By Jaikumar Vijayan, Computerworld | August 1st, 2014
Tokenization spec being developed by credit card companies is too proprietary, retailers say.
A coalition of retail industry trade groups this week called for the creation of an open tokenization standard for protecting credit and debit card data from theft and misuse.
The call stems from concerns over an effort by credit card companies to develop a method for tokenization that many in the retail sector fear would be too proprietary in nature.
In a letter, the National Retail Federation, Retail Industry Leaders Association, National Restaurant Association, Merchant Advisory Group and several others said an open tokenization standard offered the best approach for protecting payment card data.
“An open, interoperable platform will also ensure merchants can support the technology across multiple providers and make back-end security processes seamless for the customer experience,” the groups said.
A universal method for tokenization will benefit not just the payments industry but also sectors such as the healthcare industry, which also handles huge amounts of sensitive data, they added.
Tokenization is a method for protecting card data by substituting a card’s Primary Account Number (PAN) with a unique, randomly generated sequence of numbers, alphanumeric characters, or a combination of a truncated PAN and a random alphanumeric sequence.
Tokens are randomly generated and are usually the same length and format as the original PAN, so it appears no different than a standard payment card number to back-end transaction processing systems, applications and storage systems. The token acts as a substitute value for the actual PAN and can be used for all transaction-processing purposes but is valueless by itself if stolen.
Security experts consider tokenization a great way to protect credit and debt card data.
EMVCo, an organization created by American Express, Discover, MasterCard, Visa, JCB and UnionPay, and supported by dozens of banks, is developing a tokenization specification for the payments industry.
However, there is concern within the industry about the specification being too proprietary, said Mallory Duncan, general counsel of the NRF.
“We understand there are efforts in the financial sector to develop a proprietary standard that is much more limited and focused purely on financial activity,” Duncan said.
According to Duncan, EMVCo has indicated its willingness to consider ideas and suggestions from all stakeholders in the payment industry. But they have also made it clear that all decisions will be solely their own, he said.
Rather than have EMVCo define a tokenization specification for the entire industry, it’s better to have the effort handled by an accredited standards body, such as the International Standards Organization (ISO) or the American National Standards Institute (ANSI X.9).
The focus should be on developing a technology neutral platform based on broad participation from all stakeholders and that works in multiple payment environments, including e-commerce and mobile commerce, Duncan said.
The Secure Remote Payment Council last week echoed similar sentiments in a position paper it released. The council has “serious concerns” with ongoing developments being put forth by EMVCo and recommends the development of open tokenization standards, the position paper states.
EMVCo has positioned its effort as one that will benefit the entire industry. In comments to Computerworld earlier this year, Christina Hulka, chairwoman of EMVCo’s board of managers, said its tokenization specification will provide all stakeholders with a consistent, secure, reliable and interoperable environment for digital payments.
“For consumers, enhanced security can lead to improved confidence in conducting digital payments. For merchants, this will enable them to confidently launch new technologies, knowing that they are building on a common framework that will be scalable to future industry requirements.”
EMVCo will build the framework with collective input from all its members and the payment industry as a whole, Hulka had noted.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar’s RSS feed. His e-mail address is email@example.com.