As the payments industry attempts to standardize the process of using a token to replace sensitive data, the end result may still involve several different approaches.
The Accredited Standards Committee X9 Inc., directed by the American National Standards Institute to develop standards for the U.S. financial industry, has been working on tokenization standards for data being stored in a network. This is a different project than the efforts of EMVCo, the EMV standards body, to establish a tokenization standard for card data as part of a payment mechanism, such as a mobile wallet.
"There is nothing that says you can't have a standard for payments tokens and a standard for security tokens," said Steve Stevens, interim director of ASC X9 Inc. "The world is going to have both of them one way or another."
A secure token allows payment companies to improve security by eliminating account data from the payment process. A token, used in place of an account number, can be restricted to a specific merchant or transaction.
X9 has made overtures to EMVCo to see if the two entities can work on open tokenization standards together.
"We told them we are happy to work with them, but their response is that they are not in a position to go down that road [of an open standard] right now," Stevens said. "We are hoping to hear something back and are keeping the lines of communication open."
EMVCo is seeking feedback on the standards it is developing. Its members are American Express, Discover, JCB, MasterCard, UnionPay and Visa.
"As a global technical body, EMVCo ensures that its ISO-based specifications are open for use across different markets and in different environments, and can support a truly interoperable global payments framework," said Sean Conroy, EMVCo board of managers chairman, in an e-mailed statement.
EMVCo is seeking input on tokenization, so the framework document "can evolve in line with commercial and technical market requirements," Conroy said.
Conroy did not address EMVCo's interactions with X9 or whether its tokenization standards would address the concerns raised by other groups.
The EMVCo standards focus on limited-use card numbers that enable a mobile wallet to make payments, Stevens said. "That effort is complementary to, but different from the security tokenization work that is being done by X9 and supported by [the Payment Card Industry security standards council]," he said.
X9 is more concerned with creating "zero-value substitutes" to replace credit card numbers being stored and processed in merchant and processor systems, Stevens said. Generally, a stored card is not being used to initiate transactions, but must be kept for instances in which a card number is needed for a chargeback or for other questions related to charges.
The Secure Remote Payment Council, an organization created by independent debit networks, is similarly concerned about using tokens to secure data throughout the payment process. It has urged an open standard to enable technology vendors to make their tokenization systems compatible with other systems.
The Clearing House, which establishes payments systems for the financial industry, has said it may fold its own standardization efforts into those of EMVCo.
Banks and merchants will have guidance and tokenization options, whether it is a proprietary standard or an open one, Stevens said.