The Secure Remote Payment Council wants a more open process in the development of a standard for tokenization, with the goal of ensuring a single token can be handled by multiple parties to improve security.
Tokenization is a process that replaces sensitive account details with a secure value that can be restricted in how it is used. The Council, which was formed by independent debit networks with an emphasis on e-commerce security, wants a common application programming interface that all parties can access to convert tokens.
However, the Council has taken issue with the approach that EMVCo, the EMV standards body, is taking with tokenization. EMVCo began seeking input on a global standard in early 2014.
"This is virgin territory because tokenization is not widespread in the industry right now," said Paul Tomasofsky, president of the Secure Remote Payment Council. "Let's get this done right the first time."
EMVCo's effort may eclipse an older tokenization project by The Clearing House, which establishes payments systems for the banking industry. The Clearing House has indicated that it might fold its own efforts into those of EMVCo.
"As long as [EMVCo's] framework meets the safety and soundness requirements of consumers, banks and merchants then we would not publish anything separate," said David Fortney, senior vice president at The Clearing House, in an earlier interview with PaymentsSource.
EMVCo did not provide answers to questions from PaymentsSource by deadline, saying every global member needs to vet its response. EMVCo's members are American Express, Discover, JCB, MasterCard, UnionPay and Visa.
The Secure Remote Payment Council wants a tokenization system that works end-to-end, across multiple companies. Like encryption, tokenization operates most securely when the secure data does not have to be converted back to an account number to be processed. The Council also wants support for one-time or limited-use tokens.
An open standard would allow vendors' existing tokenization systems to stay in place, or to make their tokens compatible with the standard when the data moves downstream to a card brand's network.
"If it is not an open standard, then First Data or Heartland and others would have to use the real account number because the other players downstream don't participate in their tokenization system," Tomasofsky said.
An open standard would not mean proprietary systems would go away, but it would allow them to be compatible with other systems, Tomasofsky added. "That's the beauty of an open standard."
Independent networks are competing against the major card networks, so it is natural for them to be concerned about any standards that might stifle that competition, said Nathalie Reinelt, analyst with Boston-based Aite Group.
"It is smart for the payments industry to come up with specifications that make sure everything is secure and there is some continuity in regards to tracking purchasing behavior," Reinelt said. "There are a lot of moving parts, so without any standards, tokenization could become really messed up."
In that regard, the Secure Remote Payment Council is wise to insist on open standards, but someone has to take the lead, Reinelt added. "The greater good outweighs the fear of no competition, and I don't think that this is a competitive advantage to come up with a more open standard as opposed to making sure tokenization is effective," she said.
For their part, merchants remain leery about any edict coming down from the card brands that does not resemble an open standard, Mark Horwedel, CEO of the Merchant Advisory Group, said.
"There is a very high degree of concern about it in all of the associations I have spoken to, if tokenization becomes the domain of just one or two networks," Horwedel said.
The Council prefers that a major standards body in the payments industry, such as the American National Standards Institute or the International Organization for Standardization, govern an open tokenization standard.
The Accredited Standards Committee X9, designated by ANSI to develop financial industry standards in the U.S., has been working on tokenization standards as well.
ASC X9 is concentrating on tokenization that creates zero-value substitutes to replace credit card numbers stored and processed in merchant and processor systems, said Steve Stevens, interim director of X9.
The new standard would extend X9's previous work on point-to-point encryption to cover tokenization, helping merchants and processors "remove live credit card number data from back-end applications," Stevens added.
By comparison, EMVCo and The Clearing House are seeking tokenization standards for payment mechanisms, such as mobile wallets, Stevens said.