What are these, and what does this mean for the payments ecosystem?
Ever wondered how your Apple Pay transactions happen smoothly without your card number ever leaving your phone?
It's all thanks to tokenization. Think of it as a secret code that replaces your card number to keep sensitive payment information (PCI data) safe.
The Situation Today: Device PANs (DPANs)
Behind the scenes, adding your card to Apple has some hidden magic. Instead of your actual card number (FPAN), a unique network token called a DPAN is created and stored on your phone. This token acts as your stand-in for purchases and keeps the raw card number safe. Even if someone steals your phone, the DPAN is useless on another device.
Downsides
Losing your phone means getting a new DPAN, and using the same card on multiple devices creates different tokens for each, multiplying your token management needs.
In the past, Apple Pay relied on DPANs to ensure secure transactions. Although effective for security purposes, DPANs presented challenges when it came to using the same card across multiple devices or replacing a phone, especially in subscription scenarios. The complexity often led to confusion for merchants and created headaches for users.
Presently, Apple lacks a mechanism for merchants to update credentials. So when a card changes due to loss, theft, or routine updates, your Apple Wallet reflects the update, but any card-on-file arrangements with merchants, such as a recurring subscription to Wall Street Journal (WSJ), may encounter transaction failures. This occurs because the actual card number (FPAN) associated with the device PAN (DPAN) has changed, but the merchant (WSJ) isn't aware of it. So, when WSJ submits the payment authorization with outdated credentials, it potentially leads to transaction failure.
The Fix: Merchant PANs (MPANs)
To fix this, Apple is introducing MPANs (Merchant PANs) - see an excellent summary from Marcel Van Oost at this link here.
With MPANs, you will have a unique DPAN assigned to each merchant to make secure transactions with ease. DPANs and MPANs have domain restrictions, but MPANs have more granularity as they are specific to a merchant, whereas DPAN is unique to a device. This means your Apple DPAN will work across multiple merchants, whereas an Apple MPAN will only work for a specific merchant.
If this sounds familiar, it is. Similar tokenization already exists in the e-commerce world, where merchants register with networks through their Token Service Providers, such as VGS or their Acquirers/PSPs. The MPAN setup is similar to Apple becoming a "Token Service Provider" (TSP) - similar to VGS or an Acquirer/PSP - by registering merchants and issuing MPANs (Merchant PANs) instead of DPANs.
Apple's implementation of MPAN marks a positive step towards broader adoption of network tokens. This move raises awareness among merchants and issuers and holds the potential to address existing concerns and propel the tokenization movement forward.
PAN - ****4657
PAN - ****4657
Digital wallets:
- Apple Pay network token (DPAN) - ****9865
Digital wallets:
- Apple Pay network token (DPAN) - ****9865
TSP (VGS) / Acquirer:
- Merchant network token - ****5674
Digital wallets:
- Apple Pay network token (DPAN) - ****9865
Digital wallets:
- Apple Pay network token (MPAN) - ****6432
TSP (VGS) / Acquirer:
- Merchant network token - ****5674
Ecosystem Impact
- Merchants:
- Effortless Adoption: Many merchants might not even realize they already possess Apple MPANs, making the transition to network tokens seamless.
- New Benefits: By maintaining MPANs, merchants can unlock the benefits of tokenization, like:
- Enhanced Security: Network tokens offer robust protection against fraud compared to traditional card numbers.
- Reduced Risk of Stale Cards: Tokens remain valid even when physical cards expire, minimizing disruptions.
- Simplifying Operations: Merchants will see one unique identifier for their card, reducing confusion and improving customer service.
- Issuers:
- Improved Visibility: MPAN provides valuable insights into merchants they collaborate with, enabling stronger business relationships.
- Increased Authentication: The MPAN framework fosters an environment with more authenticated credentials, boosting security and trust.
- Payment Acceptance Ecosystem:
- Enhanced Security: As tokens become more widely adopted, the overall security of the payment landscape strengthens.
- Long-Term Growth: Increased token awareness paves the way for broader adoption and future iterations of even more secure tokens, as the Digital Authentication Framework (DAF) envisioned.
- Users:
- Working across devices: Use the same card seamlessly on all your Apple devices with one MPAN.
- Surviving phone replacements: No need for new tokens when you upgrade your phone, making things smoother.
"Securing Payments: Card Numbers (PAN) to Digital Wallets (DPAN) and onto Merchant Tokens (MPAN)"
Note: All the tokens are different types of network tokens.
The VGS Vault secures all token types across PII and PCI, and offers VGS Network Tokens to unlock enhanced security, mitigate fraud, and achieve cost savings. Tokens continue to get more popular across a variety of payment use cases, and we talk every day to multiple organizations in the payment acceptance ecosystem who are figuring this out. Let us know if we can be a sounding board for you.