Introducing Toucan: Fast and Secure Credentials + Fewer Declines = Happier Customers
E-commerce is over 20 years old now. It is a prominent part of how we purchase goods and consume services, and the trends are clear that this is going to continue. The advent of e-commerce was a major disruption not only for how to sell and to buy, but also how to pay. For the first time, payments were untethered from brick and mortar stores and moved into a virtual space. This disruption created unanticipated challenges to commerce: new types of fraud as well as greater needs for secure storage of personally identifiable information (PII) and staying up to date on ever-changing payment methods. These challenges still exist for the e-commerce industry and its players; merchants, fraud providers, acquiring banks, and the payment networks are all focused on making the ability to pay much safer and more efficient.
One solution to these challenges is network tokenization. Network tokenization is a system of network-provided (e.g., Visa, Mastercard, Discover, AMEX) payment tokens that replace credit card primary account numbers (PANs) and other card details. Because these tokens are provided by the network, they offer a streamlined way to move information through the transaction lifecycle. Benefits of the network token include an improved authorization approval rate and increased security of sensitive data. In fact, companies using network tokenization see an average authorization approval rate lift of 3.2%.
Enter Toucan by Pagos, a central connection point to access the network tokens for all the cards in your vault. One simple integration with Toucan allows you to tokenize cards across all major networks, without having to change anything about your current payments stack. This makes Toucan the easiest way to address payments security and customer experience.
Let’s start with payment security: Every day, more credit cards are being stored on file in company databases to make buying online easier. The more cards on file, the bigger the target for theft and fraud. Your primary account number (PAN), which was once locked in your house or in your pocket, is now duplicated and stored as a way to deliver a frictionless online checkout experience.
Customer credit cards can be stored in many databases. Some cards are stored within payment service providers (PSPs), some are stored in company-owned databases (even with the increasing cost of PCI certification, infrastructure to secure the data, and the cost of fraud prevention), and some are even stored with third parties. This ubiquitous storage of credit card information was driven by mobile-first brand experiences. As mobile became a primary way to interact with brands and stores and to make purchases, so did the need for cards to be everywhere.
Eventually—at the behest of its card network brand members—the industry body EMVCo stepped in to come up with a specification called network tokenization in order to reduce the number of real card numbers stored in the ecosystem and to create additional ability to secure credit card credentials. Network tokenization began as a way to allow mobile wallets to safely and easily store cards. Later, it was applied to the card-on-file e-commerce use cases.
The standard increases security in three simple ways:
- Real card data is no longer everywhere: Card numbers (PANs) are no longer stored directly. Instead, the networks (Visa/MasterCard/Discover/JCB) generate a token that represents the real card number.
- Tokens are provisioned before they are used: The companies that store the card must contact the issuing bank when they capture and store the card. This allows the bank to know where the card is being stored, even before it is used. In some cases, it also allows a company or wallet to authenticate the user. (This is what ApplePay uses.) The data that can be exchanged during this step is much richer than what is typically shared on a transaction.
- Tokens have a secure ID in addition to the token itself: With some exceptions, every time a company wants to use the token, the bank is asked for a unique ID (cryptogram) to attach to the transaction, linking it to the original provisioning context described in the second point above.
Beyond the security benefits of network tokenization, a key benefit of the standard is that tokens remain active even if the underlying PAN changes. Nearly 30% of issued cards in the US are reissued every year. A network token, however, will stay up to date and will not disrupt your customers’ checkout experience. Companies using network tokens receive the new details automatically, ultimately reducing churn.
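A simplified model of the three properties listed above, plus token persistence across a card reissue, added here as an illustration; it is not Toucan's or any card network's code. `ToyTokenService` and its methods are hypothetical names, and an HMAC stands in for the real cryptogram, whose construction this page does not describe.

```python
import hashlib
import hmac
import secrets

class ToyTokenService:
    """Toy network-side token service; HMAC stands in for the real cryptogram."""

    def __init__(self):
        self._key = secrets.token_bytes(32)  # secret held only by the network
        self._vault = {}                     # token -> {"pan", "requestor"}
        self._unused = set()                 # cryptograms issued but not yet spent

    def _mac(self, token, requestor, nonce):
        msg = f"{token}|{requestor}|{nonce}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def provision(self, pan, requestor):
        """Provisioning step: bind a new token to the PAN and to who stores it."""
        token = "tok_" + secrets.token_hex(8)
        self._vault[token] = {"pan": pan, "requestor": requestor}
        return token

    def reissue(self, old_pan, new_pan):
        """Card reissued: the mapping moves, the token value does not change."""
        for record in self._vault.values():
            if record["pan"] == old_pan:
                record["pan"] = new_pan

    def cryptogram(self, token, requestor):
        """Per-transaction ID, only for the requestor seen at provisioning."""
        if self._vault[token]["requestor"] != requestor:
            raise PermissionError("token not provisioned for this requestor")
        nonce = secrets.token_hex(8)
        mac = self._mac(token, requestor, nonce)
        self._unused.add(mac)
        return nonce, mac

    def authorize(self, token, requestor, nonce, mac):
        """Return the last four digits of the funding PAN, or None to decline."""
        expected = self._mac(token, requestor, nonce)
        if not hmac.compare_digest(expected, mac) or mac not in self._unused:
            return None                      # forged, mismatched, or replayed
        self._unused.discard(mac)            # single use
        return self._vault[token]["pan"][-4:]

if __name__ == "__main__":
    svc = ToyTokenService()
    tok = svc.provision("4111111111111111", "merchant-A")  # constructed test PAN
    print(svc.authorize(tok, "merchant-A", *svc.cryptogram(tok, "merchant-A")))
```

In this model a token copied from one merchant's database is of no use to another requestor, and a captured cryptogram cannot be replayed, which is why the stored token is a smaller target than a stored PAN.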
Toucan allows you to integrate network tokens and either replace or augment your current vaulting strategy to begin using network tokens in place of PANs. We make it easy to access the network services directly and control how and where you deploy them, without having to change anything about your payment stack.
Beyond the security features of network tokenization, this technology also improves customer experience: it will drive additional sales and address declines. This is because the token provides transaction context that, when missing, is more likely to lead to a decline.
Let’s remember why some transactions are declined. As we explored in “Improving Bank Decline Reason Code Management and Why It Matters,” one of the challenges when the customer and the company are not in the same location is that transactions get declined. In card transactions, some declines happen for unquestionable reasons. For example, when a debit card is linked to a checking account with a $0 balance, it is clear that this is a “real” decline. On the other hand, a large number of declines (30-40% in some cases) are returned by banks due to risk assessments, bad data (expired cards), and economics. These are much more complex to understand. Issuing banks are trying to make real-time approval and decline decisions based on only a few pieces of information. Usually they have the card number and expiry date, and usually they have some identification number and location for a merchant. They make quick judgments based on context: the type of business (commonly known as the MCC), any history they have about the seller (as identified by a merchant identifier), the location of the business, and what they know about the consumer. They have no way of knowing if the relationship between the consumer and the seller is a one-time purchase, nor do they have a way of really knowing what products are being sold.
I like to say that the context is very transactional: it is what is presented to issuing banks in real time and on the transaction message. The consequence of this is that there are more declines for risk reasons based on little information, or context, and this is a problem for everyone in the industry. Network tokens are able to securely provide additional context that can influence approval and decline decisions that may otherwise be lost on the issuing bank.
Toucan also gives you a benefit inherent in the “safety” of network tokens: the ability to share more context with issuers. That way, they can see beyond individual transactions and observe the pattern and relationship between the company and the customer. By implementing Toucan, you can use network tokens to tell issuing banks that each transaction has been secured via network token provisioning and via the transaction cryptogram. This is the additional context that banks need to reduce the risk associated with authorization. Furthermore, since a network token can remain up to date even if a card is reissued, the card-on-file credential needs less updating. Less updating means happier customers, since they can click-to-buy faster and spend less time typing card numbers into a form.
In short: authorization rates will go up, your customers will be happier, and you’ll be more secure. All enabled through Toucan.
If you are interested in addressing declines, increasing your approval rates, reducing costs, and transacting with more safety but you don’t want to rip out your current payment providers, try us out!