Seeking to improve the security of digital payments by making card data tokenization operate the same way around the world, EMVCo plans to establish new standards.
EMVCo, a global technical body that establishes standards for chip-based EMV card payments, says it will shift its focus to tokenization to introduce the first draft for new specifications later in 2014.
Tokenization is the process of replacing a card account number with a unique string of characters that is restricted in how it can be used. These tokens can be assigned for use with a specific device, merchant, transaction type or channel.
The new specifications will complement existing EMV specifications to establish a global payments framework that covers mobile phones and tablets as well as personal computers or other smart devices in both card-present and card-not-present ecosystems, EMVCo says.
EMVCo is currently the governing body for the EMV standard. American Express, Discover, JCB, MasterCard, UnionPay and Visa collectively own EMVCo.
"In the same manner that EMV chip specifications have brought fraud protection measures to the card-present space, tokens can provide similar protection in the card-not-present and mobile environments," says Christina Hulka, current chairman of EMVco board of managers.
Even though Target Corp.'s recent data breach brought discussions of security and tokenization to the forefront, EMVCo is not reacting to the Target incident or any other breach, she says.
"It was decided that global specifications were required, as existing tokenization systems are proprietary in nature and are not interoperable," Hulka says. MasterCard, Visa and American Express had already announced a plan to establish tokenization standards in October.
"But the breaches have certainly emphasized the need for a better solution to card data security," says Julie Conroy, a senior analyst and fraud expert with Boston-based Aite Group.
"However, this particular tokenization standard is focused on the online and mobile environment, and tokenization at the point of sale is widely available today," she says. "We just need more merchants to make use of the technology thats out there."
Various other U.S. entities, such as the Secure Remote Payment Council, have wanted more say as migration moves along, Conroy says.
A global specification to address tokenization will provide all stakeholders with a consistent, secure, reliable and interoperable environment for digital payments, Hulka says. In turn, enhanced security can lead to improved consumer confidence when making digital payments, she says.
"It will also increase confidence for merchants when they launch new technologies because they will build on a common framework that will be scalable to future industry requirements," she adds.
EMVCo plans to collect input from its members and the payments industry as a whole, building on the call for industry collaboration proposed by MasterCard, Visa and American Express.
As EMVCo starts the process, a new task force will define the scope and action plan for the tokenization specification, Hulka says.
EMVCo focuses on technical advancement of EMV specifications and is not directly involved in EMV mandates or regional adoption as established through individual payment systems, Hulka says.
EMVCo will work closely with the Payment Card Industry Security Council, which maintains the standard that describes how companies must protect card data.
"The two organizations coordinate on multiple work efforts and tokenization will become another area for alignment and cooperation for the benefit of the payment industry," Hulka says.
New tokenization specifications will help the overall cause for EMV cards, says Al Pascual, senior analyst for Javelin Strategy & Research.
"It makes a better case for EMV, which stops fraud at the point of sale, but the biggest issue has been that card-not-present is not better off," Pascual says. "But a token issued to a phone or mobile device can protect card-not-present."