Friday, March 29, 2024

The PCI Council Sets Security Rules for Token Service Providers as their Role Grows

Mobile payments, and the security issues that come with them, are expanding demand for so-called token service providers (TSPs), and the PCI Security Standards Council has issued rules intended to keep the tokenization environment safe.

The Wakefield, Mass.-based PCI Council in December quietly released a 92-page document titled, “Additional Security Requirements and Assessment Procedures for Token Service Providers (EMV Payment Tokens), Version 1.0.” The new requirements supplement what’s already in the Payment Card Industry data-security standard (PCI DSS), the main set of security rules for card-accepting merchants and processors, and other PCI Council documents addressing security practices involving tokenization.

Tokens are quickly taking on a more important role with the growth of EMV chip cards and especially mobile payments. With tokenization, a surrogate string of digits replaces a credit or debit card's primary account number (PAN), typically 16 digits long. A stolen PAN is all a criminal needs to commit card fraud; a stolen payment token, by contrast, is of little use to a fraudster, because it is bound to the device or channel for which it was issued and cannot be exchanged for the PAN anywhere else.

The generation and management of tokens is a booming and complicated industry. Today, card networks such as Visa Inc., MasterCard Inc., and American Express Co. serve as the primary TSPs. But payments-industry executives and researchers expect the number of TSPs to grow now that EMVCo, the network-controlled standards body overseeing the EMV chip card standard, has issued a specification that will enable more companies to become TSPs. The EMVCo spec defines technical requirements for handling payment-token requests, and the provisioning and processing of such tokens.

In addition, TSP functions can be divided up, which means more companies will be involved. At the moment, however, probably only about a dozen companies would be directly affected by the new TSP requirements, according to Troy Leach, the PCI Council’s chief technology officer.

“In the way we developed the standard, we were identifying entities beyond the card networks themselves,” Leach tells Digital Transactions News. “In a lot of cases, we anticipate entities that will be token service providers, or they would provide a certain function of the TSP requirement.”

The PCI Council says it consulted with EMVCo so that its TSP requirements work with EMVCo’s standard, the goal being to protect the computer and communications environments in which TSPs operate. Leach adds that the council took input from processors, merchants, and other entities as it developed the requirements, but so far hasn’t received much reaction. “I would expect that we will probably get more feedback in the spring,” he says, noting that the process of developing PCI DSS version 3.2 will be under way by then.

There are various types of tokens, but the new PCI rules apply to only a certain kind—the “payment token” created by an EMVCo-registered TSP, issued to a cardholder in lieu of a PAN, and presented to the merchant when the cardholder makes a purchase. An example would be a consumer using an iPhone enabled for the Apple Pay service to buy lunch at McDonald’s.

The rules do not apply to two other types of tokens not generated by TSPs. One is the “acquirer token” created by a merchant acquirer, the merchant itself, or a processor. Acquirer tokens are proprietary tools typically used for card-on-file purposes, such as dispute resolution and chargebacks, and recurring payments.

“We recognized that some organizations have already invested in taking the PAN and creating acquirer tokens,” says Leach. “The TSP is really for the focus on mobile, so we can successfully and securely have mobile-payment transactions. The security eliminates the value that would be on the phone.”

The second is the “issuer token,” which, as the name suggests, comes from the card issuer and functions as a virtual card number used for specific consumer and commercial card purposes. Issuer tokens resemble PANs, so much so that acquirers and merchants may not even realize they’re dealing with a token, according to a PCI Council document.

Nor, according to Leach, do the TSP requirements affect another new spec coming from EMVCo, this one called the Payment Account Reference, or PAR. The purpose of the PAR is to link all the various tokens associated with a single PAN back to that one account without exposing the PAN itself.

The PAR has no value in making a payment, according to Leach. “We are not planning any requirements [for PARs]; our focus will be on where sensitive data can be re-used for fraud,” he says.
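The properties the article leans on, that a payment token stands in for the PAN, is only honoured in the domain it was issued for, and that a PAR ties several tokens to one PAN without being usable to pay, can be made concrete with a small token vault. The following is an added illustration written for this page; it is not PCI Council, EMVCo or any TSP's code. The token BIN range, the PAR derivation (a keyed hash of the PAN, rather than the real EMVCo PAR format), the `TokenVault` class and its method names, and the sample PAN are all assumptions made for the example.

```python
"""Toy EMV-style token service provider (TSP) vault.

Added illustration for this article, not PCI Council or EMVCo code.
Assumptions: TOKEN_BIN is a made-up token range, PAR_KEY is a vault-only
key generated at start-up, and par_for() is an illustrative PAR derivation
(EMVCo's actual PAR format is not reproduced here).
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

TOKEN_BIN = "490000"               # assumed dedicated token range (not a real BIN)
PAR_KEY = secrets.token_bytes(32)  # constructed vault-only key for PAR derivation


def luhn_check_digit(payload: str) -> str:
    """Luhn check digit for `payload`, so payload + digit passes luhn_valid()."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:  # rightmost payload digit is doubled once the check digit is appended
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    """True if `number` is all digits and its last digit is the Luhn check digit."""
    return number.isdigit() and len(number) > 1 and luhn_check_digit(number[:-1]) == number[-1]


@dataclass(frozen=True)
class TokenRecord:
    pan: str
    requestor_id: str  # who asked for the token, e.g. a wallet provider
    domain: str        # where it may be presented, e.g. "contactless" or "ecommerce"
    par: str


class TokenVault:
    """Maps payment tokens to PANs; the mapping never leaves the vault."""

    def __init__(self) -> None:
        self._by_token: Dict[str, TokenRecord] = {}

    @staticmethod
    def par_for(pan: str) -> str:
        # Illustrative PAR: a keyed hash, so every token for one PAN shares a PAR
        # while the PAR reveals nothing about the PAN and is not a card number.
        mac = hmac.new(PAR_KEY, pan.encode(), hashlib.sha256).hexdigest()
        return "PAR" + mac[:26].upper()

    def issue_token(self, pan: str, requestor_id: str, domain: str) -> str:
        """Provision a fresh 16-digit token bound to one requestor and one domain."""
        if not (len(pan) == 16 and luhn_valid(pan)):
            raise ValueError("not a well-formed PAN")
        while True:
            body = TOKEN_BIN + "".join(secrets.choice("0123456789") for _ in range(9))
            token = body + luhn_check_digit(body)  # looks like a card number to legacy systems
            if token not in self._by_token and token != pan:
                break
        self._by_token[token] = TokenRecord(pan, requestor_id, domain, self.par_for(pan))
        return token

    def detokenize(self, token: str, requestor_id: str, domain: str) -> Optional[str]:
        """Return the PAN only when the token is presented in the domain it was issued for."""
        rec = self._by_token.get(token)
        if rec is None or rec.requestor_id != requestor_id or rec.domain != domain:
            return None  # unknown token, or a token replayed outside its domain
        return rec.pan

    def par_of_token(self, token: str) -> Optional[str]:
        rec = self._by_token.get(token)
        return rec.par if rec else None


if __name__ == "__main__":
    vault = TokenVault()
    pan = "4111111111111111"  # constructed sample PAN
    phone_token = vault.issue_token(pan, "wallet-A", "contactless")
    web_token = vault.issue_token(pan, "wallet-B", "ecommerce")
    print("tokens:", phone_token, web_token)
    print("in-domain:", vault.detokenize(phone_token, "wallet-A", "contactless"))
    print("replayed online:", vault.detokenize(phone_token, "wallet-A", "ecommerce"))
    print("same PAR:", vault.par_of_token(phone_token) == vault.par_of_token(web_token))
```

The second `detokenize` call in the demo is the case the article describes: a token lifted from a phone and replayed through a different channel yields nothing, whereas the PAN it replaced would have been reusable anywhere. The PAR, by contrast, matches across both tokens but is rejected by `detokenize`, which is why Leach describes it as having no value in making a payment.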
