Tokenization explained
What it is, how it works and how you can benefit
On the 9th of September 2014 Apple main linking pins between Apple’s
officially announced the long-awaited announcement and the payment
Apple Pay solution. Apple’s schemes’ follow-up turned out to be the
announcement had a huge impact on use of tokenization. Apple had worked
everything related to mobile payments; it closely with the payment schemes in
basically revitalized the entire ecosystem order to ensure quick and easy access to
and influenced many ongoing discussions. Apple Pay and a high level of security. Easy
For example, the fact that Apple Pay uses access is ensured by allowing member
Near-Field Communication (NFC) to banks to outsource their tasks regarding
communicate to payment terminals was, customer enrollment and transaction
in the eyes of many experts, the final authorization for Apple Pay to the
confirmation that NFC is the de-facto payment schemes, via the MDES, VTS or
standard for such communication. ATS services. And good security, especially
Similarly, Apple Pay’s use of an embedded for in-app payments, is ensured partly by
Secure Element (SE) impacted the ongoing the tokenization services offered by the
discussion in the industry on the merits of payment schemes.
SE-based solutions versus ‘cloud-based’
solutions based on Android’s Host-based Tokenization, at least in the form used by
Card Emulation (HCE) technology. And Apple, was first specified by EMVCo, in a
finally, Apple announced that Apple Pay document called ‘EMV Payment
was going to be the first real-life payment Tokenisation Specification - Technical
ecosystem using payment tokens . Framework’ (ref. [1]). This document was
published in March 2014. This means
On that same day in September, there were only six months between the
MasterCard and Visa announced services introduction of tokenization and its first
called the MasterCard Digital Enablement large-scale implementation by Apple,
Service (MDES) and the Visa Token Service MasterCard and Visa. This is one of the
(VTS). Somewhat later, American Express fastest times to market for a new
followed suit with its American Express technology.
Token Service (ATS). One of the prominent
features of these services is their
capability of replacing sensitive payment
account information found on plastic
cards with a ‘token’. In fact, one of the
page 2 1. The payment industry has used a different form of ‘tokens’ already a long time before Apple Pay. For the difference between these ‘security’ or ‘acquirer tokens’ and the ‘payment
tokens’ used by Apple, see section ApplePay.
White paper - Tokenization explained
page 3 2. Banks and payment schemes have devised a multitude of other ways to increase the security of online CNP transactions, such as the CVC2 code, passwords and dynamic transaction
authorization codes delivered by SMS or generated by a chip card. Solutions based on 3D-Secure also fall into this category. However, transactions protected by such measures are still
considered CNP.
White paper - Tokenization explained
All of these technologies have found payment cards have been under attack CP fraud in brick-and-mortar shops will be
applications in the mobile payment space, from their invention. And due to its central largely solved (Ref. [4]).
both for payments at the point of sale role in identifying the customer’s account,
(PoS) and for online or in-app payments. the PAN has always been at the center of However, because the card is not actively
This proliferation of technologies and attention in these attacks, with thieves involved in CNP transactions, EMV has no
associated security solutions means that trying to obtain PANs and the payment bearing on CNP transactions. Therefore, as
the difference between CP and CNP industry trying to protect them. CP fraud becomes harder, fraud is moving
transactions rapidly loses its significance. On a high level, protection of the PAN can to the CNP space. In some markets the
The boundaries between PoS transactions be done in two ways. We can try to ensure bulk of fraud in the card payment space is
and online transactions are blurring as the authenticity of the card containing the already happening with CNP transactions
well. In fact, the card payment industry is PAN and the cardholder using it, or we try (Ref. [5]). And since the volume of remote
moving towards a future where a physical to protect the confidentiality of the PAN. and in-app payment transactions is
payment cards may disappear. Instead of a In the first approach, we ensure that the growing dramatically, other markets can
card as the prime or only identifier of the PAN is coming from an authentic card and be expected to follow soon. Despite the
customer account, there will be multiple is used by the rightful cardholder. In the multitude of specific measures aimed at
ways of identification, depending on the second, we guarantee that only the increasing the security of CNP
channel used and preferences of both the rightful cardholder and his bank know the transactions, at the moment the only
customer and the merchant. PAN to begin with. generic defense against CNP fraud is to
keep the PAN secret. Consequently, the
The real significance of tokenization can Over the years, many security standards payment industry has put a lot of
only be understood against this backdrop have evolved for the payment industry to emphasis on adherence to the PCI
of ‘non-card-payments’ transactions. But achieve these goals (Ref [3]). Examples of requirements. Businesses have spent an
before we move into the question of what the first approach include cardholder estimated 1 billion dollar on PCI
tokenization is, we must first look into verification methods such as signature compliance between 2006 and 2009
payment card fraud. and PIN. However, also EMV technology alone. Despite this, the recent major
falls into this category. The basic aim of security breaches at Heartland, Target,
Fighting Card Payment Fraud EMV is that a PAN cannot be used for a Neiman Marcus and others exposed tens
card-present transaction without the of millions of PANs. Statistics show that
Threats and Countermeasures: EMV and associated physical card being present. 89% of the organizations suffering a data
PCI The prime example of the second breach were not compliant with PCI DSS at
Despite the technological evolution of approach is formed by the Payment Card the time of the breach (Ref. [6]). For the
payment cards, the main principles of Industry (PCI) Security Standards Council. remaining 11%, clearly the fact that they
card-present transactions have changed All requirements in PCI DSS are aiming to were PCI compliant was not enough to
little over the decades. The customer ensure the confidentiality of sensitive card prevent the data breach. It is fair to say
present his card, which directly identifies data, especially the PAN. that the goal of a worldwide merchant
the account from which the funds to cover and payment industry adequately
the payment will eventually be drawn. To EMV has been proven to be very successful protecting PANs at all times is a long way
do so, the card carries a Primary Account to combat CP fraud. UL is convinced that off.
Number (PAN), which is linked one-to-one once the US market has migrated to EMV
to the customer’s account. Because the and the use of magnetic stripe cards can
possibility to spend other people’s money be abolished worldwide,
has always been alluring to fraudsters,
page 4 3. For an overview of payment security standards, their content and the way they interact, please refer the UL whitepaper ‘Meet The Family - Payment Security Standards’,. 4. For a
detailed discussion of possible fraud scenarios in relation to EMV and PCI, see the UL whitepaper ‘Prevention Is Better Than Cure - EMV and PCI’. Both are retrievable from www.ul-ts.
com. 5. For European countries, a nice breakdown of overall card fraud into several categories, including trends, can be found at http://www.fico.com/landing/fraudeurope2013/.
6. Source: FirstData, 2012.
White paper - Tokenization explained
Cross-Channel Fraud
The problem of the lack of security for CNP
transactions is made worse by
cross-channel fraud which is a type of
fraud in which card details that were
fraudulently obtained via one payment
channel are used to withdraw money from
the customer’s account via another
channel. For example, payment card data
(i.e. PAN) stolen from PoS devices may be
used to initiate fraudulent CNP
transactions over the internet.
Cross-channel fraud is a major worry for
several reasons:
• First, the possibility of cross-channel
fraud means that the security of all
payment channels is effectively
interdependent. Take ‘PIN-and-chip’, which
makes card-present payment transactions Figure 2 - Fraud risk reducation options
more secure by requiring authentication
of the card and the card holder. This conversely, the designers of the new the PAN secret. 3D-Secure-based
positive effect will be negated to some payment channel need to look to possible mechanisms such as ‘Verified by Visa’ and
extent if it is possible to steal the full cross-channel fraud, in addition to making ‘MasterCard SecureCode’ attempt to
magstripe data and use it to perform a sure their solution is secure on its own. reduce CNP fraud by means of cardholder
‘magstripe and signature’ transaction in authentication.
another part of the world. Tokenization: A New Approach
• Second, the security of CNP transactions Fighting card payment fraud is essentially The real novelty of payment tokens, as
has not been solved in a consistent and a matter of risk management. A basic specified by EMVCo, is the idea to reduce
satisfactory way globally, and it probably approach to risk management is to the impact of fraud instead. Even if a
will not happen anytime soon. Because of quantify risk as the multiplication of the breach occurs and payment tokens get
the possibility to cross-channel fraud, this likelihood of a certain security breach and known, the damage done is limited. This is
means that other payment channels will the impact of that security breach. This is achieved by limiting the value of a token,
remain at risk as well. shown in Figure 2. compared to the original PAN it replaces.
The next chapter will describe in detail
It is clear that cross-channel fraud is a Historically, the emphasis for risk how this works.
threat to the emergence of the reduction in the card payments industry
omni-channel payments experience that has been on reducing the likelihood of
we mentioned above. Every addition of a fraud. EMV and PCI are prime examples of
new payment channel means that existing this. EMV reduces the chance of fraud
channels have to worry about the security happening with CP transactions by
of the new channel and the potential for introducing strong card authentication.
cross-channel fraud that it opens up. And PCI reduces the chance of fraud by keeping
page 5
White paper - Tokenization explained
In the context of this whitepaper, the Until recently, there was little or no
high-value credential is the PAN. Even standardization for security tokens,
within this context, it is necessary to meaning that every vendor of such
properly distinguish between two types of systems used their own solution. For
tokens: security tokens and payment example, security tokens can be generated
tokens. The key difference between these using very different methods, such as
token types is that payment token can be random number generation or encrypting
used to initiate a payment transaction, or hashing the original PAN. From a
whereas security token cannot. The next security point of view, these methods are
two subsections describe these types of very different indeed. Recently,
token in more detail. standardization processes were started by
ANSI in the United States and the PCI SSC
internationally. The main thrust of these
efforts is to guarantee a comparable level
of security between different systems for
security tokenization.
page 6
White paper - Tokenization explained
Payment Tokens user must be able to obtain a token for marketing system using the token only as
Apart from security tokens, the other type every location at which the original PAN an identifier for a particular customer,
of PAN tokens is payment tokens. As stated can be used. Security tokens are used only irreversible tokens are fine. For an order
before, EMVCo described payment tokens within a particular merchant’s site or entry system, the token must be reversible,
in their Tokenisation Framework. system. because in the end the payment
• Due to their global reach, payment tokens transaction must contain the real PAN.
Payment tokens are fundamentally cannot be issued by a merchant or acquirer, Payment tokens obviously must be
different from security tokens. The table as security tokens are. A new role in the reversible always.
below shows the differences between payment ecosystem is needed, called the • Payment tokens are used in the same way
payment tokens and security tokens. Token Service Provider. The Token Service as a real PAN and therefore must have the
Provider may be the issuer. same format. In particular, the first digits
The principle difference shown in the table • Payment tokens are generated by a Token of the tokens are used for routing the
is that a payment token must be usable for Service Provider, which may be the card payment transaction to the correct issuer,
initiating payment transactions, while issuer, or a third party on behalf of the and payment tokens must pass the Luhn
security tokens are not. All other issuer. check. In contrast, security tokens do not
mentioned differences follow from this • Security tokens are generated by the need to be in the same format as the
requirement: merchant itself. It may also be that the original PAN. Again, whether or not this is
• Payment tokens may be short-lived acquirer (or a third-party vendor) offers the case for a particular token depends on
(dynamic) or long-lived (static). Security tokenization as a service. In that case, the intended use.
tokens are generally long-lived, as they are however, the merchant and the acquirer • The properties of payment tokens are
meant to be stored and used for different effectively share one distributed defined by EMVCo and allow the token
purposes later on. tokenization system. issuer to limit the value of the token in
• Payment tokens must be usable globally, • Security tokens may be irreversible, several ways according to the token’s
at every location or site where the original meaning there is no way to obtain the domain, storage location and assurance
PAN is usable. Note that this does not original PAN from the token. Whether a level. The properties of security tokens are
mean that every token is usable at each of security token is reversible or irreversible not standardized.
these locations, but that (in principle) a depends on the intended use. For a
page 7
White paper - Tokenization explained
Ecosystem
The EMVCo framework for payment
tokenization was designed to be fully
compatible with existing three or
four-party payment schemes. The table
Figure 4 - EMVCo payment token provisioning
below shows the five familiar roles in such payment token is depicted in Figure 4.
a scheme and the impact the introduction
of tokenization has on each of them.
A cardholder interacts with a Token Based on the ID&V information and
The main ingredient that tokenization Requestor and presents his PAN. The potentially further checks done by him or
adds to the payment schemes-as-we- Token Requestor sends a ‘Token Request’ requested from the Issuer, the Token
know-them are two new roles, called the message to the Token Service Provider. Service Provider determines the Token
Token Requester and the Token Service This message may contain so-called Assurance Level. This is basically an
Provider. These parties play important Identification & Verification (ID&V) indication of how trustworthy the new
roles in the lifecycle of a payment token, information, which indicates how sure the token is. We discuss ID&V and Token
which mainly consists of two steps: token Token Requester is about the identity and Assurance Level in more detail below.
provisioning and token transaction authenticity of the cardholder.
processing.
page 8
White paper - Tokenization explained
The Token Service Provider returns the cardholder’s device will produce a token this transaction. These checks are discussed
token to the Token Requester. Depending cryptogram to authenticate the in more detail further in this document.
on the use case, the Token Requester stores transaction. A token cryptogram is a
the token or forwards it to the Cardholder’s transaction-unique value generated using The Token Service Provider probably will
device. Below, the most important transaction data and cryptographic keys also validate the token cryptogram on
tokenization use cases are discussed. stored on the device. In the case of an behalf of the issuer, although EMVCo leaves
EMV-based transaction, the token open the possibility that this is done by
Token Transaction Processing cryptogram may be a dynamic CVC value or the issuer itself. If all checks are correct,
Figure 5 shows the transaction processing an ARQC (Ref. [7]). the Token Service Provider will replace the
flow in case an EMVCo payment token is token by the real PAN, and will send the
used instead of a real PAN. The payment transaction, including the transaction to the issuer for authorization.
token-specific data, is sent from the During transaction authorization, the
In some use cases, such as NFC payments merchant, via the acquirer, to the Token Issuer may use the Token Assurance Level
in a shop, the cardholder will present the Service Provider. The same protocols and of the token, next to other information,
token to the PoS terminal of the merchant. payment network(s) are used for this as to decide whether or not to authorize the
In other use cases, such as Card-on-File would be for a transaction using a real transaction.
systems, the merchant already knows the PAN. The Token Service Provider carries
token. out a number of checks on the token, for Token Properties and Token Domains
For mobile payment transactions, the example to make sure the token is valid for Payment tokens according to EMVCo have a
number of properties:
page 9 7. Please beware that the word ‘token’ is often used to refer to a token cryptogram, instead of to a surrogate value for the PAN. In discussions between different parties, this can easily
lead to confusion, which can be most easily cleared up by asking or giving a clear definition of what a ‘token’ is.
White paper - Tokenization explained
• A token domain, which indicates the Token Requester and the Token Service Several parties in the scheme may be
environment in which a token may Provider, and is reflected in the ID&V involved in these Identification and
be used. Domains can be based on information that must be present in the Verification methods. The lower-security
parameters such as the merchant where token request. security methods, such as address
the transaction takes place, the digital verification or a zero-amount
wallet in which the token is stored and the Figure 6 shows a number of ID&V authorization, may be carried out by the
channel used to initiate the payment, such methods identified by EMVCo, together Token Requester, who will report on the
as magstripe card, EMV card, mobile NFC with an indication of their relative outcome of these checks in the Token
or card-not-present. strength. Note that EMVCo does not Request message. Risk scoring will be done
• A token assurance level, which is a mandate any particular ID&V methods by Token Service Providers. In case a very
measure of the assurance placed on and gives only a rough indication of how high trust is needed in the relationship
the connection between the token and strong these methods are. between cardholder and token, the card
the rightful cardholder. The different
token assurance levels and the EMVCo
requirements for these levels are discussed
later on.
page 10
White paper - Tokenization explained
Static and Dynamic Tokens Payment Tokenization Use • Apple uses an embedded Secure Element
Although the EMVCo Tokenisation Cases on the iPhone 6 to store the token.
Framework does not discuss this, a • Tokenization is not the only important
distinction can be made between static ApplePay Token Issuance security feature in Apple Pay. In fact, an
and dynamic tokens. Static tokens are Apple Pay card is an EMV card, using
tokens that are meant to be used for many From the figure below, it is clear that Apple cryptography to ensure that the card used
payment transactions. Dynamic tokens, on Pay follows the issuance process for tokens in every payment transaction is authentic.
the other hand, are meant to be used for as defined by EMVCo. The following The cryptographic keys that are stored in
only a limited number of transactions. aspects are noteworthy: the Secure Element to allow this are
Tokens can be made dynamic by setting • Apple itself takes on the role of Token derived by the payment schemes and sent
the token expiry date to a date in the near Requester. securely to Apple together with the token.
future. Alternatively, the issuer can set • MasterCard, Visa and American Express • Apple Pay tokens are static: the same
rules in its authorization system so that a act as Token Service Providers for cards token can be used for multiple
certain token is only valid for a limited carrying their respective brands. For Visa, transactions. Apple refers to a token as a
number of transactions, or even for only a the platform doing this is Visa Token ‘Device Account Number’.
single one. Service (VTS), for MasterCard it is the
Digital Enablement Service (MDES) and
The more ‘dynamic’ a token is, the shorter Amex calls its service the American
its lifetime and the more effort must be Express Token Service.
put in frequently issuing new tokens. • The card issuing banks take care of the
Conversely, a more ‘static’ token needs to Identification and Verification process for
have stricter requirements with regard to the cardholder.
the security of its storage location, unless • Cardholders present their PAN to Apple
other security measures are present to either by making a picture of their card, or
ensure that a stolen token cannot be used. by referring to a card that is already
present in their iTunes account.
page 11
White paper - Tokenization explained
Transaction Processing This is very powerful, but without the use • Replacing a compromised token without
When looking at the figure, one of the of tokenization, it probably would have any effect on other tokens or on the
most promising features of Apple Pay been too risky for Apple. Without underlying PAN. This can be done without
becomes immediately clear: Apple Pay tokenization, Apple would have been the cardholder even noticing.
allows a customer to pay both in a physical forced to store the real PAN of the Other noteworthy aspects of Figure 8:
shop and in an iOS app (Ref. [8]). In a shop, customer on its devices, opening up the • Both for NFC transactions and in-app
the phone uses its NFC interface to risk of cross-channel fraud. transactions, Apple Pay generates a token
communicate with a PoS device, while for Tokenization allows Apple and the cryptogram. Depending on whether an
in-app payments the app connects to the payment schemes to manage this risk, for EMV or contactless magstripe transaction
payment provider of the merchant. example (Ref. [9]) by: is performed, this is an EMV cryptogram or
a dynamic CVC.
• Apple uses the term Dynamic Security
Code for the token cryptogram.
• The cryptogram is validated by the
schemes, on behalf of their card issuers.
Issuers do not validate any cryptograms
from Apple Pay.
For both payment channels, however, the • Using different tokens for NFC payments
security level is identical. And once the and in-app payments, thus preventing
transaction reaches the acquirer, also the cross-channel fraud between these
way the transaction is processed is the channels.
same. Therefore, Apple Pay closes the gap
between traditional CP and CNP
transactions.
page 12 8. Apple makes a distinction between in-app purchases and Apple Pay purchases done via an app. The first category involves goods and services that are delivered within the app, such
as digital books, subscriptions or bonus levels in a game. The latter category involves real-world goods and services that are bought via an app but delivered via another route. In-app
purchases are not paid for via Apple Pay, but via the App Store. 9. These are merely suggestions; it is not known how Apple deals with this in practice.
White paper - Tokenization explained
page 13 10. Interested readers are referred to UL’s whitepaper ‘HCE security implications - Analyzing the security aspects of HCE’ (January 2014). 11. Some vendors of cloud-based payment
systems, as well as other parties such as Google Wallet, use different solutions, such as tokenizing the Application Transaction Counter. 12. Each of the major payment schemes uses a
slightly different name for these credentials and has slightly different methods for limiting their validity. 13. In practice it would lead to problems, because the PAN or token is used to
identify the payment application e.g. in some cryptographic certificates. Using a different token for every payment transaction would require renewal of those certificates for every
transaction.
White paper - Tokenization explained
However, in practice there are a number of interface. However, there is no reason why Watch and therefore are able to use Apple
differences between the two concepts: such applications could not be used for Pay. However, mobile payment systems
• A token replaces a PAN; a limited-use remote and in-app payments, much in the using tokenization will be created also for
credential replaces a cryptographic card same way as Apple Pay does. If that Android phones.
key. happens, tokenization will become more • Currently, Apple Pay cannot be used for
• A token is usually valid for the entire relevant for cloud-based apps as well, for check-out at online web shops. In the
lifetime of the virtual card; a limited-use exactly the same reasons. future, we expect Apple or other mobile
credential is often cryptographically payment systems based on tokenization to
limited to only one payment transaction. Above, we pointed out that MasterCard, support this use case as well.
• Tokenization is primarily meant to battle Visa and American Express each have • A new rate tier for interchange fees for
cross-channel and card-not-present fraud, systems that can act as the Token Service tokenized transactions. The concept of
whereas limited-use credentials solve the Provider for Apple Pay virtual cards. Some “card-not-present” (CNP) will be soon
problem of the lack of secure storage for of these systems can also act as providers outdated. Solutions such as Apple Pay in
payment keys in a mobile device. In other of limited-use credentials for cloud-based combination with the payment schemes’
words: limited-use credentials are there to payment applications. Therefore, banks tokenization services allow a consumer to
secure a specific type of card-present can use the services of these systems to pay over the internet with the same level
transactions, whereas tokens have a much provision virtual payment cards both on of security as in a shop.
broader applicability. iPhones supporting Apple Pay and on • Tokenization of other payment cards.
Android phones supporting HCE Once tokenization is successful for
Despite these differences, tokens may be technology. ‘open-loop’ payment cards, fraud may be
used in a cloud-based mobile payments expected to shift to other payment cards,
system. The major payment schemes What is next for Tokenization? such as private label, voucher, and benefit
currently do not have an obligation to do cards. Consequently, tokenization will be
so, although they usually require that the The use of tokenization has only just applied for such cards as well.
issuer can recognize transactions begun. Even with Apple Pay being fully • Tokenization in other domains, such as
originating from cloud-based payment tokenized, the percentage of payment health care and social security.
applications by their PAN and does not transactions for which a token is used Tokenization can not only be used for
authorize transactions using that PAN over instead of a PAN is still tiny. This goes both Primary Account Numbers (PAN) in the
a different payment channel. If for card-present and card-not-present payment industry, but also for other
tokenization is used, tokens are used next transactions. So what will the future be valuable identifiers, such as social security
to limited-use credentials, not in for tokenization? numbers, patient numbers in medical
replacement of them. records, etcetera. Also for these identifiers,
UL believes the following developments the idea of using surrogate values that are
A major reason for the payment schemes will gain traction in 2015 and beyond: based on the domain in which they are
not to require tokenization of the PAN for • An increasing use of tokenization to used can potentially solve many security
cloud-based payment applications is the secure both internet payments and problems. In these domains, such
fact that these applications currently are in-shop payments. Partly this will happen surrogate values are commonly known as
used (almost) exclusively for paying in because of the increased percentage of ‘privacy-protecting credentials’ or
brick-and-mortar shops over the NFC customers that use an iPhone 6 or Apple ‘anonymous credentials’.
page 14
White paper - Tokenization explained
UL published a white paper on this topic in How UL Can Help • Our test and certification services ensure
April 2012, entitled ‘Comparison of e-ID that your (virtual) cards and acceptance
solutions with privacy-preserving This white paper has shown the reasons infrastructure is thoroughly tested,
characteristics.’ behind the payment industry’s adoption of including the interface to any Token
• Solutions for tokenization’s remaining tokenization and the benefits that Service Providers. Our wide range of
problems. Dynamic tokenization poses tokenization has for merchants and certification services includes terminal and
problems for merchants and loyalty issuers. Eager to explore the possibilities of host protocol certification and network
schemes. Many loyalty implementations tokenization for your organization? UL can interface validations, as well as security
require the PAN to identify the customer help you! testing and load and performance testing.
and assign loyalty points. This is not • UL’s consultants provide expert business • We can also advise you on the latest
possible with a dynamic PAN. Future and technical advice and consultancy security threats and industry
developments will provide solutions for services across the mobile, payment, requirements. UL’s security evaluation
that problem. e-ticketing and government domains. We services are endorsed by recognized
• Ongoing standardization for Security help you to develop strategic insight, regulators and certification bodies, such as
Tokens. Although not the main topic of setting and reaching your goals, evaluate EMVCo and PCI, as well as by all major
this whitepaper, security tokens are very vendor proposals or creating your offering. payment schemes.
relevant to reduce the risk of card data We understand your challenges and know • Finally, utilize our test tools allow you to
comprises in non-payment environments how to address them. You can leverage our demonstrate the quality of your products
such as loyalty and fraud analysis. We extensive knowledge, which goes beyond or systems, or, conversely, to ascertain the
expect the PCI SSC and other parties to mobile payment technology only. UL also quality of a system that you need to
come up with standards to achieve a has an outstanding portfolio of training formally accept. UL has a broad portfolio
common and auditable level of security courses. Whether you need to brush up of off-the-shelve test tools, including many
between tokenization systems offered by your knowledge about Tokenization, NFC, tools specific for the mobile payments
different vendors. HCE, TSMs, EMV, SEPA or any other topic domain. Alternatively, we can develop
related to your business, custom test tools to suit your needs.
page 15
Contact details
UL
Transaction Security Division
www.linkedin.com/company/ul-transaction-security
info@ul-ts.com
www.ul-ts.com www.twitter.com/ULTSnews