In the wake of a flood of retail data breaches, the U.S. payments industry is looking to beef up payment card security with tokenization technology, which replaces card data with a secure token.
But what is somewhat up in the air is which tokenization standard issuers and retailers will ultimately use and how such a service would be deployed. The uncertainty has merchants concerned about how the technology will be implemented in the U.S., says Mark Horwedel, CEO of the Merchant Advisory Group.
"They are familiar complaints [from merchants] because they also apply to EMV [smart cards]," Horwedel says. "Tokenization is now a proprietary specification and not an open standard."
A token is a unique string of characters that can be used only in limited situations to enable payments. If a fraudster steals an account number, it can be used anywhere, but a stolen token is nearly worthless.
The Clearing House and EMVCo have both established tokenization standards for issuers to consider. American Express, Discover, JCB, MasterCard, UnionPay and Visa collectively own EMVCo, which establishes operational standards for the use of EMV chip-based smart cards.
"EMVCo has been working on the draft [tokenization] standard proposed back in October of 2013 by Amex, Visa and MasterCard," MasterCard spokesman Seth Eisen says. "When EMVCo introduced that proposal in the market, it was looking for a standard that would work across the globe."
In January, EMVCo announced it was seeking input about the global security standard for tokenization. Two months later, the organization released its tokenization standards for online or mobile payments. It is also working on a tokenization standard for the physical point of sale, Eisen adds.
EMVCo's efforts took place a few months after The Clearing House, which establishes payments systems for the banking industry, released its own tokenization standards.
As such, the card brands sent a clear signal about their preference for the EMVCo standards, says Julie Conroy, senior analyst and fraud expert with Boston-based Aite Group.
"I've spoken with a number of large issuers that are actively coding to these standards and thus far only one is coding to the TCH standard, and the majority are going with the EMVCo standard," Conroy says.
Though some expect The Clearing House to ultimately adopt the EMVCo standard, it is not clear whether any type of collaboration will take place, or whether the two standards will differ in such a way as to give issuers a choice they find beneficial.
The Clearing House, which did not respond to inquiries for this story, has not publicly declared support of the EMVCo standard. MasterCard has not heard of any change in The Clearing House's stance on tokenization standards, Eisen says.
Visa did not respond to inquiries for this story.
Merchants fear that accepting tokenization standards established through EMVCo could lock out other developers or consumer groups that could provide valuable input, the Merchant Advisory Group's Horwedel says.
But merchants likely won't face added fees as a result of issuers' decisions, Conroy says.
"As I understand it, the issuer-side tokenization standard will not cost merchants anything at all," Conroy says. "It's the tokenization services sold by acquirers that merchants need to pay for."
The benefit to the issuer is that the compromise of a token will not force it to reissue any cards, Conroy adds.
However, if merchants want "holistic protection for their own environment," they will need to purchase tokenization services offered by acquirers, Conroy says.
Merchants realize they may not have to pay for tokenization through EMVCo, but they remain "skeptical of any process where competition is limited, it becomes a requirement and it's not an open standard," Horwedel says. "We've been burned plenty of times in the past, and we can see this train wreck coming."
At the moment, the U.S. market is not flooded with tokenization options. As such, it is too early to say which standards organizations are going to gain support from the rest of the payments industry, says Randy Vanderhoof, director of the EMV Migration Forum and executive director of the Smart Card Alliance.
"Certain large financial institutions are capable of setting up their own tokenization networks, since they issue the account PANs and also acquire them for settlement purposes," Vanderhoof says.
Other financial institutions might prefer joining a consortium to operate a semi-private network that they collectively own and operate as a service, he adds.
"Still other issuers just want to subscribe to a tokenization service on a fee-per-use model," Vanderhoof says.
For now, the card brands are not tying tokenization to the EMV liability shift scheduled to take place in October 2015. At that time, the party not capable of handling EMV transactions bears the fraud burden.
"Tokenization can exist with or without EMV and tokenization does not replace EMV," Vanderhoof says.
However, tokenization also benefits magnetic-stripe card issuers and mobile payments providers, Vanderhoof adds.