Friday , December 13, 2024

COMMENTARY: Why Merchants Should Embrace Network Tokenization

If you know anything about the payment space these days, you know that the natives are restless. Merchants have been fed up with interchange rates for years, with no shortage of lawsuits to voice their complaints. Even after winning the right to pass on interchange costs to the consumer, merchants remain fervent in their battle to reduce their cost of acceptance.

The merchant community’s latest complaint is network tokenization, the industry’s next paradigm in payment-data security. But what the networks see as a significant gain in protection for merchants and consumers alike, merchant communities see as just another revenue grab from the dominant forces in payments.

At its core, interchange pricing is based on risk. Fraud occurs when somebody’s card number gets into the wrong hands. Rather than using technology to protect an account number, the strategy behind tokenization is to render the account number itself worthless.

Gray: “The gold at the end of the network-token rainbow seems lofty, but it’s achievable.”

Tokenization has been around for decades. Like many other technologies a merchant may use to keep its operations functioning, tokens come from a third-party, usually the merchant’s payment gateway. Known as vault providers, these services allow the merchant to safely store benign tokens, rather than sensitive card numbers, for recurring use. This greatly reduces PCI scope for the merchant, while shifting liability upstream to the merchant’s gateway/vault provider. When tokens are issued by the network itself, liability shifts up again, to the networks and their issuing banks.  

In the world of payment security, obfuscation strategies are far from new. The ACH network is a good example. The routing and account numbers that identify banks and their consumers are alone not enough for a fraudster to move money. They’d need a merchant identity and other factors all aligned before they could perform a fraudulent transaction. Yet, even in today’s world of encryption, EMV, and AI-driven fraud controls, a card number and expiration date are often all a savvy bad guy needs to commit fraud.

Two-factor authentication is a similar proven approach. The PIN-debit world relies on authentication that follows a simple theme: something you have (the card) and something you know (the PIN). Unless you’re a blabbermouth, it’s far more difficult for the fraudster to get your PIN than to get a physical card. Without the PIN, the card is worthless. And if you’re looking for evidence that less fraud equals lower interchange rates, just look at regulated debit rates. Senator Durbin certainly gets it.

As a next stage of the grand plan, Visa announced in April of 2022 a 10-basis-point reduction in interchange for card-not-present transactions using a network token. Some card-present rates were also lowered, reflecting the benefits of encryption and network tokenization used with EMV. Vaulted tokenization rates were raised in several qualification levels, adding further incentives for merchants to use network tokenization.

After being forced to upgrade hardware for the EMV migration, merchants should be pleased that network tokens require no new integration requirements in their own environments. They can reduce their cost of acceptance simply by choosing a gateway or front-end processor that supports network tokenization.

To be fair, there are legitimate concerns about network tokenization. Mastercard recently settled a lawsuit after it used network tokenization to enforce exclusivity, ultimately breaking Durbin Amendment rules by not allowing multiple network options. Mastercard was supporting network tokens, but only its tokens.

The gold at the end of the network-token rainbow seems lofty, but it’s achievable. The endgame is a world where card numbers are obsolete, consumer-account fraud plummets, and interchange rates go down accordingly. Isn’t that what the merchants want after all?

—Cliff Gray is a senior associate at TSG, a payments advisory firm.

Check Also

Visa Direct Will Define Real Time As One Minute—Or Less

Visa Inc.’s move to speed up its Visa Direct service to no more than one …

Digital Transactions