Fearing that security worries could hinder mobile payments and other digital-payments channels, a handful of major banks are building a server-based switch that will mask consumers’ banking information when they perform transactions.
Tentatively called Secure Cloud, the so-called thin switch is under construction at The Clearing House Payments Co. LLC, a New York City-based processor that operates the country’s only private-sector switch for automated clearing house transactions and an image-exchange network for checks. TCH is owned by 22 financial institutions, including a number of money-center banks.
TCH, which announced the project on Monday, says it expects to start a pilot for Secure Cloud by the fourth quarter that will likely run until next summer. The pilot will embrace third-party wallets as well as banks and processors. The company won’t discuss participating banks, but top executives at Bank of America Corp., BB&T Co., Citigroup Inc., and U.S. Bancorp were quoted in Monday’s announcement and are close to the project. U.S. Bancorp’s Elavon subsidiary, for example, will serve as an acquirer, TCH confirms.
“We’re just beginning engagement with other processors, acquirers, and aggregators,” Jeff Williams, vice president for digital payments product development at TCH, tells Digital Transactions News.
Secure Cloud, which TCH is touting as an open standard for the payments industry, will replace mobile-wallet users’ card and other account information with randomly generated, one-time tokens, or strings of digits. These will be passed on by merchants and merchant processors to acquiring banks, which through the Secure Cloud switch will retrieve from issuers the account data behind the tokens and process transactions as they normally do with card networks and issuing banks. Issuers will maintain the token database in a so-called bank issuer vault.
These tokens “are all that will be stored in the wallet,” says Williams. “Wallet providers and merchants will never have the real credentials.”
In this way, the Secure Cloud standard is seen as a way to combat data breaches and resulting fraud by substituting information that would be useless to hackers. Concerns about such fraud have spread as mobile payments have begun to pick up volume. While mobile-wallet volume in physical stores amounted to just $500,000 last year, that number will balloon to $44 billion by 2017, according to researcher Berg Insight.
“As that [activity] grows, we want to make sure it grows in a safe and sound manner,” observes Williams, adding that TCH member banks began talking more than a year ago about what became Secure Cloud, with efforts accelerating about six months ago.
Still, while the new standard is initially aimed at mobile payments, it could be used with other forms of electronic payment, such as PC-based e-commerce, Williams says.
Secure Cloud “makes a lot of sense,” says Julie Conroy, a research director at Aite Group LLC who follows payments security. “Breaches are only intensifying, so we need to get the data off merchant servers and keep it in the hands of people who are accustomed to securing data.”
While some observers might question why the initiative is being led by TCH rather than, for example, one of the major-brand card networks—given that most wallet-based transactions are linked to cards–Conroy chalks it up to a “competitive play” by the TCH banks. “The banks look at some of the things Visa [Inc.] and MasterCard [Inc.] are doing, now that they’re no longer owned by the banks, and they’re saying, ‘We want a piece of that, too.’”
Both MasterCard, which went public in 2006, and Visa, which followed suit two years later, have developed tokenization technologies, Conroy points out. But she adds that wallets will hold demand-deposit account data, as well, which can be linked to ACH transactions, a specialty of TCH. “Wallets will hold more than card data,” she says.
TCH will not comment on pricing plans or other commercial elements for Secure Cloud. The timing of a commercial rollout, indeed, depends on what the company learns from the pilot, Williams says.
Even the name could change. “Secure Cloud,” Williams stresses, is an informal piece of nomenclature TCH has used internally. “You can call it a thin switch,” he says.