When cardmaker American Banknote (ABnote) CIO John Ekers discussed his company's Apple Passbook Android clone last week, he observed that "in the last 3-4 weeks, we're getting a lot more interest in limited use keys (LUK)," which is the first element of tokenization.
This would indicate that a lot of merchants may create their own tokenization, just as the PCI Council recently permitted.
As various processors and card brandsespecially Visa, which has aggressively been pushing two different token effortshawk tokenization as a necessary security move, many merchantswith the new greenlight from PCIare wondering what would be the best long-term token strategy: Buy or build?
The problem with "buy" is lockin, which could be quite painful when a major merchant has 100 million of one vendor's tokens lying around and then gets hit with an exorbitant license hike.
"It's a way to lock someone in. It's giving a lot of people some pause right now," Ekers said. "Tokenization requires a lot of effort."
Buildings not necessarily a perfect choice. Beyond the cost, effort and distraction that comes with creating in-house tokenization, it may not be a permanent solution. What happens, for example, if your employer gets acquired by a larger rival a year from now? If both retailers had rolled their own tokens, they yet again have two incompatible token systems.
Aite Group payments analyst Julie Conroy said retailers todaysome of whom have been using some form of tokens "for close to a decade now"are already seeing the lack-of-perfection in tokenization. Whenever a token is converted back to the PAN, it loses all of the protections that tokens promise. "I see a lot of (retailers) where they are unlocking the datathe full PANfor analytical purposes," she said, adding that it's a particular problem for big box retailers who "have security in a siloed basis and they have two different tokens for online/mobile and in-store," which means they can't be compared without being unlocked.
Much of the problem comes to how merchants view the major brands. "Visa and MasterCard have some big trust issues to build with the merchant community," Conroy said.
Its not merely retailers who have reason to be cautious, said Tim Sloane, vice president of payments innovation for Mercator Advisory Group. "Banks have every reason to be concerned regarding lock-in. By implementing the Visa or MasterCard digital services, the banks commit to using those services to both provision and maintain all tokens deployed in mobile and IoT devices, including appliances and cars the number of devices will be huge," Sloane said. "While Visa and MasterCard indicate the digital services are free, I doubt this is a perpetual contractual commitment."
Then there are the manufacturers, Sloane said. "I would point out that the key lock-in is the contractual relationship that Visa and MasterCard establish with the manufacturers. These business relationships make Visa and MasterCard the exclusive provisioning agents," he said. "This limits the number of relationships a manufacturer needs to enable payment, one for every major network. Clearly this also minimizes the effort for the banks as well."
The intra-industry complexities get far messier when the PIN Debit networks (NYCE, STAR, Shazam, etc.) get involved, Sloane said. "Currently all appearances indicate that device manufacturers are excluding all PIN Debit Networks and banks from directly provisioning their devices. This has put PIN Debit Networks in a very difficult position, Sloane said.
Visa and MasterCard provide the PIN Debit Networks a gateway to the tokenization networks they created. This requires a PIN Debit Network notify Visa/MasterCard when they want to provision a token. Visa/MasterCard puts the token in the device, Sloane said. The token is routed from the POS to the PIN Debit Network, which then must deliver the transaction back to Visa/MasterCard in order to have the token converted back to the original card number so it can be authorized by the issuing bank.
This means Visa/MasterCard become aware of all competitive transactions performed on the PIN Debit Networks, which compete with Visa/MasterCard, Sloane said. As you may imagine, many PIN Debit Networks are unhappy about this arrangement."
Richard Crone, president of Crone Consulting, also sees the vendor lock-in, but he calls it more of "a very high barrier to exit.
"In reality, if I am an issuer, you now have dependency on tokenization, Crone said. This is very good for Visa and MasterCard shareholders and it's a very big challenge for the debit networks."
The card brands' "idea is to find a way to make its product as sticky as possible. Anything you can do to keep a client longer," said Thad Peterson, an Aite Group payments analyst. As for rolling their own tokenization, Peterson said most retailers are hesitant to tackle such a project. "Retailers are not in the business of managing transactions and security. They are in the business of selling stuff. That's not going to overcome zenophobia, the need to protect their own data their own way," he said.
A key challenge with grow-your-own can be found in the CIO corporate culture, Peterson said. On an immediate basis, a token deal with Visa solves the problem. The hiccup won't come for a yearand perhaps 2-3 yearsand CIOs tend tounfortunatelynot worry about problems that will likely be the problem of a successor. "Having that kind of vision to anticipate that kind of problem, to change your token provider in 2 or 3 years?" Peterson said. "My guess is that if I am a CIO at retailer X and I am dealing with 55 different priorities, a token platform that is working OK isn't going to make it to the top of the list."
How can merchants protect themselves? First, use the power of negotiation to work out a longer-term agreementsay perhaps 25 yearswith licensing cost increases that are negotiated before the retailer commits. After all, the big fear of lock-in is price increases or other unreasonable demands. The retailer could simply insist in that contract that the vendor will convert all tokens back to the PAN so that the data can more easily be moved to someone else's token approach, Conroy said.
Of course, lock-in has another implication if the retailer uses a startup: What happens if the token vendor goes out of business? Alternatively, what happens if an acquisition places your vendor under the control of a direct competitor and you suddenly don't want them having access to your data? "You need the ability to go in there and get your IP (intellectual property) back," Conroy said.
Sloane offered a concrete operational choice to better protect banks from future uncertainties. "The EMVCo (token) specification operates only on top of the MasterCard and Visa networks, but tokenization will soon be applied to ACH, Bill Pay, P2P and other payment related networks. This suggests that banks should create a system with its own unique internal numbering system that can be used to manage the relationship between an ABA Routing Number and all the different payment networks that need a token, Sloane said. Such a system will prevent the balkanization of payment networks, provide the ability to identify and manage all of the relationships associated with any one DDA and enable a smoother transition if a token supplier must be replaced."