Short arcane post. Dual routing of debit in ecom is much more complex than I thought. A puzzle and my head is spinning. Hang with me here as I don’t want to write a novel. This only applies to debit in the US.
The key takeaway? Competing PIN networks have new headwinds in tokenized PANs. Tokenization with a liability shift will protect Visa debit.
- Durbin requires dual routing, and the FRB announced it applies to eCommerce
- A debit card has 5 basic forms in eCom
  - Untokenized PAN (ex consumer entered debit card online)
  - Tokenized by acquirer and held by merchant (ex FISV Transarmor)
  - COF tokenized by network services and held by merchant (majority of tokenized cards)
  - Tokenized debit held in a wallet (ex Device PAN – DPAN in Apple Pay). Note that there was an IDV process with a high degree of issuer involvement here.
  - BNPL or Wallet balance with debit as funding instrument (ie Staged Digital Wallet)
- Some alternative PIN debit networks have built “dual message” authorization into certain acquiring banks (without PIN) with member banks willing to implement this feature. The retailers group and PIN debit networks were hoping that the Fed would mandate that all issuers enable this dual-message-like function. This did not happen.
  - See MAG Fed note page 7, and footnote 11 on FRB rule.
  - Final clarified rule “§ 235.7(a) does not require the condition to be satisfied for each method of cardholder authentication”
- There are 5 key challenges for eCom dual routing
  - Merchants need to detokenize to perform least cost routing
  - Merchants that tokenize cards on file with network tokenization services may receive a liability shift. If a card is detokenized, it is the merchant that holds responsibility for fraud.
  - Debit cards tokenized within a wallet are more complex, as IDV and a 3 way match of consumer, card and phone is performed during the provisioning of the card into the phone. All this costs money with many external parties involved. It’s like locking up your card in a brand new vault. The FRB makes clear that there must be detokenization processes available to merchants. Allowing any merchant to detokenize the DPAN held in a secure wallet is problematic and costly. Thus wallet detokenization may result in more of a temporary FPAN (to protect the provisioned card), where COF detokenization may provide the FPAN.
  - The responsibility to detokenize sits with the token service (ex VTS/MDES). For TCH banks, the token vault is held separately. All token vaults have an approval process for the endpoint issued the token (merchant or wallet). Some of these tokens have a liability shift (ex when provisioned to GooglePay IDV is performed), some do not (ex PAN-DPAN exchange of COF).
  - The issuers must have processes for approving and tracking detokenization. For example, if a wallet debit is detokenized it should be reissued.
Value of Tokenization
As a reminder, everyone agrees on the need to protect consumer privacy, stop data breaches and provide enhanced security around PANs. Elimination of funding PANs (FPAN) through Tokenization is a no brainer. Additionally the benefits are:
- Potential liability shift
- Authorization of Transaction (vs PIN-less PIN single message)
- Sync of card updates with banks
- Reduced fraud
- Reduced cost of fraud operations
- Better consumer experience (detokenized DPANs will have higher declines)
The Merchant Decision
Dual routing or liability shift. Large merchants are saving 10-15bps on POS debit processing through dual routing, but eCom is a different animal. Only the very largest merchants can manage fraud adequately. 95% of merchants would prefer the liability shift (and other value points above).
As I related in my post M2020 blog – Merchants Tokenize, top tier merchants that have invested in dual routing prefer to stay away from network tokenization altogether. In 2021, Kroger had $132B in sales; assuming 70% debit and 10bps savings, that equates to almost ~$100M. But this is becoming more difficult as consumers prefer contactless and particularly ApplePay. So while COF are held separately, and tokenized Google/Apple payments are managed separately (ie for dual routing).
Visa owns debit in the US. This complexity is driving the 7 competing PIN networks bonkers, now add processor volume incentives, FANF and network tokenization .. all of which further solidifies Visa’s debit dominance.
Post FRB Actions
I see the following FRB activities following last month's FRB Durbin rules in eCom:
- MA will detokenize eCom
- Visa will follow MA in US with liability shift for tokenized cards that go through IDV process. Note ROW has this in place for all networks.
- V/MA will work to educate both merchants and processors of the benefits of network tokenization and liability shift
- V/MA Issuers will immediately support all detokenization of COF, and will ensure liability shift is tracked by fraud ops for both transaction and merchants performing the detokenization. For example, detokenized debit cards are placed on tighter review.
- V/MA will establish processes for detokenizing debit cards provisioned to a wallet (ex temporary FPAN issuance)
- Merchants and Processors will perform cost benefit analysis of tokenization (ie liability shift) vs dual routing. Debit use within eCom is very low in most verticals other than grocery. I believe very few merchants will see a benefit of dual routing.
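
The cost-benefit analysis in the last bullet, sketched as an added example (not from the original post): each credential segment is routed over a competing network only if the routing saving exceeds what detokenizing costs the merchant. The fraud and decline rates, the `Segment` fields and the sample volumes are assumptions; only the 10bps saving and the Kroger figures come from the post.

```python
# Added illustration. Rates are expressed in basis points (1 bps = 1/10,000).
from dataclasses import dataclass

@dataclass
class Segment:
    name: str
    volume: float          # annual debit volume in dollars
    network_token: bool    # token issued by a network token service (COF or wallet DPAN)
    liability_shift: bool  # fraud currently sits with the issuer, lost on detokenization

def net_bps(seg, routing_saving_bps, fraud_bps, decline_cost_bps):
    """Net gain in bps from least cost routing this segment."""
    net = routing_saving_bps
    if seg.network_token:
        net -= decline_cost_bps      # detokenized DPANs see higher declines
    if seg.liability_shift:
        net -= fraud_bps             # merchant takes back responsibility for fraud
    return net

def plan(segments, routing_saving_bps, fraud_bps, decline_cost_bps):
    """Per segment: ('dual-route', annual dollar gain) or ('keep token', 0.0)."""
    out = {}
    for seg in segments:
        net = net_bps(seg, routing_saving_bps, fraud_bps, decline_cost_bps)
        if net > 0:
            out[seg.name] = ("dual-route", seg.volume * net / 10_000)
        else:
            out[seg.name] = ("keep token", 0.0)
    return out

def gross_routing_saving(sales, debit_share, saving_bps):
    """Upper bound on savings if every debit dollar could be routed freely."""
    return sales * debit_share * saving_bps / 10_000

# Constructed sample merchant: volumes and the liability_shift flags are assumptions.
SAMPLE = [
    Segment("untokenized PAN", 400e6, network_token=False, liability_shift=False),
    Segment("acquirer token",  300e6, network_token=False, liability_shift=False),
    Segment("network COF",     200e6, network_token=True,  liability_shift=True),
    Segment("wallet DPAN",     100e6, network_token=True,  liability_shift=True),
]

if __name__ == "__main__":
    # Assumed rates: 12 bps fraud exposure, 3 bps cost of extra declines.
    for name, (decision, gain) in plan(SAMPLE, 10, 12, 3).items():
        print(f"{name:16s} {decision:11s} ${gain:,.0f}")
    print(f"Kroger gross: ${gross_routing_saving(132e9, 0.70, 10):,.0f}")
```

With these assumed rates the break-even is visible directly: a segment with a liability shift is worth detokenizing only while fraud exposure plus decline cost stays below the routing saving.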
You wrote that “COF tokenized by network services and held by merchant” is the “majority of tokenized cards” – but are you sure? In my experience I’ve seen the “Tokenized by acquirer and held by merchant” as the lion’s share. Not all PSPs/acquirers/processors support network tokenization and return the true network tokens back to the merchants, and very few merchants have direct integration to VTS/MDES.
Great point Jake.. I held that view as well until I spoke with top 5 processors. There are incentives being created that appeal to mid tier merchants. Top tier merchants ARE NOT tokenizing with networks and proceeding as you outline.