
Cracking Tokenization for BNPL Player Tabby

Feb 20, 2023

Buy Now, Pay Later (BNPL) has taken the e-commerce world by storm in the past few years. Driving a 30% increase in conversions and an 85% rise in average order value, BNPL has earned merchant confidence and customer trust.  

With 97% smartphone penetration, the UAE is one of the most avid adopters of BNPL and contactless payments in the Middle East. Tabby Pay is a leading BNPL platform in the UAE that caters to over two million buyers and 4000 top brands and small businesses. Tabby issues virtual cards which customers can activate and use on the Tabby app for free. Shoppers can add the card to their favorite digital wallet and tap at the POS terminal to divide their payments into installments.

But one key issue plagued Tabby’s operation.  

It was card data security. 

Let us quickly give you more context into the challenge.  

As a tech-savvy population, UAE residents are not fans of using physical cards while shopping. Contactless cards and mobile wallets like Apple Pay are the preferred options for a frictionless payment experience.

In fact, over 80% of consumers in the UAE prefer using iPhones and other Apple services and gadgets over Google and Android. So, when they receive a new card from Tabby, they add it to the Apple wallet on their iPhones to tap and pay using NFC. 

Now, security is a critical concern in this digital era. Even though contactless payments have one of the lowest fraud instances, there is still a fair possibility of card data and sensitive information getting stolen and misused. Data breaches could cost companies millions and billions in losses.  

To avoid these vulnerabilities and to keep cardholder data safe, Tabby enabled tokenization for Google, Android, and Apple wallets. Tabby's payments run on the M2P prepaid stack, and we also handled the responsibility of tokenization for the BNPL player.

What is Tokenization?

Tokenization is a security process that helps protect card data by masking the card account number with a single-use, randomized alphanumeric string of the same length, called a token. Associated with a card, platform, or device, the payment tokens are issued in real time and used during payment, after which they are discarded.

In mobile wallets, a single card can have multiple unique tokens associated with specific shopping channels and issuing banks. Token Service Providers (TSPs) play a significant role in managing the lifecycle of a token via statuses such as requested, active, inactive, suspended, and ended. 

How M2P Cracked Tokenization for Apple Wallet?

M2P acted as the Issuer Token Service Provider (ITSP) and processed the authentication layer for Tabby, which included demographic checks, card authentication, and issuer configuration. Our ITSP solution has been designed to do all the heavy lifting of the tokenization process and makes life simpler for the issuer when it comes to program management, technology, security, compliance, reporting, and token lifecycle management, among many others. Even the rules were made configurable as per issuer convenience.

Handling tokenization protocols for Google and Android wallets is simpler when compared to Apple wallets. The Apple wallet tokenization process is complex and challenging as there are multiple stringent protocols that are difficult to understand and comply with. 

To activate tokenization for prepaid cards, we had to enable seamless integration between the card payment network (Visa), the BNPL player (Tabby), and the digital wallet provider (Apple/Google/Samsung). As backend integrations are our stronghold, we managed the process without hassles. Our existing Visa certification gave us a further edge in managing tokenization with ease.

Here is a glimpse into how tokenization would happen every time a customer adds the Tabby Card to the Pay wallet. 

  • When a customer adds a Tabby card to their Apple/Google/Samsung wallet, the request is sent from Visa’s in-app SDK in the Tabby Mobile Application to the Visa network. For this, all the secure data required for the request is sent as a secure message from M2P to Tabby with a unique message identifier. 
  • Visa, the Token Service Provider, identifies the Bank Identification Number (BIN) from the payload (through their Visa SDK) and sends it to the issuer processor. 
  • M2P, the issuer processor (and also a token service provider), authenticates the card details along with the identity of the cardholder.
  • Then, M2P instructs Visa to issue or not issue tokens. Visa acts in accordance with the instructions and sends the token information to the digital wallet to store.
  • M2P keeps Tabby updated throughout the process, sending a notification for every step involved in token creation.
  • The tokenized cards can now be used by cardholders without their card information getting exposed. 
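
The provisioning flow listed above, as a simplified Python model added here (not M2P's, Visa's or Tabby's code). The class names, the 6-digit BIN routing, the replay check on the message identifier, the numeric token format and the allowed status transitions are assumptions; the card data is constructed.

```python
import secrets
from dataclasses import dataclass, field
# Statuses are the ones named on this page; the allowed transitions are assumed.
TRANSITIONS = {"requested": {"active", "ended"}, "active": {"inactive", "suspended", "ended"},
               "inactive": {"active", "ended"}, "suspended": {"active", "ended"}, "ended": set()}

@dataclass
class IssuerProcessor:
    cards: dict                                         # PAN -> {"expiry", "holder"}
    seen_ids: set = field(default_factory=set)
    notifications: list = field(default_factory=list)   # step-by-step feed to the issuer
    def decide(self, msg_id, pan, expiry, holder):
        card = self.cards.get(pan)
        if msg_id in self.seen_ids:                     # assumed replay check on the message id
            verdict = "declined: duplicate message id"
        elif card is None or card["expiry"] != expiry:
            verdict = "declined: card authentication failed"
        elif card["holder"].casefold() != holder.casefold():
            verdict = "declined: demographic check failed"
        else:
            verdict = "approved"
        self.seen_ids.add(msg_id)
        self.notifications.append((msg_id, verdict))
        return verdict == "approved"

@dataclass
class TokenServiceProvider:
    issuers: dict                                       # BIN (first 6 digits, assumed) -> IssuerProcessor
    vault: dict = field(default_factory=dict)           # token -> {"pan", "wallet", "status"}
    def provision(self, msg_id, pan, expiry, holder, wallet):
        issuer = self.issuers.get(pan[:6])              # route the request by BIN
        if issuer is None or not issuer.decide(msg_id, pan, expiry, holder):
            return None                                 # issuer instructed "do not issue"
        token = pan
        while token == pan or token in self.vault:      # random digits, same length as the PAN
            token = "".join(secrets.choice("0123456789") for _ in pan)
        self.vault[token] = {"pan": pan, "wallet": wallet, "status": "requested"}
        self.set_status(token, "active")
        return token                                    # only the token reaches the wallet
    def set_status(self, token, new_status):
        entry = self.vault[token]
        if new_status not in TRANSITIONS[entry["status"]]:
            raise ValueError(f"{entry['status']} -> {new_status} not allowed")
        entry["status"] = new_status

# Constructed sample data: a test PAN, not a real card.
PAN = "4111111111111111"
issuer = IssuerProcessor({PAN: {"expiry": "12/27", "holder": "A. Example"}})
tsp = TokenServiceProvider({PAN[:6]: issuer})
```

The wallet only ever receives the return value of `provision`; the PAN stays in the token vault, and the `notifications` list is what the issuer would audit for declined or replayed requests.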

The process is done only once, the first time the customer adds the card to any digital wallet or wearable. Once complete, the cardholder can use the card for any purpose with total and seamless control over the card.

M2P's ITSP solution not only makes the tokenization process simpler but also helps Tabby provide Apple and Visa with the necessary reports on all the information required by the latter.
