have a think …
UK Mobile Operators and Financial Services
Back in the dim and distant, the UK mobile operators recognised – rightly so – that mobile telecommunications were becoming commoditised. They could see their future business becoming defined as little more than the provision of discount data pipes and because of this, they were desperate to move into Financial Services. An entirely reasonable aspiration given that they were cash-rich with a business built almost entirely on modern, interoperable technologies.
The mobile operator immediate business imperative was based on the continuous earning potential of being an integral part of the card payment process. The operators realised that if they could embed themselves into the yet-to-be-defined mobile contactless payment ecosystem, they would be embedded for good!
The mobile operators were driven by the potential for earning a tickle from every transaction and saw a future where they were an integral part of the global payment infrastructure.
Storing the Card Data on the SIM
At the time, the mobile operators were in a strong position as they issued and controlled the access to the SIM, and they had plenty of available cash. The phone manufacturers also had cash, but none were really in a position to take up the challenge … and they also had other priorities.
The SIM card was already used as a secure storage medium for the mobile network access credentials, and the technology was similar to that of the chip card, manufactured and personalised by the same organisations.
It came as no surprise, therefore, that the SIM card was going to be used as the “secure element” for the storage of the EMV keys, and that these keys would be used to facilitate the full-strength EMV contactless transaction. Interestingly, this could have been the first step towards ubiquitous EMV protection. It would be a simple step from EMV credentials on a SIM card to those same credentials being available for e-commerce (which was still in the early days of growth).
The availability of compatible telephone hardware was little considered as the purpose of these initial exercises was to prove that EMV card data could be delivered to the SIM card over the air, and then used in a contactless transaction. The mobile phone hardware developments would follow inevitably once the UK mobile operators had succeeded in showing that the concept of the mobile contactless transaction was a viable one.
So, not only were the phone manufacturers out of the picture, but the mobile operators were starting from a position halfway there. They already had the means of storing payment card data safely … in a “Secure Element” (SE) embedded within the SIM card.
Developing a single end-to-end issuing process
The UK at the time was well advanced with the necessary infrastructure and technologies, but the initial pilots all had one thing in common: they were each the product of a single end-to-end issuing process.
It was noticable that each pilot service consisted of:
- a single mobile operator
- a single handset
- a single financial institution.
Payment credentials are generated at one end of the chain (the Financial Institution) and then delivered to the other end of the chain (the SIM card) via some sitting-in-the-middle server acting for the Mobile Operator. It was simple in principle, but the process worked from end to end, the mobile phone could be used for making payments and the Financial Institution could receive and authorise the payment requests. The mobile operators had proved that EMV credentials could be delivered over the air … and could then be used in the phone, to make the phone act as a card.
Although access to contactless terminals was a bit limited, feedback from the pilots was always positive and CEOs were always keen to roll out the services.
The success led to lots of pilot schemes, and the consumers loved them, but all the pilot schemes were the same. The issue was that the pilot schemes proved the concept but had ignored the real challenge.
Rolling back from the roll-out
Every pilot scheme was a collaboration between a single card issuer, a single mobile operator and a single handset manufacturer … and so here, before the roll-out, the first real problem was already lying in wait: how to make the single end-to-end processes work in a multiple endpoint, interoperable environment.
The technology worked, and it looked clever, but no one had really considered how the single end-to-end process – a process that had been proven many times over – could be upscaled to support multiple financial institutions, multiple mobile operators and multiple phones and SIMs … or maybe they had! Maybe they realised that interoperability was going to be quite hard and so maybe they had concentrated their efforts on winning the “brownie points” for something that was relatively easy.
Just putting it out there.
It’s not unreasonable to assume that any challenge relating to a phone or a SIM – in a single-end-to-end configuration – could be addressed locally as everything was under the control of the respective mobile operator. The big challenge, and the one that eventually cost them the game, was the inability to transfer EMV credentials from any card issuer to any mobile handset (SIM).
Consumers had confirmed time and time again that they loved mobile contactless payments, but mobile contactless payments sadly only worked in specific, pre-defined end-to-end situations. Nobody had considered the mechanism for delivering the payment data from the issuer to the consumer’s phone in a multi-user environment.
The telcos had shown that they could make the technology work with a single bank, but the demonstrations and pilots didn’t explore the element of interoperability. Every roll-out decision was followed closely by the acceptance that there could be no roll-out.
Developing the Interoperability … not!
Historically, the telcos (UK Telcos at least) have been pretty poor at collaboration, with possibly the exception of inter-network text messaging.
However, at this point, EE, Vodafone and O2 (three of the UK Mobile Operators, ironically leaving 3 out) combined their joint capabilities and established a joint venture with the aim of designing, defining and implementing a service that would facilitate the managed exchange of payment credentials. This JV was to be called WEVE … and along with the magic of enabling the delivery of payment credentials, they were also going to be developing a cross-platform marketing proposition at the same time.
I remember listening to the Marketing Director from WEVE at some payment conference: he announced to all that the techies at WEVE were going to deliver a service that would combine the payment and the marketing, and the offers and the coupons, so that they could all be applied at the same time and could all work together … in a single tap.
Everyone applauded … it was like WEVE had cracked it!
Except that given the transaction logic of EMV and the nature of coupons, loyalty and special offers, what he was promising was logically impossible.
Sadly, there was more of the same to come and the UK mobile operators failed to make mobile contactless payments work – they eventually conceded.
Even when the UK mobile operators had had the right idea, which was to adopt a collaborative approach to a common problem rather than follow the usual adversarial route, they were unable to follow through. They knew best and arrogance prevented them from listening to anyone who wasn’t one of the “gang”.
This could have been sooo different
The strategists at WEVE had gone for what was then the shiny new impulse buy in the world of payment technology: the Trusted Service Manager, or TSM. It was true, it had been proven: the TSM approach had been used in the pilots, and in the pilots, the TSM did the job.
So, if you weren’t clued-up on the processes and the alternatives, maybe it was a no-brainer … or maybe you would still ask someone who knew!
There was nothing particularly clever about the TSM and it hadn’t really been designed for what WEVE was trying to do with it, but at the time, that wasn’t important. Since gaining some initial traction in the mobile payments space, for some reason that I cannot understand, the TSM had been quickly catapulted to the dizzy heights of “payment processing panacea” … the Swiss Army Knife of mobile payment processing. At the time, no self-respecting senior payment manager could afford the reputational hit of not having one. At WEVE, there were three of them and they were connected in a row. Historically, it had not been easy making just one TSM work, the chance of getting three to work together was going to be something of a challenge!
The strategists at WEVE knew that they knew best, but their best wasn’t good enough! It cost the UK mobile operators their coveted payment processing place in the world of international financial services.
All they needed to do was step back and give themselves the time to think.
All of this was their own fault!!!
An alternative approach to information switching …
To my mind, there was always a way to make this work … using tried and tested technologies that weren’t TSMs (TSMs hadn’t been designed for this type of work anyway). The TSM might be OK for managing the interaction with the SIM, but TSMs were not really designed for moving data around.
But that didn’t prevent certain people from extoling their virtues, buying them up and then demanding their minions make them work.
The problem with the world is that the intelligent people are full of doubts, while the stupid ones are full of confidence.Charles Bukowski (maybe)
You may think thePaymentMonkey a little harsh, and maybe not in possession of all the facts. Maybe so, but thePaymentMonkey says to you … “show me the SIM-based mobile payment service that the cash-rich telcos were so desperate to show to the world”. I don’t see it.
For many years, payment card systems and ATM systems had been using ultra-reliable switching technologies. At the time of the TSM excitement, these were all being upgraded to support the increased data content of EMV-based messages, but that’s not particularly important. The point about switching technologies is that they are designed to allow chunks of data to be moved securely from one place to another, in real-time and on a transactional basis. Essentially, that was the solution to the mobile contactless conundrum, that was the solution WEVE were trying to develop, and that was where WEVE went wrong … in my humble opinion.
I remember speaking to one of the clever fellows at WEVE and explained the principles behind the switching process and how it might be applied to the delivery of EMV credentials to a SIM card. He agreed that the outline proposal sounded like a good idea, and he felt that it could work. But, and there’s always a “but”, he said that they already had “two rabbits running” and that they weren’t able to support anything more until those first two had run their course and pegged it.
By the time that the rabbits were no more, WEVE had effectively been disbanded, surviving only as a marketing department at O2 – through the front doors, turn left, up the stairs.
At this point the press were of the opinion that mobile contactless payments had failed, so inevitably, mobile contactless payments had failed.
We all make mistakes, but the trick is to surround yourself with people who are prepared to say “Oi! I think you may have made a mistake.” There must have been people around WEVE who thought the TSM path was not the best one, but either they kept quiet or when they spoke, they were lampooned for not sharing the common view.
There was an alternative approach but it was very much kept under wraps.
SIM-based mobile contactless payments were not to be
All this was going around the time that the first contactless cards were issued in the UK. The first contactless cards were meant to be an interim payment option provided to the public to test the roll-out of contactless terminals whilst we awaited the mobile solution … everybody expected the mobile solution!
But … the phones that could do payments never came, and the UK population eventually got used to the idea of using contactless cards. It took some time to get there, but someone working for one of the larger UK retailers told me the other day that 42% of all UK payments were now contactless. It sounds about right, but I wonder how many of those are mobile payments.
Looking back, it would appear that the UK may well have led the world in not developing mobile payments using SIM cards!
Throughout the payment industry, the feeling was that the UK Mobile operators had failed to make mobile payments work, but it wasn’t as bad as it might be … they failed not because they couldn’t do it, but primarily because the challenge was an impossible one. So with very little to show, the results were spun to save face, and the interest in mobile contactless payments dwindled.
Many of the mobile payment visionaries that had promised so much went on to better things and new promises that might or might not be delivered.
Telling people that you know stuff is not the same as knowing stuff!
But on the positive side, the UK led the world in rolling out contactless cards.
The industry press and the spin from the mobile operators all championed the view that designing and developing a contactless payment framework using mobile technologies was impossible … after all, three of the UK’s mobile operators had tried, and failed!
Apple to the rescue
The whole world was enamoured with Apple’s ability to innovate, and it was assumed that Apple would solve the problem … after all, it’s only a payment. How hard could it be?
Apple pulled on the gauntlet slowly and quietly, and began to experiment with ideas for a different kind of ecosystem. Whilst the proposition was still going to be based on EMV, it couldn’t be EMV as no card issuer in the US was capable of issuing cards with EMV credentials … and the fact of the matter is that whatever solution Apple came up with, protocol dictated that it would need to be launched in the US first.
Even though the UK mobile operators had failed to develop mobile payments, they had had a head start: EMV in the UK was well advanced and there were similarities between the chips on payment cards and the chips on mobile phones. The UK mobile operators failed ultimately because they were unable to deliver EMV credentials to individual mobile phones.
Apple, on the other hand, was starting from first principles. The challenge was that the US wasn’t in any great hurry to implement chip technology, and any mobile payment solution developed by the Apple team would need to work in the states (non-EMV) as well as in the rest of the world (just about all EMV).
The envisioned payment process needed an alternative to the card number as there is almost zero security surrounding the US magstripe card number. It was clear that the card number could not be used and so something needed to be added to the transaction process at the beginning of the payment that wasn’t the card number. Once the transaction had been initiated and it was safe to do so, the card number could be swapped back in later before being sent to the card scheme switch for authorisation by the issuer.
The concept of tokenisation was formed.
The same protection of the card number is not needed for an EMV transaction; the card number in EMV is of very little value as it is always protected within a transaction by the EMV cryptogram. Not so for the magstripe card.
The iPhone supported a secure element but the US card issuers could not issue EMV credentials. Replacing the issued card number with an alternative card number meant that this didn’t matter, and the concept of tokenisation was born.
Talking to a geezer from Visa in a pub down Kings Cross
I remember talking to a geezer from Visa in a pub in Kings Cross, in London. I was happy to talk but before we started, he asked for my discretion. It was a long time ago and I’m not telling you it was, so I guess that’s fairly discrete. Anyway, he asked me if the idea of swapping the card number for something else that represented the card number but wasn’t the card number, and then swapping it back later, before it was sent for authorisation, might work. Sound familiar?
We discussed a few scenarios and we walked through some payment journeys and we concluded that it could be something of interest and was indeed worth following up. Although he didn’t tell me at the time who he was asking the question for, I knew where he worked and it was fairly obvious that Apple was probably sitting in the mix somewhere. I now know that Apple was indeed behind the question and my mate was in the thick of it.
It was a long time ago so I guess I can now mention it in despatches.
There was no way that Apple was going to re-invent the whole wheel, and a global payment card acceptance network takes a while to generate traction. It looked like Apple was roping in the card schemes, which made sense.
Tokenisation takes hold
And so the concept of tokenisation in mobile payments was born, and Apple and Visa were the proud parents.
But … it was the unreasonable US disdain for Chip and PIN and a blind adulation of the merits of the magnetic stripe (again, in the US) that fuelled the fire causing the “new” entrant into the “new” payment world to push ahead with a tokenisation model.
If the payment cards issued in the US at the time had been EMV chip cards, taking the tokenisation approach would not have been necessary. Tokenisation was needed only because the card base in the US was magstripe … and the magstripe path is a very easy path to fraud.
To be fair, the tokenisation process worked quite well, and it was especially effective in introducing contactless payments to the US.
The Visa Token Service was absolutely the right approach given the lack of any US relationship with chip cards, but then we all got a bit overexcited and began tokenising chip cards that frankly didn’t need it.
The so-called payment strategists loved it: “Tokenisation” was the new “TSM”.
Here, I’m going to be adopting the inaccurately paraphrased version of the reference: “the simplest solution is usually the best one”.
When the iPhones that were capable of supporting contactless apple pay payments were introduced, they were interesting, they worked and they received a lot of publicity. On the downside, mobile contactless payments didn’t take off in the way that industry commentators had been telling us they should, based on the success of the previous UK mobile payment trials.
To be honest, it was much easier to whip out the payment card and tap it on the till … and to be fair, that’s still the case.
Apple pay, Google pay Samsung pay and the rest of the x-pay bunch are all now established, but contactless cards are still used much more than the mobile alternative. I think that in the UK and the rest of the non-US world at the time, people had already acclimatised themselves to contactless cards.
Contactless payments were on the increase because of the convenience, and people were beginning to like the idea of whipping out a contactless card and making a contactless payment more than whipping out their mobile phone.
A proximity payment made using a contactless card was always a lot easier to execute than a similar proximity payment made using a mobile phone, and that remains true today.
It’s good … but it’s not right.
The tokenisation process enabled magstripe cards to be used for contactless payments in mobile phones.
I am aware of the emergence of the dynamic CVV in the development of magstripe contactless in the US, but it isn’t relevant to this post … maybe something for another time.
The Apple iPhone fairy dust that had been liberally sprinkled over mobile contactless payments in the anticipation of something magical happening had given rise to a solution that worked but, in this case, hadn’t fired the imagination of the payment card-carrying public.
Visa and, by now, Mastercard were left with a high-end tokenisation process that was looking much like it wasn’t going to return the investment, but they couldn’t really bin it as it was driving apple pay.
And there it was.
Tokenisation worked, it worked well but it didn’t work well enough. Tokenisation was now a solution that was in desperate need of a problem.
The e-commerce gift to the card schemes
It may not have worked well enough to establish a presence in the mobile contactless payment space, but the card schemes were quick to spot the tokenisation opportunity in e-commerce. Online purchases across the Internet were coming under increasing pressure from fraudulent card usage due entirely to the incredibly weak magstripe-based security that was underpinning it. The implementation of EMV across the world (not the US) had reduced face-to-face card fraud to almost nothing, but since it wasn’t possible to apply EMV to e-commerce transactions, national and international e-commerce fraud continued to rise.
Clearly … the answer was tokenisation!
Actually, it probably wasn’t, the answer was probably to apply EMV to e-commerce transactions, which could have been achieved using server-side wallets accessed and managed by mobile phones. (There will be a post on how this could work at a later date.) There would still have been complexity, but then there was also complexity in the application of the tokenisation model, and the tokenisation model doesn’t reduce the fraud risks and transaction dependencies associated with the use of the “long card number” (PAN).
If you were to consider the tokenisation proposition and the alternatives described, you may find yourself of the opinion that EMV in e-commerce might have been just a little bit too complicated. If you do find yourself thinking along these lines, I suggest that we all take a step back and consider the case and application of strong cardholder authentication today.
Tokenisation can be applied to card numbers used for e-commerce, but it doesn’t make the underlying problem go away. It does, however, provide a return on the original investment in tokenisation.
A better payment option
Here’s why I think we may have driven the cow into the wrong field:
It seems to me that whilst we may have applied a tokenisation approach to solving the problem of e-commerce fraud, we still need an army of in-line fraud prevention mechanisms to reduce the risk of e-commerce fraud.
The way that I see it is this:
Tokenisation replaces the card number with a number that isn’t a card number. So far, so good … but is it? If swapping out the card number for a token was an effective solution to the problem of card fraud, surely there would be no need for frequency analysis, postcode checks, geolocation, revocation lists, strong customer authentication and the like.
- the card data was of no intrinsic value whatsoever, and
- the “presence of the card” was confirmed for every transaction,
there would be no need for tokenisation or for in-line fraud checks.
In the EMV transaction, the card number is of no value without the cryptogram associated with the transaction, and the cryptogram is only valid for that one transaction. Without the dynamic cryptogram (ARQC), generated specifically for a single transaction, there can be no transaction … and without the card being present, there can be no cryptogram.
The better payment option, IMHO, would have required some more years of development, but it would have brought savings in abundance for the merchants! If all transactions were EMV transactions, there would be no need for separate channels for e-commerce and for face-to-face transactions, and so only one payment service provider would be needed. Also, because of the nature of the EMV transaction, there would be no need for all the in-line, anti-fraud hang-ons that currently occupy the payment transaction pathway.
There were potential money saving strategies everywhere, but the card schemes were looking for a return on their investment.
Tokenisation was presented to the payment industry as the must-have, go-to solution for every payment-related ailment. The marketing worked and it soon became normal, and also expected, for people to berate others for not supporting tokenisation as the shiny, new payment service fashion accessory … the Swiss army knife of fraud prevention.
The use of the term “tokenisation” became synonymous with payment security and took on a life of its own, and I have forgotten how many times I heard the management mantra: “if you don’t believe in tokenisation, you must not believe in security”.
As Jeremy Bentham might have put it: the better fraud prevention option in payments is the one that provides the greatest benefit to the greatest number.
And then there was PCI
The Payment Card Industry Data Security Standard (PCI-DSS) is derived from some long-standing security principles that were recommended, but not mandated, by the card schemes. As a set of general security guidelines, I have never had any issue with them: regardless of the nature of your business, it clearly makes sense to ensure that your business information, which includes customer information, is protected … and payment systems are no different.
However … there is a big difference between generally protecting your business operation and environment, and specifically protecting sensetive card data.
In the United States, card fraud was becoming a big problem, even though payment experts in the US were playing it down. The rest of the world was in the process of implementing EMV and it was well known that card fraud had a tendency to migrate away from EMV areas into weaker geographies. Fraud migration was happening and the reasons behind the fraud migration were well understood.
Implementing EMV reduced card fraud because it rendered the “long card number” useless by itself. Sneaking a peek of the card number and the expiry date and the service code and anything else that might be gleaned from looking at the front of the card, the back of the card or skimming it with a magstripe reader, were all useless in an EMV transaction without the associated transaction cryptogram.
The PCI-DSS wasn’t originally presented to retailers and payment processors as a “mandated” payment service bolt-on … and then it was!
I think this had something to do with the US Department of Homeland Security. Recognising that card fraud was on the increase and that the proceeds of card fraud were significantly contributing to the funding of terrorist organisations, they were sold the PCI solution … and realistically, there was no alternative.
The US Department of Homeland Security was in full support of PCI as a means of limiting card fraud as a means of preventing the funding of terrorism, which is to be applauded in principle. It’s not clear, however, just how this conclusion was drawn, but it looks like it was probably down to the fact that no alternatives to PCI were presented – and to be fair, an alternative EMV solution utilising fraud prevention mechanisms already built into the end-to-end payment processes was unlikely to gain any traction in a nation that was totally uninterested in the “not invented here” chip technologies of the rest of the world.
At one time, now in the dim and distant, you could do a google search and find the evidence for this for yourself in the form of meeting minutes, but it appears to have disappeared … or maybe I am doing something wrong.
The US generally neither wanted nor understood EMV and as a result, took the path of securing every part of the transaction network and every data flow to protect the card data at rest and in motion rather than just eliminating the ability of the criminal to use the card data in the first place.
I’m not saying here that securing networks and data is not necessary, there are many reasons why you would want to secure your networks and your data. What I am saying is that if you remove all value from a given piece of information, there is no need to fret about keeping that information safe and secure – you can then spend your fretting resources on something more worthwhile.
One can only speculate that if the US had been rolling out EMV at the time, the solution to the problem of e-commerce fraud, as well as card fraud in general, would have been different … it would have likely involved EMV rather than tokenisation.
Had that been the case, the general security recommendations may or may not have gained momentum across the payment industry. We can’t know for sure, but looking at this alternative world view, the data at risk would have been customer names and addresses … and not sensitive card data.
Not unlike tokenisation, within the Payment Card Industry Data Security Standard, there was a hint of a money-spinner. Both approaches and solutions were supported by significant sums of money and considerable marketing cleverness.
Who can forget the cleverness that is the PCI Data Security Standards Rock?
Now if that isn’t something to make you reach for the pause button, I don’t know what is.
In an EMV-enabled environment, using the PCI-DSS to secure payment networks and data at rest and data in motion is the industrial, large-scale equivalent of keeping last weeks losing lottery ticket in a safe!
Without a doubt, tokenisation has been expensive to implement, and yet it doesn’t particularly add any value to the merchant. It’s a cost to the merchant rather than being a value add, and as it’s now included inthe PCI standards, it’s a cost that cannot be avoided.
Whilst it would also be true to say that applying EMV to the e-commerce channel would not have been the bargain-basement option, it would at least have at least been of some value to the merchant, with the potential benefit of considerably reducing merchant costs.
In this brave new world of e-commerce EMV, new merchants would be faced with having to pay only for a single channel implementation rather than one channel for face-to-face payments and another channel for e-commerce. Merchants would also be spared the costs and the challenges associated with joined-up marketing by having to resolve the issues associated with sharing tokens across multiple channels.
Tokenisation across multiple channels is far from straightforward and makes most omnichannel service propositions difficult and expensive to implement, if not impossible.
Neither Tokenisation nor the PCI Data Security Standards were inevitable, they were both solutions that were ultimately determined by time and place, and the proximity of vested interests over utilitarianism.
There are lessons to be learned here.
Looking from an alternative direction
EMV does away with the ability to initiate a payment with just a card number and therefore does away with the need for any in-line fraud prevention services that are specifically inserted into the transaction chain to identify the use of fraudulent card numbers. These in-line fraud prevention services are only necessary because it’s still too easy to initiate a payment using little more than a PAN.
Separating the payment initiation from the payment completion would have meant that the completion leg could have been driven by a server-side wallet capable of storing EMV keys and generating the appropriate transaction cryptogram. If this had been the case, then even if card numbers were stolen, they would be of virtually zero value to fraudsters as they would also need the appropriate means of initiating the payment … but all that’s going to be the subject of another post
But we are where we are, and we have arrived primarily as a result of circumstances and situations.
- If the UK mobile operators hadn’t adopted the TSM, the UK mobile operators would now be central to the operation of mobile proximity payments … and none of this would have happened.
- If the UK mobile operators had been driving proximity payments, there would have been no payment void for Apple to fill.
- If there had been no proximity payment void, there would have been no need to develop what turned out to be the tokenisation alternative.
- If apple pay had been adopted significantly at the outset, the card schemes would not have been looking to supplement the minimal return on their investment.
- If the US had adopted EMV along with the rest of the world, the challenge of preventing e-commerce fraud would not have been focussed on PCI.
- If the people driving the PCI standards had put functionality over fortune, the PCI standards would not have been mandated for the Payment Card Industry.
The reality is that corporations rarely act solely in the interests of their customers, but sometimes …
The UK mobile operators were attempting to branch out into financial services. Whilst commendable, they were driven by self-interest and they failed because they didn’t think it through and didn’t review their strategy … an expensive misjudgement.
Apple picked up the baton and raced to the finish line. I think this was an iPhone feature extension policy, for the benefit of iPhone users; I don’t believe that Apple was thinking of moving into the financial services space.
The card schemes responded to the situation and developed a mobile contactless mechanism for magstripe cards. They were caught on the hop as customer take-up wasn’t as anticipated.
The card schemes saw an opportunity to extend the use of tokenisation into e-commerce, and they took it. A nice little earner!
Those guitar-toting, singing cowboys at PCI were quick to climb aboard the bandwagon; they incorporated tokenisation into their standards, and the card schemes mandated it.
The marketing people jumped out of bed and before too long, “do we need tokenisation?” became “how much tokenisation do we need?”