Tokenization for ACH Transactions
Tokenization for ACH Transactions
Jane Larimer – NACHA George Throckmorton – NACHA Jennifer West - NACHA
© 2016 NACHA — The Electronic Payments Association. All rights reserved. No part of this material may be used without the prior written permission of NACHA. This material is not intended to provide any warranties or legal advice and is intended for educational purposes only.
2
Purpose of Todays Discussion • This group discussion will identify key elements or “takeaways” that will inform a newly formed Payments Innovation Alliance ACH Tokenization Task Force. • The Task Force will develop a token strategy recommendation proposal to NACHA and Stakeholders.
© 2016 NACHA — The Electronic Payments Association. All rights reserved. No part of this material may be used without the prior written permission of NACHA. This material is not intended to provide any warranties or legal advice and is intended for educational purposes only.
3
Discussion Group Assumptions • Participants have a working knowledge of payment tokens and the ACH Network • For today’s discussion, the question of whether tokenization is needed on the ACH Network will be assumed as positive and will not be addressed by the Task Force
© 2016 NACHA — The Electronic Payments Association. All rights reserved. No part of this material may be used without the prior written permission of NACHA. This material is not intended to provide any warranties or legal advice and is intended for educational purposes only.
4
Tokenization Efforts Currently Underway • Most current efforts are related to card payments: – The Clearing House Secure Token Exchange – PCI Security Standards Council – Non-Payment Tokenization Technical Standards to protect data at rest – ASC X9-119-2 defining token generation and security requirements for requesting and generating a token – EMVCo Payment Tokenization Specification
But the ACH environment is very different from card…
© 2016 NACHA — The Electronic Payments Association. All rights reserved. No part of this material may be used without the prior written permission of NACHA. This material is not intended to provide any warranties or legal advice and is intended for educational purposes only.
5
Generalized Token Concept in Card Payments
Mercator Advisory Group © 2016 NACHA — The Electronic Payments Association. All rights reserved. No part of this material may be used without the prior written permission of NACHA. This material is not intended to provide any warranties or legal advice and is intended for educational purposes only.
6
The ACH Environment is not the Same as Card • The ACH Network supports both credits and debits (not just a debit model that is supported by cards) • The scale of Direct Deposit of payroll – large number of employers (many small), payroll providers, etc. • The majority of our volume is between known counter-parties and many are recurring in nature • US Government is the largest user of the ACH So how are tokens are relevant to ACH payments?
© 2016 NACHA — The Electronic Payments Association. All rights reserved. No part of this material may be used without the prior written permission of NACHA. This material is not intended to provide any warranties or legal advice and is intended for educational purposes only.
7
UPIC: Static Tokens for ACH Credit Payments
© 2016 NACHA — The Electronic Payments Association. All rights reserved. No part of this material may be used without the prior written permission of NACHA. This material is not intended to provide any warranties or legal advice and is intended for educational purposes only.
8
Potential Benefits of Tokenization for the ACH (i.e. Use Cases) • Benefits will ultimately depend on which model is implemented on the ACH Network. Benefits may include: – Replacing large caches of account data thereby protecting data at rest • Mitigating risks to Originator, ODFI, RDFI and consumer in cases of data breach
– Preventing fraud shift from cards to ACH (as the card systems move to tokenization) – Being able to cut off access to a consumer account by “turning off” the token (depending on model) • Implications for situations when an Originator fails to stop sending transactions to an account
– Some account validation functionality
© 2016 NACHA — The Electronic Payments Association. All rights reserved. No part of this material may be used without the prior written permission of NACHA. This material is not intended to provide any warranties or legal advice and is intended for educational purposes only.
9
Focusing On Today’s Discussion….. • ODFI Model – the originating bank is required to tokenize their originators’ account data and detokenize it before the account data is put into the Network as part of an ACH transaction • RDFI Model – the account-holding bank is required to issue and manage tokens, so that ODFIs and Originators never receive the account number, just the token • Hybrid Model – ODFIs would be required to tokenize their originators account data, but RDFIs could issue tokens if they desire, and those tokens would supersede the ODFI token © 2016 NACHA — The Electronic Payments Association. All rights reserved. No part of this material may be used without the prior written permission of NACHA. This material is not intended to provide any warranties or legal advice and is intended for educational purposes only.
Jane Larimer – NACHA George Throckmorton – NACHA Jennifer West - NACHA
© 2016 NACHA — The Electronic Payments Association. All rights reserved. No part of this material may be used without the prior written permission of NACHA. This material is not intended to provide any warranties or legal advice and is intended for educational purposes only.
2
Purpose of Todays Discussion • This group discussion will identify key elements or “takeaways” that will inform a newly formed Payments Innovation Alliance ACH Tokenization Task Force. • The Task Force will develop a token strategy recommendation proposal to NACHA and Stakeholders.
© 2016 NACHA — The Electronic Payments Association. All rights reserved. No part of this material may be used without the prior written permission of NACHA. This material is not intended to provide any warranties or legal advice and is intended for educational purposes only.
3
Discussion Group Assumptions • Participants have a working knowledge of payment tokens and the ACH Network • For today’s discussion, the question of whether tokenization is needed on the ACH Network will be assumed as positive and will not be addressed by the Task Force
© 2016 NACHA — The Electronic Payments Association. All rights reserved. No part of this material may be used without the prior written permission of NACHA. This material is not intended to provide any warranties or legal advice and is intended for educational purposes only.
4
Tokenization Efforts Currently Underway • Most current efforts are related to card payments: – The Clearing House Secure Token Exchange – PCI Security Standards Council – Non-Payment Tokenization Technical Standards to protect data at rest – ASC X9-119-2 defining token generation and security requirements for requesting and generating a token – EMVCo Payment Tokenization Specification
But the ACH environment is very different from card…
© 2016 NACHA — The Electronic Payments Association. All rights reserved. No part of this material may be used without the prior written permission of NACHA. This material is not intended to provide any warranties or legal advice and is intended for educational purposes only.
5
Generalized Token Concept in Card Payments
Mercator Advisory Group © 2016 NACHA — The Electronic Payments Association. All rights reserved. No part of this material may be used without the prior written permission of NACHA. This material is not intended to provide any warranties or legal advice and is intended for educational purposes only.
6
The ACH Environment is not the Same as Card • The ACH Network supports both credits and debits (not just a debit model that is supported by cards) • The scale of Direct Deposit of payroll – large number of employers (many small), payroll providers, etc. • The majority of our volume is between known counter-parties and many are recurring in nature • US Government is the largest user of the ACH So how are tokens are relevant to ACH payments?
© 2016 NACHA — The Electronic Payments Association. All rights reserved. No part of this material may be used without the prior written permission of NACHA. This material is not intended to provide any warranties or legal advice and is intended for educational purposes only.
7
UPIC: Static Tokens for ACH Credit Payments
© 2016 NACHA — The Electronic Payments Association. All rights reserved. No part of this material may be used without the prior written permission of NACHA. This material is not intended to provide any warranties or legal advice and is intended for educational purposes only.
8
Potential Benefits of Tokenization for the ACH (i.e. Use Cases) • Benefits will ultimately depend on which model is implemented on the ACH Network. Benefits may include: – Replacing large caches of account data thereby protecting data at rest • Mitigating risks to Originator, ODFI, RDFI and consumer in cases of data breach
– Preventing fraud shift from cards to ACH (as the card systems move to tokenization) – Being able to cut off access to a consumer account by “turning off” the token (depending on model) • Implications for situations when an Originator fails to stop sending transactions to an account
– Some account validation functionality
© 2016 NACHA — The Electronic Payments Association. All rights reserved. No part of this material may be used without the prior written permission of NACHA. This material is not intended to provide any warranties or legal advice and is intended for educational purposes only.
9
Focusing On Today’s Discussion….. • ODFI Model – the originating bank is required to tokenize their originators’ account data and detokenize it before the account data is put into the Network as part of an ACH transaction • RDFI Model – the account-holding bank is required to issue and manage tokens, so that ODFIs and Originators never receive the account number, just the token • Hybrid Model – ODFIs would be required to tokenize their originators account data, but RDFIs could issue tokens if they desire, and those tokens would supersede the ODFI token © 2016 NACHA — The Electronic Payments Association. All rights reserved. No part of this material may be used without the prior written permission of NACHA. This material is not intended to provide any warranties or legal advice and is intended for educational purposes only.
