Ulf Mattsson, Chief Technology Officer, Protegrity: Multiple Tokenization Schemes Meet the Merchant
March 2015 by Ulf Mattsson, CTO, Protegrity Corporation
Tokenization is used to solve many different problems, which explains why several tokenization models exist. Merchants who tokenize their card data need to map the different token schemes to each other. A merchant that runs a proprietary tokenization system and also accepts Apple Pay or other EMV token payments will store multiple tokens for the same card number. This conflicts with one of the main reasons merchants adopted tokenization in the first place. An open standard for tokenization can be a solution to this problem. An open and universal tokenization standard can also help ensure that sensitive personal information beyond payment card account-level data is more adequately secured across other US commerce channels.
Current Tokenization Standards Initiatives
Tokenization is currently being defined as a standard within ANSI X9. X9 is responsible for the industry standards for financial cryptography and data protection, including payment card PIN management, credit and debit card encryption, and related technologies and processes. The PCI Council has also stated support for tokenization as a way to reduce risk in data breaches when it is combined with other technologies such as Point-to-Point Encryption (P2PE) and with assessments of compliance with PCI DSS guidelines. Visa Inc. released Visa Tokenization Best Practices for the use of tokenization in credit and debit card handling applications and services. In March 2014, EMVCo LLC released its first payment tokenization specification for EMV.
EMVCo Payment Tokenization Framework
In October 2013, MasterCard, Visa and American Express proposed a new standard for digital payments. The purpose of the standard was to provide detailed technical specifications for an interoperable payment tokenization solution benefiting Acquirers, Merchants, Issuers, and Cardholders. The initial version of the specification was published in March 2014. The standard will be managed by EMVCo, the global organization that oversees EMV specifications. EMVCo is a payment industry standards-setting organization operated by MasterCard, Visa, American Express and other payment networks. EMVCo seeks to facilitate interoperability and to develop more secure payment technologies while maintaining compatibility with the existing payment infrastructure. The standard aims to build a more secure, interoperable system for replacing card account numbers when conducting commerce across various devices, channels and types of merchants. The tokens would also provide a foundation for enabling proximity payments at the physical point of sale without secure elements. The move by the major payment networks to standardize tokens has broad implications for how mobile commerce, including NFC payments, will be rolled out.
A Need for a Broader Tokenization Standard
EMV tokens are based on different protocols than the tokenization systems merchants use, which may create incompatible token implementations. There are no industry standards for tokenization as there are for encryption. This means that each vendor's product has its own protocols and can be hard to replace with another product.
An open standard for tokenization can be a solution to this problem, but it may take several years to form a nonproprietary, interoperable, open tokenization standard for payment cards. The Food Marketing Institute, Merchant Advisory Group, National Association of Convenience Stores, National Grocers Association, National Restaurant Association, National Retail Federation, and Retail Industry Leaders Association have come together to call for the creation of a set of open standards for tokenized payments that would be managed by an independent body such as ISO or ANSI, rather than by the payments industry. An open and universal tokenization standard will also help ensure that sensitive personal information beyond payment card account-level data is more adequately secured across other US commerce channels. Tokenization will also be a valuable tool for securing data in other aspects of commerce, such as age verification identity checks, and the storage and transmission of electronic health records and pharmacy prescriptions. Ensuring an open standards process for the development of tokenization technology will result in a final standard appropriate for aspects of US commerce beyond payments, one that can be integrated more easily and efficiently into all hardware and software business environments.
Evaluating Tokenization Solutions for Merchants
Consider using tokenization products and hosting the tokenization server on-premises, either to meet performance and architectural requirements or to tokenize personally identifiable information (PII) and other sensitive information. Performance, scalability and collision avoidance are important aspects for organizations with large or decentralized operations. Ensure that a given payment card number consistently produces the same token value and that two different card numbers never produce the same token (no collisions). Some tokenization products require a highly available master database or replicated databases. Other approaches are based on static mapping tables that can operate in a distributed network without a need for replication between tokenization servers. Tokenization implementations must be secure and should be evaluated by at least two independent experts. Organizations that already manage encryption products have the skills needed to operate tokenization, and tokenization can be a cost-effective alternative or complement to existing encryption solutions.
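The evaluation criteria above (consistent tokens, no collisions, static tables that need no run-time replication) can be checked concretely. The following is an added illustration, not Protegrity's product or any vendor's scheme: digit permutation tables are derived once from a secret seed and installed on every server, so any server maps a given card number to the same format-preserving token, and the mapping is a bijection, so distinct card numbers cannot collide. The seed, the chaining rule and the clear-text BIN/last-four layout are assumptions for the example; the substitution itself is a teaching simplification, not a production design.

```python
"""Deterministic, collision-free tokenization from static lookup tables.

Constructed example: tables are derived from a seed once and shared with every
tokenization server, so distributed servers agree on tokens without a shared
vault. The chained substitution is a teaching simplification only.
"""
import hashlib

DIGITS = "0123456789"
SEED = b"constructed-demo-seed"  # placeholder; a real deployment keeps this in an HSM


def build_tables(seed: bytes, positions: int = 16) -> list[str]:
    """One digit permutation per PAN position, derived deterministically."""
    tables = []
    for pos in range(positions):
        digits = list(DIGITS)
        h = hashlib.sha256(seed + pos.to_bytes(2, "big")).digest()
        for i in range(9, 0, -1):  # Fisher-Yates shuffle driven by hash bytes
            j = h[i] % (i + 1)
            digits[i], digits[j] = digits[j], digits[i]
        tables.append("".join(digits))
    return tables


TABLES = build_tables(SEED)


def tokenize(pan: str, tables=TABLES, keep_head: int = 6, keep_tail: int = 4) -> str:
    """Replace the middle digits; BIN and last four stay in the clear."""
    if not (pan.isdigit() and len(pan) == len(tables)):
        raise ValueError("PAN must be all digits and match the table length")
    out = list(pan)
    prev = 0
    for i in range(keep_head, len(pan) - keep_tail):
        # Chaining: the lookup depends on the previous token digit, so equal
        # clear digits do not always produce equal token digits.
        out[i] = tables[i][(int(pan[i]) + prev) % 10]
        prev = int(out[i])
    return "".join(out)


def detokenize(token: str, tables=TABLES, keep_head: int = 6, keep_tail: int = 4) -> str:
    """Invert the bijection; needs only the same static tables."""
    out = list(token)
    prev = 0
    for i in range(keep_head, len(token) - keep_tail):
        out[i] = str((tables[i].index(token[i]) - prev) % 10)
        prev = int(token[i])
    return "".join(out)
```

Because the middle digits are mapped by a bijection, a collision between two distinct card numbers is impossible by construction, and a second server given the same seed produces identical tokens with no replication traffic.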