The Tug of War Over Tokenization

 

Apple Pay made it famous, but the technology to mask card credentials isn’t new. Now, though, a battle is brewing over standards, fees, and just who gets to do the tokenizing.

In the world of payments, having no value has become very valuable.

The payments industry is quickly evolving into one that prefers to hide its data to make it less attractive to ever-persistent and cunning criminals who reap havoc on merchants, consumers, banks, and payments companies when they break into networks and steal cardholder data.

Known as tokenization, the maneuver swaps out data criminals typically seek—namely the primary account number and expiration date—with a string of characters that represent the card data but bear no relationship to it outside of the token provider’s secured system.

That means merchants can use tokens as stand-ins for cardholder data for transactions as they happen and for recurring payments, such as monthly gym-membership fees. A criminal getting into a system rife with tokens could steal the data but he would not have access to the systems that turn that meaningless data into usable information.

Now, buoyed by prolific media coverage of Apple Inc.’s Apple Pay mobile-payments service and its use of tokenization, interest in the technology is at a high point. Mobile-payments technology, including near-field communication (NFC), digital wallets, and card-on-file practices, have spurred much interest in tokenization.

With that has come scrutiny of the available services and differing opinions about crucial matters such as standardization and control.

Troublesome Affiliation

“What is new about tokenization is the need for interoperable, open standards, and the increasing desire to replace payment card or bank-account numbers with tokens for point-of-sale, online, or mobile payments,” notes the Mobile Payments Industry Working Group in a report released earlier this year. The group’s members come from the Federal Reserve banks of Boston and Atlanta, and private-sector payments and technology firms.

Merchants want a tokenization service, but—given that there is no unified standard—they have to select from a pool of varied choices. That may or may not be an issue later should a standard be adopted and their systems face a data migration.

“In order to provide a solution that issuers, merchants, and processors can utilize on a large scale, there’s a need for a consistent framework for what those tokens are going to look like and rules for how they’re generated and how they’re processed,” says Randy Vanderhoof, executive director at the Smart Card Alliance, a Princeton Junction, N.J.-based trade association. “Right now, there’s a lot of trial-and-error, but very few implementations.”

Payment companies want to sell a service that offers security, but also is easy to implement on their systems and can work with multiple merchants, and in some cases, issuers. From the merchant’s perspective, tokenization presents plusses and minuses.

The battle, however, is that while merchants understand the value of securing their payment systems, they don’t want to relinquish complete control of tokens to issuers and the companies that serve them. Apple Pay, for example, is touted as a good example of how to implement tokenization, says Avivah Litan, a security expert at research firm Gartner Inc. But merchants, aside from Apple, may not like the deep involvement of the card brands in Apple Pay’s tokenization scheme, she says.

“Retailers are tired of Visa and MasterCard calling the shots,” Litan says. “Merchants are tired of investing millions in securing credit card data. They want their own schemes. They want lower prices. They want to control their own destiny.”

Though merchant acquirers and other vendors have long offered tokenization services, it was only in 2014 that Visa and MasterCard launched their tokenization services backed by a specification developed by EMVCo. EMVCo manages the Europay-MasterCard-Visa (EMV) chip card standard and is supported by the card brands and banks.

That affiliation has proved troublesome to merchants.

“I’m afraid the way this is being proposed by the card brands and EMVCo is going to lead to more merchant fees,” says Mark Horwedel, chief executive of the Merchant Advisory Group, a Minneapolis-based association representing merchants’ payments interests.

“Tokenization should really be about security and not another big revenue stream for the networks,” he says. “Security needs to be addressed with the best solutions.”

In July, Horwedel’s organization, along with half a dozen retail organizations—the Food Marketing Institute, NACS (National Association of Convenience Stores), National Grocers Association, National Restaurant Association, National Retail Federation, and the Retail Industry Leaders Association—issued a statement calling for an open and universal tokenization standard. The merchants “strongly encourage” payment stakeholders to incorporate a standards-setting body into their efforts to build a tokenization standard.

Similarly, the Secure Remote Payments Council, whose members include large debit networks, issued a plea last month for an open approach to tokenization. “Standards must be open, enabling all to compete equally,” a press release stated.

“If not developed in an open-standard environment, not everyone can weigh in,” Horwedel says. “Anything that takes sensitive cardholder data out of the transaction processing flow is a good thing. That’s being done today by a number of merchant acquirers and merchants are already paying for this service.”

The issue, as merchants see it, is that the card brands want to make tokenization their domain, he says. “They’re the only ones at present that can act as token-vault providers. That lack of competition will inevitably lead to higher merchant fees.” Token vaults are used to store tokens. They also link the token to a cardholder’s primary account number.

Aiming for Simplicity

A big plus to tokenization is that the payment data are better secured than simply storing them within a password-protected network or in the clear. On the downside are a couple of factors. One is cost and another is that many merchants have built their loyalty and rewards programs around using the payment data as the primary identifier for consumers.

Because a token is substituted for the card’s primary account number, the merchant no longer can use the PAN to identify the consumer.

“This is probably one area where having more than one standard is probably not optimal,” says Cherian Abraham, a mobile-payments and fraud expert at Experian Decision Analytics, a division of Ireland-based Experian Information Solutions Inc. “The market expects consolidation and less ambiguities. Merchants certainly want to see some clarity there.”

If a consumer’s payment card is tokenized, that means the primary account number, or a portion of it, no longer is available to merchants with vast databases of loyalty-program participants.

But consumers are less concerned about that than about knowing that their payment data are secure, especially in an age of frequent breaches, Abraham says. He places the onus on merchants. “The merchants should have been able to leverage some other information to transmit a loyalty token between the customer and the merchant,” he says. “There should have been other methods that were under the merchant’s control, rather than piggybacking on the payment data.”

For its part, EMVCo says its tokenization specification can be applied as a best-practice protocol for non-payment tokens, such as with closed-loop loyalty cards offered by merchants. In the past the “card networks have resisted the idea that the payment instrument can be used as a form of identity. It seems clear from the EMVCo specification that identity—and how identity is tracked—is now a separate data element from the payment token itself,” says Tim Sloane, vice president of payments innovation at Mercator Advisory Group, Maynard, Mass. “This presents an important new opportunity for banks and the networks to become the consumer agent for managing identity credentials, further expanding the benefits of tokenization.”

Other issues for merchants include cost and what tokenization solves for them.

With multiple services to choose from, merchants, many of whom are ready to use tokenization, face a quandary: which one to choose and what that choice might mean for customer-service matters.

“They’re inclined to favor tokenization as a technology because it reduces their PCI [Payment Card Industry data-security standard]  exposure, but it also may mean there’s going to be a new fee for handling tokenized transactions versus non-tokenized transactions,” says Vanderhoof. “They all will agree that getting rid of the PAN is a good thing. But is it going to be replaced by something that’s going to be costly for them, and do they have much input into how that tokenization is going to be developed?”

Current network pricing is restricted to issuers. MasterCard, for example, has a 10-cents-per-PAN fee, billed monthly, for its digital enablement service, along with a 50-cent “digitization” fee each time a mobile device is provisioned with a token, and 2.5 cents for calls to its “alternate network application programming interface.” But MasterCard is waiving token fees for 2015.

Visa has not disclosed the fees for Visa Token Service, but also says it has waived all issuer-related Visa Token Service fees for Apple Pay transactions through the end of 2015. “We are working closely with our clients and partners to ensure the appropriate overall commercial framework for the Visa Token Service, and we expect to implement issuer-related Apple Pay-initiated token transactions pricing in 2016,” a Visa spokeswoman says.

In November, Visa chief executive Charles W. Scharf said the network wants to see tokenization adoption. “The reason why we built [the token service] wasn’t to create a new [revenue] stream,” he said, according to a Seeking Alpha transcript of a Bank of America Merrill Lynch investor conference. “It was to insert ourselves into digital commerce in a way that we and our clients control our destiny, and that’s huge.”

Another issue for merchants is what problems tokenization solves for them.

It’s in the realm of online commerce that tokenization can really pay off for merchants, says Abraham. “Being able to tie together the consumer identity, the payment device, and a token really comes together to drive down fraud for the merchant,” he says. Merchants turning to tokenization would welcome two elements, he says. One is a shift of fraud liability to the issuers from the merchants.

The other enticement is if adoption of tokenization, especially for e-commerce, would bring some interchange relief. “That would truly make the case for merchants,” Abraham says.

Simplicity should be the goal, says Gartner’s Litan. “Merchants have been putting in tokenization for a long time on the card-acceptance side and the merchant-acquiring side,” Litan says. “Some of the processors have been tokenizing their own environment.” This could mean merchants have tokens based on multiple standards to contend with, she says. “The solution is one standardized system, but it’s not that easy to put in unless you get all the issuers agreeing and all the merchants agreeing.”

Panoply of Providers

The card networks aren’t the only providers of tokens. Within the payments industry, tokenization services are also available from processors and data-security firms. Some use standards developed in-house, while others rely on independently developed ones.

Major providers include Cupertino, Calif.-based Voltage Security Inc., Las Vegas-based Shift4 Corp., Atlanta-based First Data Corp., San Jose, Calif.-based Verifone Inc., and Prince­ton, N.J.-based Heartland Payment Systems.

Of course, tokenization services are not new, despite the impression apparently generated by the hoopla surrounding Apple Pay’s use of tokens. Shift4 launched its service in 2005, for example, and First Data in 2010.

In the case of Apple Pay, users will be able to select a payment card from their Passbook wallets and send payment credentials, masked by tokens and one-time cryptograms, to the point of sale. The Visa Token Service and MasterCard Digital Enablement Solutions services are integral elements of Apple Pay.

“The initial implementation is with Apple Pay,” says Brad Greene, senior business leader at Visa in its digital solutions group. He is responsible for the commercialization and rollout of the Visa Token Service.

Similarly, there are competing standards specifying how tokenization should be done. The Visa Token Service incorporates the EMVCo-produced tokenization standard. The U.S. migration to the EMV chip card standard is under way.

Visa “very purposely” built Visa Token Service around the EMVCo tokenization standard, Greene says. “We thought it would simplify things for merchants and processors and issuers.”

In addition to the EMVCo standard, other efforts include those of The Clearing House, a bank-controlled organization that began working on its measure in 2013, the PCI Security Standards Council, and the American National Standards Institute Accredited Standards Committee X9.

‘A Great Start’

Shift4, a payments gateway, says it has created more than 5 billion tokens since 2005.

“What we’ve tried to do for tokenization is solve issues on the very front edge of payments,” says J.D. Oder II, senior vice president for research and development and the company’s chief technology officer. Shift4 handles the tokenization and data storage for its own clients. “That’s important to do,” Oder says. “My core competency is securing and processing cardholder data.”

While Shift4’s model is built on processing via its gateway, payment processor First Data is taking a different tack beginning next year. First Data will update its TransArmor tokenization service in 2015 to make it platform-agnostic, while expanding the number of sales channels it is available through, says Paul Kleinschnitz, First Data senior vice president of cyber-security solutions.

Launched in 2010, TransArmor provides merchants a way to mask sensitive cardholder data by replacing it with a string of characters, called a token, that bear no resemblance to the original data. If stolen, the token is meaningless without access to the technology to decode it. First Data has produced almost 4 billion tokens, he says.

“We will be able to serve those merchants with dual acquiring relationships or with no acquiring relationships,” Kleinschnitz says. That means merchants won’t have to be First Data payment-processing clients. “The intent really is to get [TransArmor] outside of acquiring dependencies,” Kleinschnitz says.

That will make the processor’s tokenization scheme available to more retailers. It is part of a trend that appears to be growing. “It’s an idea whose time has come,” says Terence Spies, chief technology officer at Voltage. “Or maybe an idea whose time should have come a little earlier.” Spies also is chairman of the X9F1 subcommittee that maintains the X9 Registry of Approved Security Standards and Standard Techniques, which contains standards and techniques developed outside of X9, but now approved for X9 use.

“There’s probably a wider proliferation of standards than would be perfect,” Spies says. Within X9, an open standard is highly valued, but it must enable people to contribute and exchange information about it, he says. Spies calls the EMVCo tokenization specification a “great start.”

Various groups will interact with that specification. “Standards efforts are never done,” he says. “We’ll see other standards groups get involved in contributing with some of that effort,” Spies says. “The EMVCo standard is the primary effort right now, but that may not be the way things play out in the future.”

Acquirer Merchant Warehouse appreciates efforts to agree upon tokenization standards, says Marc Castrechini, vice president of product management at the Boston-based payments company. “What’s most important is that people are doing it and doing it correctly,” Castrechini says of tokenization. Merchant Warehouse offers a tokenization service for payments and one for securing non-payment data. “We need to accommodate all those schemes,” he says.

That is partly why he is excited about the dialog surrounding tokenization. “It’s almost like the early days of encryption,” he says. “You’re seeing the conversation approaching the appropriate parties,” including The Clearing House, EMVCo, and the PCI Security Standards Council.

The payments industry is headed on the path toward some sort of unified tokenization specification, but Castrechini is uncertain if that will happen.

He can see that merchants would like it. Merchants would have an easier time understanding a unified tokenization standard, he says. With disparate tokenization programs, some providers may be less inclined to share the underlying structure. “That’s where the standardization is missing,” Castrechini says.

How soon might this future arrive? It is hard to know. As Abraham says, “We’re still a long way in terms of having a unified specification. The merchants haven’t been fully involved in this.”

Inside Visa’s Token Machine

Visa Inc.’s tokenization service is meant to protect data in transit more fully than sevices that traditionally masked stored payment data, says Brad Greene, senior business leader at Visa in its digital solutions group. “What we’ve done is built a service around the payment-token standard,” he says. “It’s really around tokenization of account credentials as they move around the payment ecosystem.”

Visa’s service is set up to meet the needs of card issuers and other organizations that request tokens, Greene says. Token requestors might be mobile-device manufacturers, app developers, or e-commerce merchants, he says. “They have a relationship with a consumer who happens to be a Visa cardholder. They want the consumer to think about it as a digital account number to protect their actual account number,” Greene says.

On the operational side, that token requestor supplies information to Visa about the use case that it can share with the card issuer, Greene says. “Visa reaches out to the card issuers, gets their approval to generate the token, and then provides it back to the token requestor,” he says. “When we see it come through we’re able to de-tokenize it and apply validation logic to it, and pass the authorization request back up the issuer.” Following the authorization response, Visa reapplies the token protocol and sends the transaction back to the acquirer, and ultimately to the merchant.

Diving deeper into how the authorization step works with tokenized transactions in the Visa scheme, Greene explains that each transaction that passes through Visa’s network receives a risk score.

And any messages associated with that token, such as whether it’s assigned to an NFC payment or an e-commerce transaction, is passed along to the issuer, too. “When we see the authorization message come through we look in the database to see what the intended purpose of the token is,” Greene says. “Then we validate if the domain matches the intended purpose. We pass along the information to the issuer and identify whether the domain is valid for the token and the transaction.”

Tokens are secured by a cryptogram, which is part of the EMV chip card standard, too. “Whether it’s a chip on the plastic card or in a mobile phone, that logic generates a cryptogram for each transaction and it uses a key for the issuer,” Greene says. “The key is only verifiable by Visa or the issuer’s host system.”