In much the same manner as banks use red dye packs to explode in stacks of stolen money, payment network providers expect tokenization will sabotage any hacker's attempts at data theft.
But both methods come at a clear cost with an unclear effect; tokenization matters most only after a hacker has breached a network's other defenses, and may never prove its worth if a bank or merchant is never targeted. The process replaces account data with a limited-use "token" that can't be used to clone cards if it is stolen.
And as more banks consider tokenization, they must decide whether it is worth the expense or whether like a dye pack their investment will simply disappear in a puff of smoke.
"We may be jumping the gun here with tokenization in thinking everyone wants to put in the technology to avoid fraudulent transactions," said Paul Martaus, a merchant acquirer consultant and industry researcher. "But tokenization doesn't stop the hackers from getting into the network."
In particular, MasterCard is under scrutiny for its planned "digital enablement fees" for the process of converting a PAN to a token for payments from mobile devices that will begin Sept. 1. PaymentsSource has obtained bulletins about these fees that MasterCard recently sent to acquirers, issuers and processors.
"I know the issuers are not happy about the [MasterCard] fees, but it is not without precedent," said Julie Conroy, senior analyst and fraud expert with Boston-based Aite Group. "Equivalent services are being charged for already in Europe."
It is not likely MasterCard would charge such fees if it is the only network to do so, Conroy said.
"I think it is interesting that we haven't seen Visa come out with an equivalent fee schedule," Conroy said. "If other networks do not follow suit, I am not sure a digital fee will stick."
Visa confirmed via e-mail that it has not established or published any type of fee structure for tokenization services. MasterCard did not make an executive available to speak about the fees by deadline.
The MasterCard bulletin to issuers and processors of MasterCard and Maestro/Cirrus cards cites a "Digital Enablement Service Lifecycle Management" fee of 10 cents per PAN to be billed monthly, effective Sept. 1. The card brand will also charge a 50-cent "digitation" fee when a mobile device accepts a token and 2.5 cents when calls go to MasterCard's alternate network application programming interface.
Another digital enablement fee for acquirers takes hold Jan. 5, 2015, for "select cardholder not present transactions" made through payment cards. The fee, to be billed weekly, is set at 1 basis point, or 0.01% of volume.
MasterCard absorbed negative feedback last year about introducing a "staged wallet" fee for digital wallet services.
Acquirers fear that MasterCard is "trying to play both sides against the middle" with tokenization fees, Martaus said. "They want everyone to be more secure and they want to prevent fraud, but if you want this technology, you have to pay for it."
Tokenization fees raise concerns among independent networks and merchants alike. The networks want tokenization to be an open standard managed through a standards organization, and merchants fear any type of fees to acquirers and issuers will trickle down.
"I support MasterCard's right to set prices for its services," said Paul Tomasofsky, president of the Secure Remote Payment Council. "That's the way things work in our economic system."
However, it is best for customers with many alternatives at hand to determine if "the cost of the fees makes sense for them to use the services," Tomasofsky added.
The Secure Remote Payment Council, representing independent payment networks focusing on e-commerce security, has called for tokenization as an open industry standard.
"True open standards governed by an accredited standards body that would enable all payments networks to compete on equal footing is the best approach to tokenization," Tomasofsky said. "Im hopeful we can get there.
Merchants fear "a train wreck coming" if tokenization becomes a monopoly of the card brands, said Mark Horwedel, CEO of the Merchant Advisory Group.
"The brands seldom miss an opportunity to tack on fees to merchants through the merchant acquirers, so why would tokenization be any different?" Horwedel asked.
Merchants have no problem "paying a fair fee for a service," Horwedel added. "It's that we object to fees unilaterally dictated to us in a system that lacks any form of competition."
But the potential for revenue from converting account numbers into tokens for mobile payments will drive what happens next.
"If you connect the dots, one could say this [charging tokenization fees] possibly would be the start of positioning and anticipation of the activation of billions of pre-registered PANs that are stored in existing e-commerce or digital wallet sites," said Richard Crone, chief executive of San Carlos, Calif.-based payments consulting firm Crone Consulting LLC.
As such, a significant revenue stream awaits companies that convert those PANs to digitized tokens to enable transactions through mobile devices at the physical point of sale, Crone said.
It is simply good for business that MasterCard, Visa, Discover, American Express and others "find the high-water mark" for tokenization services and charge fees for them, Crone added.
For MasterCard and others, it's also a race to see which entity best provides tokenization security at a time when American merchants and consumers are weary of data breaches.
"It's essential for MasterCard and other card brands to develop tokenization for mobile because if someone else creates a viable alternative for mobile security, the card brands would be in a world of hurt," Martaus said.