“The entire tokenization infrastructure that’s put in place by the payment networks is also a business model. They’ve tied their model to Apple so that transactions and enablement of mobile payments has to go through Visa, MasterCard, AMEX and the like.” Tim Sloane, Mercator Advisory Group
4. Android: Waiting in the Wings
• Multiple hardware device implementations
• Multiple versions of OS
– Android One
– AOSP
• Microsoft / Cyanogen
• 40 Apple iPhone Variations, 90,000+ Android Variations
• Google Wallet V1, Google Pay, Samsung Pay …….
7. APPLE PAY Operation
[Diagram: Apple Wallet Implementation. Parties shown: Merchant, Acquirer, Branded Network, Issuer. Flow labels: Auth Request w/TOKEN, Lookup PAN, Auth Request w/PAN. Numbered callouts 1-8 match the steps below.]
1) iTunes user provides card number (PAN) to iTunes.
2) Apple forwards request to enable Apple Pay to the bank that owns the card for permission.
3) When bank approves the request, the PAN is communicated to the appropriate network for token generation
4) Network and Apple insert token into Secure Element of device
5) Consumer presents Apple Pay device to POS using Touch ID
6) Token and other payment relevant data are sent to the POS, which forwards via acquirer to the network
7) Network receives token and looks up PAN. PAN is inserted into the authorization request and sent to the issuer
8) Issuer receives the authorization request and approves or denies the transaction.
(Note that several special fields in the authorization request, and other activities such as provisioning the NFC device, are not described here.)
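The provisioning and authorization steps above, modelled as an added Python example that is not part of the original slides. It shows that the merchant and acquirer path carries only the token while the network alone maps it back to the PAN. Class and function names, the constructed test PAN and balances, and the choice of a random Luhn-valid token of the same length as the PAN are assumptions of this example.

```python
import secrets

def luhn_check_digit(body):
    """Digit that makes body + digit pass the Luhn test."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch) * 2 if i % 2 == 0 else int(ch)  # every second digit is doubled
        total += d - 9 if d > 9 else d
    return str((10 - total % 10) % 10)

class Issuer:
    def __init__(self, balances):            # PAN -> available cents (constructed)
        self.balances = balances
    def approve_provisioning(self, pan):     # step 2: bank grants permission
        return pan in self.balances
    def authorize(self, pan, cents):         # step 8: approve or deny
        if self.balances.get(pan, 0) < cents:
            return "DECLINED"
        self.balances[pan] -= cents
        return "APPROVED"

class Network:
    """Card network; the only party holding the token-to-PAN map."""
    def __init__(self, issuer):
        self.issuer, self.vault = issuer, {}
    def provision(self, pan):                # steps 3-4: generate token for the device
        if not self.issuer.approve_provisioning(pan):
            raise PermissionError("issuer refused provisioning")
        while True:
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 1))
            token = body + luhn_check_digit(body)
            if token != pan and token not in self.vault:
                self.vault[token] = pan
                return token
    def authorize(self, token, cents):       # step 7: look up PAN, forward to issuer
        pan = self.vault.get(token)
        return self.issuer.authorize(pan, cents) if pan else "DECLINED"

def pay_at_pos(network, token, cents, merchant_log):
    request = {"account": token, "cents": cents}   # steps 5-6: token only
    merchant_log.append(request)                   # what merchant and acquirer see
    return network.authorize(token, cents)

def demo():
    pan = "4111111111111111"                 # constructed test PAN
    network = Network(Issuer({pan: 5000}))
    token, log = network.provision(pan), []
    results = [pay_at_pos(network, token, 3000, log),
               pay_at_pos(network, token, 3000, log),   # exceeds remaining balance
               pay_at_pos(network, "999", 100, log)]    # never provisioned
    return token, results, any(pan in str(r) for r in log)
```

A token that was never provisioned is declined at the network and never reaches the issuer, and the merchant-side log contains no PAN for any of the three requests.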
9. APPLE PAY is PROPRIETARY
• Few networks have access to the Apple Provisioning function
• Provisioning is contractually coupled to compensation & settlement
• Tokens alter how merchants find & use alternate networks
• Tokens alter merchants' back-end processes (disputes/returns/etc.)
• EFT networks must share transactional data with MC/V to participate
• No solution exists to enable Bank Mobile Apps or ATM access
10. EMVCo HCE SUPPORT
1) Multiple Mobile Environments
2) Each with unique security capabilities
3) Each with unique identity support
4) HCE cloud (Open to Buy Limits / One Time Use Tokens)
[Diagram: token flow between Merchant, Acquirer, Branded Network and Issuer (Auth Request w/TOKEN, Lookup PAN, Auth Request w/PAN; numbered callouts 1-8), with a Token Service Provider (TSP). Device environments shown: SE; HCE & DF; HCE & DF & Bio. Identity labels: ID&V Method 1, ID&V Method 2, ID&V Method 3. Names shown: Softcard, Google, Google/Samsung.]
11. Tokenization Challenges:
• What will be the long term fee structure?
• How will EFT networks participate?
• What is the role of issuing processors?
• How will credentials be passed to ATM or is alternate needed?
• How and when will the bank app be payment enabled?
• Token Value prop in Mobile Apps is weak.
– Card on File preferred by most merchants
• Merchants question Tokenization Durbin Compliance.
• Is Apple A Good Long Term Strategic Partner?
• How is a portfolio switched when Token Vault is held by the network?
12. BANK NETWORK & APP CHALLENGES
Too many stove pipe solutions
[Diagram labels: M-App, M-Browser, Banking App, RDC, Etc., EFT PIN, P2P, mPOS. Solution categories: Bank Solutions, MC/V Solutions, EFT Solutions, Mobile Apps, ID, Social, Cloud…]
14. mPOS WILL DRIVE CHANGE & COMPLEXITY
• New Data Types
• New Transaction Types
• New Network Interactions
• New Networks (e.g. MCX)
Innovation will surround the Payment utilizing m-POS and Smart Apps
15. INNOVATION ON MOBILE HAS ITS RISKS
New methods of Identity Verification combined with a complex mobile platform (hardware, OS, multiple comms carriers in both the handset and the POS), all riddled with vulnerabilities, make a payments platform only an entrepreneur can love.
Client
- Credentials in memory
- Credentials on file system
- Data stored on file system
- Poor cert. management
- Etc.
Network
- Clear text credentials
- Clear text data
- Backdoor data
- Data leakage
- Etc.
Server
- SQL Injection
- Cross Site Scripting
- Local File Inclusion
- Authentication
- Etc.
18. COMPETITIVE REVIEW
Apple
Must deliver more value to merchants. Expect loyalty & BLE innovation as mechanism to engage consumer and pass credentials at POS. Passbook gets interesting.
Google / Softcard Technology
Softcard technology isn’t what Google needs; it needs low cost access to the SE by MNOs. It is unclear what business model networks will adopt to enable Google Wallet. Google must change existing pooled account model to encourage bank participation.
MCX / CurrentC
Introduces a cross merchant loyalty agent that lowers payment costs for merchants. MCX isn’t impacted by card networks; it lives or dies on its own ability to execute.
PayPal / Paydiant
Current services implemented using private acquiring infrastructure and merchant relationship slows deployment. PayPal needs greater merchant adoption before Apple, and must implement a business model that drives bank participation.
Financial Institutions
FIs promoted Apple Pay to gain top of wallet without knowing Apple’s or Networks’ long term strategy. Without Android, banks can’t satisfy customers and can’t enable existing bank apps. Networks create new revenue source from issuers and protect market.
Samsung / LoopPay
Will a smaller LoopPay still be effective? Is interim solution likely to cause problems at POS? Unclear how Samsung will drive adoption by banks or what business model Networks will implement.
19. INNOVATORS APPROACHING FROM ALL DIRECTIONS
• Deliver engaging and complete financial services to your customers.
• Review adjacent markets that add value or threaten your value proposition.
• Acquire partnerships and technologies that strengthen your value proposition and level of customer engagement.
• If you don’t, others will!