The case for an open standard to replace dated payments technology
To free the payments industry from seven decades of standards and legacy operations, the Secure Remote Payment Council is asking more stakeholders to embrace the concept of an open operating standard for security and transaction routing.
The Open Secure Payments Standard is designed to invite more innovation, while also presenting a framework that would support interoperability with existing payments infrastructure.
"We're not saying systems that have been around for 75 years have not changed over time, but the fundamental building blocks of them have stayed the same, with just some patchwork on them," said Paul Tomasofsky, president of the SRPC, an industry trade association promoting debit-based internet, e-commerce and mobile channel payment security that exceeds card-present methods.
The council has its roots as the Debit Network Alliance, a group of independent PIN debit networks that engaged in a years-long debate with the major card brands over EMV debit transaction routing. Three years ago, the SRPC began its push for open standards, focusing on the need for tokenization development to occur through an open market and standard, rather than result in more edicts from the card networks and large processors. It recently published a research document outlining its more wide-ranging open standard proposal.
The Open Secure Payments Standard is an option to accelerate improvement over security options such as Payment Card Industry security standards, EMV, 3-D Secure and others the council says have not kept pace with the capabilities of cybercriminals.
"We know it is painful and it is a big task, but it is time we start developing systems and standards that will be able to take into consideration where we are today and how we authenticate transactions now and in the future," Tomasofsky said.
At its core, the new standard is not suggesting an overriding new technology. Rather, it seeks more of an open marketplace for discussions and implementations of what banks, fintechs and merchants feel works best for them. All stakeholders would agree on the best way to implement and deploy methods ranging from encryption, tokenization, payment account reference or person-to-person and in-app technology.
The council says the key differentiator in its proposed framework would be the ability of an open standard to support numerous transaction message routing methods. In that way, more stakeholders would have a say in how to protect their data and route it to a network of choice.
In addition, bank identification numbers can ride on the existing rails, or alternative and/or direct routing could also use URL tags, routing transit numbers or mobile phone numbers to access the issuer for authorization. The framework also enables direct routing capabilities to access any processor or debit network for authorization, based on the preferred transaction address.
The council also feels implementation of the EMVCo tokenization specification creates issues with debit routing choices, mostly because current implementations of tokenized card-not-present transactions such as in-app, card-on-file, and e-commerce transactions don't allow such choices.
Therein lies a bit of a rub, according to Julie Conroy, research director and fraud expert with Boston-based Aite Group.
"Whenever I see these types of position papers from any organization, I'm looking for the hidden agenda," Conroy said. "The section on tokenization makes it pretty clear what some of the driving motivation is."
However, because fraudsters are rapidly evolving their attacks on the payments infrastructure, there are "certainly opportunities for improvement to our current payment security regime," Conroy said.
"A more nimble approach to evolution, based on open standards, could be one possible path — if it is in fact faster and more nimble," Conroy added. "Standards bodies aren't necessarily known for turning on a dime either."
In that spirit, the council's pitch for the Open Secure Payments Standard simply gets the concept out in the open for discussion.
"It ignites the necessary debate," said David Keenan, senior vice president of card products for technology provider Fiserv Inc. "We are still at the forefront of the digital revolution that will reshape how we search and shop for the next 50 years."
The standard's real power lies in the fact that "it leverages available technology and open standards to envision a better model for long-term security and efficiency of all commerce constitutions," Keenan added.
As planned, it would drive solutions and methods based on market demand and what works best for everyone involved, not just a few. And that might mean the PCI Security Standards Council and EMVCo, both operated and governed through the card brands, would have a shorter shelf life.
"PCI, a proprietary standard, was implemented over a decade ago, but card-based fraud has never been higher," Keenan said. "Open standards represent a proven model for developing the most resilient, robust solutions."
Still, it's a long journey, one in which both Visa and Mastercard could argue they are already fully engaged in as it applies to developing advanced authentication technology and foreseeing the industry's needs. Plus, the card brands have the secure rails, bank networks and coding standards already in place, as well as open platforms for software development.
The Secure Remote Payments Council won't go so far as to say that the card brands and their various organizations and guidelines should ride off into the sunset, but a vision of operating without their security compliance constraints and associated costs is certainly part of the council's pitch.
"This isn't asking the card brands to set all of that guidance aside, but it would work within the construct of the open framework," Tomasofsky said. "PCI tries to take a card number and protect it, and through the open standard we would protect it through encryption, tokenization and a variety of other means so that the personal account number is never known to the bad guys."
If banks, merchants and providers can agree on the methods that work best for them in today's world and implement those methods in an open standard framework, then the need for PCI's oversight and associated costs becomes moot, Tomasofsky added.
An open standard would not derive profit by mandating certifications, nor limit those who offer testing tools and methods, the council's paper states. It would defang the industry's dominant players to enable innovation and interaction.
In that sense, it is taking a page out of the PSD2 directive in Europe that encourages more fintech innovation and data sharing, and forces banks to be more open in accepting it. It's a position designed to deliver better security and lower the costs of transaction routing.