The major card networks operate from a position of strength as among the first movers in providing tokenization, but they must move with the market if they want to hold that position.
Visa, MasterCard and American Express are currently the only token service providers in the payments market through the use of EMVCo specifications, but many issuers and processors are not convinced they want to rely on the networks to provide the service long-term, according to new research from Celent. However, the card networks may get stronger if they can be more flexible in how they package services to clients, the report states.
Tokenization is the process of replacing cardholder data with a unique set of characters, or token, to protect stored data. Over time, more token service providers are likely to surface, creating a more competitive environment for the data security service, said Zil Bareisis, analyst with Celent and author of the tokenization report.
The EMVCo specifications are meant to support numerous token service providers. Given that a token requestor ID calls for an 11-digit numeric value and a unique three-digit Token Service Provider Code, the number of providers could skyrocket if other issuers and processors want to enter that field.
"I do expect more competition in the token service provider market and note, in theory, there could be as many as 1,000 providers in the future," Bareisis said. "In practice, however, I don't see that many any time soon, if ever."
There's good reason to believe that many processors and issuers, particularly smaller ones, would not wish to jump into the deep end of the pool with other token service providers. Tokenization is a complex process in which a payment token is limited to a specific device, merchant, transaction type or channel. Non-payment tokens, used for loyalty program tracking and other programs, are also possible, the report said.
The surrogate value has to look like a card number and pass basic validation rules of an account number, with payment tokens generated with a designated bank identification number [BIN] range, but cannot conflict with a real account number.
Still, issuers and processors are concerned that if every tokenized transaction passes through the networks, the networks will gain visibility into transactions they previously did not, such as those when the issuer and acquirer are the same, the report said.
Plus, debit transactions that would have routed through a competing PIN debit network, an option under the Durbin amendment, will pass through the major networks even if just to handle the token.
The tokenization service from networks may be offered as a free service now, but issuers fear the networks will reintroduce fees when the services become more established. More than a year ago, issuers and merchants were questioning talk of potential digital enablement fees and mobile wallet fees, under which tokenization services could be grouped.
Plus, networks do charge for every transaction they see. An issuer or processor with large transaction volume that previously did not go through the networks could see processing costs rise because of tokenization, the report said.
Tokenization has proven to be a reliable and solid security measure, but does have a few operational quirks to overcome, Bareisis said.
"If the same card is linked to Apple Pay on the phone and on the Apple Watch, and the user does one transaction via the phone and the other via the watch, even the same provider would struggle to realize it's the same customer," Bareisis said.
That's an important distinction, especially for transactions taking place on something like the Transport for London, which needs to aggregate transactions in order to apply daily limits, Bareisis said. During Apple Pay's early deployment in the U.K., this issue led to some commuters being double-billed for individual rides.
"Having said that, we should expect to see more clarity over time in how tokenization will be implemented," Bareisis added.
The Celent report does not touch on merchants' concerns with tokenization as established through EMV standards body EMVCo and operated through the networks.
Much like independent debit networks and some issuers, merchants have been quick to suggest tokenization should be an open standard, not a service managed and operated through the networks.
At its recent conference, the Merchant Advisory Group spoke favorably of the tokenization service provided by the networks because it takes card data out of scope for Payment Card Industry data security compliance.
However, MAG also described tokenization as currently offered as a bad overall process because it does not "entertain input from industry stakeholders."
In addition, the EMVCo specifications for tokenization work only with card brand BINs and not with proprietary solutions, the MAG said.
In general, merchants would prefer tokenization standards being managed by industry standards bodies rather than the card brands.
But the networks' quick move into the market opened the door to support other payments form factors such as mobile wallets, Bareisis said.
"The networks deserve huge credit for stepping into the token service providers role and delivering tokenization," Bareisis said. In making that move, the networks assured that digital services such as Apple Pay, Android Pay and others would become available, Bareisis added.
Apple Pay was the first solution to benefit from the EMVCo tokenization framework, with Apple operating as the token requestor and Visa, MasterCard and American Express acting as token service providers.
While the industry will see more tokenization providers surface, and the debate over management and governing of those services will continue, a more likely scenario is that only the largest issuers, processors and some selected national or regional networks will have the "know-how and appetite to become full in-house token service providers," Bareisis said.
For the time being, the playing field for token service providers is a bit murky, with the major card brands currently serving that role. But it is important that tokenization "brings the card rails into the 21st century" and ensures card-based products will continue to thrive and prosper in any form factor, Bareisis said.