The push provisioning concept - how to push cards to mobile wallets, merchants and wearables
Let’s begin with a brief introduction to push provisioning and why this is relevant…
Since Visa and Mastercard implemented EMV-based payment tokens through their respective token platforms, the list of token requestors (a.k.a. digital wallets) has grown substantially. Cardholders today can add their cards to several third-party digital wallets such as Apple Pay, Google Pay, Netflix and similar.
A cardholder who adds a card manually through the digital wallet interface (e.g., a mobile app) will require all involved parties (wallet provider, scheme, issuer, and the cardholder) to follow up with a more tedious and time-consuming verification process to ensure that the “card add” is legit and requested by the real cardholder.
A manual process of adding a card directly through the wallet interface may lead to a higher threshold for the cardholder to engage. Reasons could be less trust in the system, worrying about making mistakes, and failure to follow up on the required step-up ID&V process.
The push provisioning concept is here to remedy this and boost card issuance to digital wallets by making it simpler, faster, and more trustworthy for the cardholder. It gives card issuers a tool that allows them to push their cards on top of multiple wallets, and gives wallet providers a new channel to acquire new customers.

Cool, yeah? So how can we get you up & running with this in no time?
Our Mea Push Provisioning platform (shortened MPP) enables card issuers, program managers and fintech companies to provide their cardholders a list of all available digital wallets together with a one-click instant issuance experience directly through the issuer’s mobile app or website.
The MPP platform enables:
- Secure and effortless experience for cardholders to connect their cards with digital wallets and eCommerce merchants, by
  - Providing a list of trusted and certified digital wallets and merchants available to accept “card push”
  - One-click issuance experience through the card issuer’s own trusted channels
  - Very fast and error-free process managed without the need of cardholder step-up authentication
- Support for all certified wallets within days, by
  - Providing a service that is live and used by multiple institutions, along with tips and best practices, eliminating the customer’s need to spend time and effort on analysis and implementation
  - Fully managed backend service that includes integration, maintenance, cryptographic keys, and managing PCI data
  - Providing the service through APIs/SDKs and dev-guides that reduce the implementation time from several man-months to a few man-hours
So how does it work in general?
The Mea Push Provisioning platform removes the unnecessary part that involves implementing and maintaining all the different combinations of schemes and wallet requirements. It provides the issuer’s developers with a clean and straightforward agnostic interface that hides away the complexity of qualifying the push request and constructing the digital payloads to be sent to the selected digital wallets. The solution supports the whole process which can roughly be divided into five parts:
1. Generate the list of available wallets
The first step is to get a list of available wallets that can be presented to the cardholder within the app or website, so the cardholder may browse through the wallets and merchants to which he can add his cards.
2. Decide if the card is added to the wallet already
This is an important check to make before any instant card issuance can take place. The mobile app or website must know whether the card currently viewed by the cardholder is already added to the selected wallet(s). In other words, this step qualifies the push: it decides whether to show the “Add to wallet” button or a message saying something like “the card is already added”.
3. Provide the card data to be pushed
The next step is to get the card details of the card that is to be pushed to the wallet. The MPP solution supports mainly two secure ways to receive this card data; through a backend-to-backend transfer or via the mobile client.
4. Fetch needed data and build the payloads and cryptograms
This part is handled behind the scenes by the MPP core. It includes fetching data such as card data, wallet IDs and token requestor IDs, and applying the required logic to build the payload and the pre-authorized values to be sent to the digital wallets.
5. Push the “digital card” to the digital wallet
The last step is to push the payloads to the targeted mobile wallet. This push of data is done e.g. on the mobile phone through app-to-app communication or across devices. The receiving wallet will take over from here and function as a token requestor towards the scheme token service provider.
Step 5 results in an active card added to the wallet. The cardholder will be directed back to the issuer interface, and should now see his card added and in an active state within the wallet.
I hope this blog post helps you get the idea of push provisioning and how we can help. Let me know what you think in the comments below, and if there is anything special you would like me to write about or highlight in my next post 🙂
Interested in learning more about this topic or how we can help you? Then don’t hesitate! Reach out to us at contact@meawallet.com. We are always happy to have a chat and see where that brings us.
How recurring payments and subscriptions improve with network tokens
Card-based recurring payments/subscriptions have become a widely used payment method for many businesses and consumers. Many global internet services like Netflix, Spotify, and Dropbox operate with this payment method. Additionally, many physical services, such as gyms, libraries and public transportation companies, base their businesses on subscriptions and recurring payments. This gives merchants the benefit of consistent cash flow, and consumers the ability to store their card once at the merchant, then forget about it and just enjoy the provided services and goods. Predictability, consistency, and simplicity are very likely reasons why this type of payment has grown (and is still growing) so rapidly in popularity.
This post will highlight two essential aspects of recurring payments and subscriptions that can be improved by replacing cards on file with network tokens from Mastercard (MDES) and Visa (VTS). Let’s begin looking at the pain points first:
#1 Interrupted payments due to expired cards
Expired cards are merchants’ worst enemy when operating with recurring payments and subscriptions. An expired card means that the merchant will need to bother their customer to update the card before continuing with the payments. In the best case, this will only cause a delay; in the worst case, it will lead to a customer quitting their account or subscription with the merchant. In this situation the merchant is at an unnecessary risk of losing needed income.

#2 False declines
The second possibility of losing a payment is through a ‘false decline’ made by the card issuer due to fraud suspicion. This decline may occur even if it is a legit transaction that is being carried out. Such false declines are common in eCommerce due to the insecure nature of online transactions where the card is not physically present. Card issuers’ fraud monitoring systems are tuned to handle such transactions more strictly than card + PIN transactions presented in a physical store. For a legit eCommerce merchant, this means lost revenue.
What are network tokens?
Network tokens are virtual payment cards created by the payment schemes, and they replace the original card in the digital space. This allows for several network tokens to be created per card, and they function in the same way as the original card when storing and transacting with them. However, their digital nature allows them to possess several properties and functions that make life significantly better and more robust for merchants in the eCommerce space.
A network token will never expire the same way as a payment card. A merchant who replaces cards with network tokens will enjoy the benefit of having tokens that will always be kept valid by the payment scheme and card issuer. But what if the card issuer issues a completely new card to the cardholder? Well, that is the beauty of it! The cardholder will receive the new card in the mail but does not need to do anything with any of his subscription services at merchants that utilize network tokens behind the scenes. Active tokens are kept up to date automatically as long as the cardholder’s bank account is active. Cardholders will in this way avoid the hassle of updating services with the new card, and the merchant will not need to delay payments, bother their customers or in the worst case lose them.
What about false declines to transaction requests because of fraud suspicion? How are network tokens supposed to help here? Well, EMVCo and the schemes developed network tokenization to (among other things) heavily strengthen the security of eCommerce payments against modern fraudulent attacks. To keep it brief, let’s mention two main reasons why network tokens battle false declines better than cards. Firstly, the card issuer has greater visibility around network tokens since they participate in creating this token for the merchant. A network token used in a transaction provides card issuers’ fraud monitoring systems with more reliable and known information to validate before approving or declining. Secondly, a tokenized transaction has a higher assurance level than a card transaction due to several imposed security mechanisms, e.g., domain control and cryptography. It means, in other words, that only the merchant requesting the token can use it, and it is always secured cryptographically.
All this sounds great, right? But who should consider enabling network tokenization? And how is the availability in my markets? If you store cards today and use them for recurring payments or occasional shopping, then this is relevant for you. We would be happy to have a chat if you would like to know more about how this works and on the availability in your markets. Please reach out to contact@meawallet.com.
Tokenization vs. Digitization - What is the difference?
Tokenization and digitization are two central elements in mobile payments which are easily mixed when talking about them. Many are confused about their meaning and therefore use them interchangeably. Let us have a look at what the difference is:
Tokenization
Tokenization is simply the act of generating a device token (also called payment token). This will function as a representation of the funding primary account number (PAN) and expiry date given on your payment card. A mapping between the PAN data and the payment token is then created in a secure token vault for use in subsequent transaction processing.
It is possible to have several device tokens mapped to the same underlying funding PAN. This will be the case if you have two or more devices on which you want the card to be stored and with which you want to be able to pay.
If the device is lost or stolen, the mapping can simply be deleted from the token vault in order to make the device token invalid. The device will then no longer be able to perform transactions.
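The vault mapping described above, as an added example that is not part of the original post: a toy in-memory vault that issues one Luhn-valid device token per device for the same funding PAN and invalidates a device's token by deleting its mapping. The class and method names, the token prefix `990000` and the test PAN are assumptions made for illustration.

```python
import secrets


def luhn_check_digit(partial: str) -> str:
    """Return the Luhn check digit that makes partial + digit valid."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:  # these positions are doubled once the check digit is appended
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    return number.isdigit() and luhn_check_digit(number[:-1]) == number[-1]


class TokenVault:
    """Toy vault (hypothetical); a real one is an access-controlled, audited store."""

    def __init__(self, token_prefix: str = "990000"):  # constructed prefix, not a real range
        self._prefix = token_prefix
        self._by_token = {}  # token -> (pan, expiry, device_id)

    def tokenize(self, pan: str, expiry: str, device_id: str) -> str:
        """Create a new device token for this PAN; every device gets its own token."""
        random_len = len(pan) - len(self._prefix) - 1
        while True:
            body = self._prefix + "".join(
                secrets.choice("0123456789") for _ in range(random_len))
            token = body + luhn_check_digit(body)
            # The token must never equal the PAN or collide with a live token.
            if token != pan and token not in self._by_token:
                break
        self._by_token[token] = (pan, expiry, device_id)
        return token

    def detokenize(self, token: str):
        """Resolve a token to (pan, expiry); KeyError if unknown or revoked."""
        pan, expiry, _device = self._by_token[token]
        return pan, expiry

    def tokens_for_pan(self, pan: str):
        return sorted(t for t, (p, _e, _d) in self._by_token.items() if p == pan)

    def revoke_device(self, device_id: str) -> int:
        """Delete every mapping for a lost or stolen device; returns how many."""
        doomed = [t for t, (_p, _e, d) in self._by_token.items() if d == device_id]
        for t in doomed:
            del self._by_token[t]
        return len(doomed)


if __name__ == "__main__":
    vault = TokenVault()
    pan = "5555555555554444"  # constructed test PAN
    phone = vault.tokenize(pan, "12/29", "phone")
    watch = vault.tokenize(pan, "12/29", "watch")
    print("tokens for PAN:", vault.tokens_for_pan(pan))
    vault.revoke_device("phone")  # phone reported stolen
    print("after revoke:", vault.tokens_for_pan(pan), "watch still maps:",
          vault.detokenize(watch) == (pan, "12/29"))
```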
Digitization
The process of card digitization optionally includes tokenization (although Visa and Mastercard require it), but in addition embraces all other subprocesses needed to make a complete digital card ready and provisioned onto a device. These subprocesses comprise important tasks such as identification and verification of the cardholder, card and device eligibility checks, tokenization approval, provisioning of the digital card and initial key replenishment.
The figure below shows very clearly that tokenization is just one element of digitization and handles only the part with token creation and mapping. When speaking of digitization, we are referring to the complete process, starting with the digitization request from the consumer’s device and continuing until the card is fully digitized (has gone through every one of the subprocesses listed) and provisioned onto the device with key credentials. When the digitization process is complete, the device is ready to be used for payment.
MeaWallet has made all of this simple with its Mea Token Platform that handles both digitization and tokenization, by connecting Issuers to AmEx, Mastercard and Visa’s respective token platforms. Get in touch with us if you are interested in learning more about how this works and how we can help you get started with mobile payments. Just leave a reply to us on our contact page, and we will contact you shortly.
Our mission at MeaWallet is to help our clients simplify mobile payments and support implementation. Our team is passionate about the subject and continually looking at the evolution and trends in the mobile payments space. We welcome your comments or invite you to get in touch directly with us at contact@meawallet.com
Digital Payments: QR Codes or HCE?
There are myriad definitions of digital payments, depending on the nature of the payment, and what types of interfaces are involved in the payment process. In this blog post, we will define a digital payment as a cashless payment process that is executed through digital channels and digital devices. For example, using your mobile phone to pay in a physical or online store through an OEM Pay App, using a proprietary app on your mobile phone to transfer money to your friend -- all of these can be considered as digital payments in this context.
Nowadays, there are many payment apps available for end-users to choose from and execute a payment. Those apps can be from your own banks, third-party fintech companies, or financial institutions. I will discuss two digital payment methods that are quite popular amongst users: QR code and Host Card Emulation (HCE) payments. If you want to learn more about the HCE ecosystem, you can read a previous blog post about that here.
The key advantage of QR-code mobile payments is flexibility: they are not constrained to certain types of mobile phones, as long as the handset has a built-in camera that can read/scan the QR code to execute the payment. This technology requires the point-of-sale (POS) either to display a QR code that users scan to execute the payment, or to scan a QR code that is displayed on the user’s payment app/handset. This means that building a vast merchant acceptance network within the QR-code payment ecosystem is a compulsory prerequisite; otherwise, end-users will be limited to only certain POS where they can use that QR-code mobile payment app. A few examples of QR-code-based mobile payment apps are Alipay, WeChat Pay, Seqr, Payconiq, and others.
In the case of Alipay, they have succeeded in building their merchant acceptance network due to their strong customer base and easy integration with the cash register, where the merchant can read the QR code or barcode displayed on the user’s mobile device to authorize the payment. WeChat Pay is a good example of a successful and widely used QR-code mobile payment app.
However, the situation is different for other players. Seqr, a European mobile wallet launched in 2012 and currently active in 17 countries, is one example: it started as a QR-code-only mobile payment app and faced challenges in widening its payment acceptance network throughout the countries in which it is active. To enable Seqr in a POS, an integration is required. In the case of a physical store, integrating with the cash register system and setting up a unique QR code as an identifier of the cash register are two crucial tasks for the merchant in cooperation with Seqr and the cash register supplier. This can sometimes be a tricky and long process.
In summer 2016, MeaWallet helped Seqr (now rebranded as Glase) launch an HCE payment solution that has enabled contactless EMV payments directly in the Seqr mobile app, meaning that Seqr users with Android mobile devices can pay anywhere in the world, as long as they pay at contactless enabled terminals. The HCE technology has helped Seqr solve a limitation with relation to the payment acceptance network. Seqr can now grow their user base by providing NFC payments in their payment app for Android users. Unfortunately, iPhone users are limited in that they can only use Apple Pay for contactless mobile payment.
Back to the question - QR code or HCE? We believe the answer will differ from one market to another depending on the maturity and degree of adoption, contactless terminal penetration, payment behavior, apps’ user base and many other factors. However, considering the convenience from the implementation side and the future of NFC-enabled terminals, my vote goes to HCE and OEM Pays, where MeaWallet has been instrumental in helping various banks and financial institutions globally implement the service both as a managed services and under license agreements.
Leveraging our MeaToken Platform, MeaWallet has delivered digital payments technology to banks and financial institutions around Europe providing a technical platform for card issuers to digitize and payment enable their cards in mobile wallets. Through our services, card issuers can enable payments in-store, in-app and online using their existing wallets or be part of OEM Pays (e.g., Apple Pay, Android Pay or Samsung Pay). MeaWallet is also a Mastercard Engage Gold partner, part of VTS Ready Program and an Amex GNS partner for Amex Pay.
What is Secure Remote Commerce? (SRC)
SRC - a new era of e-commerce?
The press release on Secure Remote Commerce (SRC) that EMVCo published in late April from the major schemes proves that the payment industry has already begun to direct its focus to eCommerce. Online shopping has become a vast industry that keeps on growing together with digital evolution. This increasing trend makes it a paradise for hackers and people with fraudulent intentions, especially since the security related to storing and processing card data has not been evolving equally fast to meet every new fraud method.
The EMV security standards utilized at physical points of sale have been shown to be successful in decreasing fraud and theft. Together with the concept of tokenization, where a token replaces the PAN, this makes a solid security wall for keeping out anyone who wants to steal and misuse payment credentials from a cardholder. The introduction of SRC within the eCommerce domain would mean that we can now expect to achieve the same level of security for online shopping as we have in EMV chip and contactless payments.
Security is a large part of SRC; however, it also aims to simplify the shopping experience for consumers, which in turn should decrease the number of abandoned shopping carts. One standard interface for all card schemes, no more manual entry of card data or home addresses, and simple checkout with just a few clicks. Having only a few steps together with convenient authentication, such as biometric/face recognition using technology like 3DS2.0, will give shoppers a whole new and easygoing experience.
Convenience and security are two elements of online shopping that have been on opposite sides of the scale in eCommerce. The more security the merchant adds to its checkout process, the more cumbersome it is for the consumer to complete the process. This leads to increased abandonment of shopping carts. Merchants are forced to accept a higher risk to gain more customers. This problem will be solved by SRC, which offers both security and convenience in the same package.
SRC introduces the concepts of tokens and dynamic cryptograms, which the merchant obtains during a checkout process from a token service provider through the SRC system. The token data will then be processed in a regular transaction flow, increasing security and lowering the potential fraud for merchant and PSP.
One significant advantage for the merchant is the promise of a standard interface for all the card schemes participating in the SRC program. That will considerably simplify implementation and enablement. These services will further be available to consumers through a common ‘checkout button’ on the merchant page, and consumers will be able to access all their stored cards (tokens) and shipping details with just a few clicks at every checkout.
But what about ID&V? How do we make sure that it is the rightful owner who is doing the checkout? After the first login, SRC utilizes cookies to recognize a returning consumer, which allows them to complete a checkout process. However, the issuing bank may choose to enforce ID&V smoothly and efficiently by using 3DS2.0 in the checkout process. 3DS2.0 supports authentication and authorization through the issuer’s mobile banking application using device capabilities such as fingerprint and face recognition, in addition to existing methods from 3DS1.0.
Issuers must participate
For consumers to tokenize and store their cards with SRC, the issuing bank must connect to the card schemes’ token service provider (TSP). All of the major card schemes (Visa, Mastercard, American Express) have developed their own TSP which offers services that allow for creating, provisioning and managing digitized cards. This issuer-to-TSP connection will be a prerequisite for enabling SRC.
Getting started with SRC, card tokenization and token management may be a high barrier for many issuing banks. Understanding the concept, acquiring technical knowledge and developing support for one or multiple schemes can become costly and time-consuming. On top of this are the frequent changes in technology, which will require following up on new updates, re-development and potentially strict and expensive certification tracks. However, the issuing bank has other possibilities than doing this by itself.
SRC and card tokenization are within MeaWallet's core focus. We have built a pre-certified platform (referred to as Mea Token Platform) for those issuers who want to enable digital payments in a simplified and secure manner. All is provided through a single interface for integration which simplifies the complexity and reduces workload for the Issuer. The product comes together with the knowledge and guidance of our team and thus gives a short, easy and low-risk path to digital payments.
A New Generation of Payments - How payment methods differ across generations
It can be hard to keep track of all the new payment methods which seem to keep popping up. Over the past few years, there’s been a growing interest in contactless, wearable and mobile payments as well as the significant hype around cryptocurrencies. But different demographics each have their own take on how they view and how they’ve adopted these new ways to pay.
Sainsbury’s Bank recently examined the financial habits of three generations in the UK: the Baby Boomers, Generation Xers and the millennial generation. The preferred methods of payment varied by age group, but there is an evident decline in cash payments across all three, with 23% of the millennial generation carrying less than £5 in their wallets at any given time. Indeed, current estimates suggest that debit card payments will overtake cash by 2025 and it’s likely that by then the majority of these payments will be electronic.
Our recent blog post discussed the growing market and benefits of mobile payments in the UK, yet Sainsbury’s found that only 30% of people across all three generations are happy to make contactless payments using their phone. As we discussed, this figure would likely increase if trusted banking apps offered mobile payments.
So what does the future hold for payment methods? With Millennials being a generation of digital natives, and as a new generation, Generation Z, comes of age, we can expect that electronic payments will soon reign supreme. However, more needs to be done to increase trust around emerging payment options.
Check out the visual below for more details on the findings of Sainsbury’s Bank:
DSRP - The magic behind those four letters
Since you have found the way to this blog post, the assumption is that you already know a bit about the concepts of card tokenization and dynamic cryptograms and how these enhance security within payments. Contactless payments with HCE-enabled devices already leverage these security concepts, but they have yet to be put to use for online payments.
A Google search on e- and m-commerce gives clear indications that predict a significant increase over the next couple of years. There are over three billion internet users in the world today, and around 195 billion m-commerce transactions are expected to be conducted annually by 2019. These numbers suggest that the two security concepts mentioned above should be applied to enhance secure online shopping as well. Mastercard has introduced a solution to this called Digital Secure Remote Payment (DSRP), which is tokenization and dynamic cryptograms brought to e- and m-commerce.
Card-on-file transactions
Card-on-file transactions are the most common method of performing payments when shopping online in a browser or in-app. These types of transactions use static card data (such as a PAN, expiry date, and CVC/CVV), provided by the consumer, merchant or a third-party service at the time of checkout*. The card data is combined with payment details from the merchant and then transferred to the issuer over the appropriate network for validation.
*Card data may come from three different sources during checkout:
1. Consumer: Manually inputs the card data
2. Merchant: If the merchant is certified, the consumer can choose to store card data at the merchant after the first visit. This enables the merchant to retrieve the card data whenever the consumer is ready for checkout.
3. Third-party service: Consumers may create an account and store card data using services such as PayPal or Amazon Pay. Card data will then be retrieved during checkout at merchants who have implemented this as a payment option.
Security mechanisms (e.g., 3D-secure) are present to conduct safe and reliable online transactions. However, as it is the same static data which is sent over the network for each transaction, the vulnerability and the risk of fraud increase.
This is where tokenization and cryptograms come into play. Using dynamic cryptograms that are unique to each transaction prevents anyone from re-using the transactional data. A generated cryptogram is only valid for one single transaction and cannot be reused once it has been utilized.
A contributing factor to transaction vulnerability is the direct connection between the PAN and the bank account. This is why substituting device tokens for the PAN through tokenization will help reduce the risks. A device token is not affiliated with anything considered to be sensitive information, and will not be of any value to anyone but the scheme’s own token service provider. Device tokens have the property of being easily invalidated and discarded if the situation requires it.
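The one-time property described above, as an added example that is not part of the original post and is not Mastercard's DSRP algorithm: HMAC-SHA-256 over the transaction fields and a device transaction counter stands in for the scheme's cryptogram, and the verifier also enforces the per-merchant domain control mentioned in the network-token post. All class names, the token value and the merchant IDs are constructed for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Payment:
    token: str
    merchant_id: str
    amount_minor: int     # amount in minor units, e.g. cents
    currency: str
    atc: int              # device transaction counter, increases on every payment
    cryptogram: str = ""


def compute_cryptogram(key: bytes, p: Payment) -> str:
    """Stand-in cryptogram: HMAC over length-prefixed fields (assumption)."""
    fields = [p.token, p.merchant_id, str(p.amount_minor), p.currency, str(p.atc)]
    msg = b"".join(len(f.encode()).to_bytes(2, "big") + f.encode() for f in fields)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]


class DeviceWallet:
    """Holds the token and its key on the consumer's device (hypothetical)."""

    def __init__(self, token: str, key: bytes):
        self.token = token
        self._key = key
        self._atc = 0

    def pay(self, merchant_id: str, amount_minor: int, currency: str) -> Payment:
        self._atc += 1  # a fresh counter value makes every cryptogram different
        p = Payment(self.token, merchant_id, amount_minor, currency, self._atc)
        return replace(p, cryptogram=compute_cryptogram(self._key, p))


class TokenServiceProvider:
    """Verifier side: knows each token's key, allowed merchant and last counter."""

    def __init__(self):
        self._tokens = {}

    def provision(self, token: str, merchant_id: str) -> DeviceWallet:
        key = secrets.token_bytes(32)
        self._tokens[token] = {"key": key, "merchant": merchant_id, "last_atc": 0}
        return DeviceWallet(token, key)

    def verify(self, p: Payment) -> str:
        rec = self._tokens.get(p.token)
        if rec is None:
            return "unknown_token"
        if p.merchant_id != rec["merchant"]:
            return "domain_mismatch"      # token presented outside its domain
        expected = compute_cryptogram(rec["key"], p)
        if not hmac.compare_digest(expected, p.cryptogram):
            return "bad_cryptogram"       # any altered field breaks the MAC
        if p.atc <= rec["last_atc"]:
            return "replay"               # counter already consumed
        rec["last_atc"] = p.atc           # advance only after a valid cryptogram
        return "approved"


def demo():
    tsp = TokenServiceProvider()
    wallet = tsp.provision("9900001234567890", "MERCHANT-A")  # constructed values
    first = wallet.pay("MERCHANT-A", 999, "EUR")
    second = wallet.pay("MERCHANT-A", 2500, "EUR")
    tampered = replace(second, amount_minor=250000)  # captured, amount changed
    elsewhere = wallet.pay("MERCHANT-B", 999, "EUR")
    return [tsp.verify(first), tsp.verify(first), tsp.verify(tampered),
            tsp.verify(second), tsp.verify(elsewhere)]


if __name__ == "__main__":
    print(demo())
```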
Digital Secure Remote Payment
Digital Secure Remote Payments bring tokenization and dynamic cryptograms to online shopping in order to achieve the same level of transaction security as held through a contactless HCE transaction in-store. The transaction flow utilizes the mobile device capabilities and includes elements such as authentication, token retrieval, and cryptogram generation. Facilitating this requires the online merchant and wallet application to communicate, and both parties will need to implement the relevant APIs and SDKs from Mastercard.
All DSRP transactions need to go through the mobile device in order to retrieve the tokens, in addition to the consumer who is required to apply their mobile PIN for payment authentication. Successful authentication leads to the sending of the token and generated cryptograms from the device to the online merchant, who will process these as a substitute for card-on-file data.
DSRP brings EMV security to online payments using the consumer’s own mobile device as a point-of-sale. An intriguing part is the absence of a terminal throughout the transaction process. When it is possible to achieve the same security level without physical terminals, why do we need them in stores? An important reason is that DSRP requires the device to be online. This will obviously not be possible everywhere, so we still need them. But who can tell what the future will bring?
If the focus is on a digital mobile strategy, the next steps will be to start with tokenization and Masterpass, which are the foundations that must be in place to achieve DSRP.
Swedbank launches mobile payments powered by MeaWallet
Mobile payments continue to grow in popularity as this major bank launches tap-and-go payments in their app. Utilizing MeaWallet’s token platform, Swedbank has enabled their clients to perform digital contactless card payments (tap & pay). This news means that Swedbank's customers can get that “Apple Pay feeling” from their Swedbank app; saving time in checkout lanes at the supermarket or coffee shop.
Swedbank is the biggest bank in the Baltic market and they have 2,0M digitally active users daily. We are very proud that they have selected our technology and services for maintaining and strengthening that position. The HCE technology with MasterCard MDES support is delivered as a managed service, integrating MeaWallet's tokenization* platform with Swedbank’s mobile banking application. You can download or upgrade the app for Latvia here, Estonia here and Lithuania here. Swedbank is the first live project fully certified on MCBP 2.0.
Tokenization*
Payment tokenization is a security technology specified by EMVCo where sensitive card information is replaced with a unique digital identifier called a token. In this way, payments can be processed without exposing card data. Watch this video if you want to learn more about tokenization.
As one of the first vendors globally, MeaWallet has received full approval of the Mea Token Platform and SDK for MCBP 2.0 (Mastercard Cloud Based Payments). To our customers, this means they can enable card digitization and tokenization supporting all the latest features, while they can rest assured that the security, functionality, and performance are in place.
This achievement adds to the list of steps MeaWallet has taken the last months to become a true world leading company in digital payments enablement. In October 2017, Mea was recognized by Mastercard as a Gold level vendor in their Mastercard Engage program. Mastercard Engage helps Mastercard’s customers and other interested parties in identifying technology partners – such as MeaWallet – that can help them translate their digital payments agenda into reality and bring their digital solutions to market easily and quickly.
The technological solution in Swedbank’s application is a product supplied by MeaWallet. It is advantageous to use the Mea Token Platform and Mea's certified SDK if you want products delivered on time and on budget.
Swedbank adds to the list of banks providing innovative payment services to their users. Another selected customer and partner of Mea, Budapest Bank, has been live with mobile payments since June 2018 and their numbers keep on increasing. At the time of writing the bank has close to 5.500 active cards, a whopping 32 % of eligible users! According to Budapest Bank's customers, the NFC payments work great and are much appreciated.
We wish to congratulate our customers on providing the service of digital contactless card payments. We appreciate your opinion - If you have any questions or comments you can direct them to sales@meawallet.com