Banks push for tokenization standard to secure credit card payments

Tokenization addresses gaps in EMV smartcard standard, says indsutry group

A group representing 22 of the world's largest banks is pushing for broad adoption in the U.S. of payment card technology called tokenization, citing shortcomings in the planned migration to the Europay MasterCard Visa (EMV) smartcard standard over the next two years.

The Clearing House Payments Company (TCH), whose owners include Bank of America, Citibank, Capital One and JP Morgan Chase, is working with member banks to see how tokenization can be applied to online and mobile payment environments to protect against fraud.

The effort stems from what the group says is the need to address gaps in the EMV standard involving mobile and online transactions.

"EMV has been out there for close to 20 years" and has served its purpose well, said Dave Fortney, senior vice president, product development and management for The Clearing House.

Debit and credit cards based on the EMV technology use an embedded microchip, instead of a magnetic stripe, to store data and are considered almost impossible to clone for fraudulent purposes. Though the rest of the world moved to the technology years ago, the U.S. has lagged behind for a variety of reasons.

However, after the recent Target breach that exposed data on 40 million debit and credit cards, calls to adopt the standard in the U.S. have become more strident. MasterCard and Visa have said they want merchants and banks to be ready to start accepting EMV cards by October 2015.

While the planned migration has its benefits, EMV is not quite the panacea that many assume it is, Fortney said. "The downside with EMV is that it was created when there was no Internet, no online commerce, no smartphones and no tablets."

While EMV is great for securing card transactions at point-of-sale terminals, it is less useful for online payments and other card-not-present transactions. That is one of the major reasons why payment card fraud has migrated from point-of-sale systems to online channels in Europe and other places that have already adopted EMV.

Payment card tokenization is one way to address this gap, Fortney noted.

Tokenization is a method for protecting card data by substituting a card's Primary Account Number (PAN) with a unique, randomly generated sequence of numbers, alphanumeric characters, or a combination of a truncated PAN and a random alphanumeric sequence.

The token is usually the same length and format as the original PAN, so it appears no different than a standard payment card number to back-end transaction processing systems, applications and storage.

The random sequence, or "token," acts as a substitute value for the actual PAN while a transaction is processed or while the data is at rest inside a retailer's systems. The token can be reversed to its true associated PAN value at any time with the right decryption keys. Tokens can be either single use tokens or multi-use tokens.

Tokenization eliminates the need for merchants, e-commerce sites and operators of mobile wallets to store sensitive payment card data on their networks, said Fortney.

With tokenization, credit and debit card data is encrypted at the point where it is captured and sent to the merchant's payment processor where the data is decrypted and the transaction is authorized. The processor then issues a token representing the entire transaction back to the retailer while the actual card number itself is securely stored in a virtual vault.

The retailer can use the token to keep track of the transaction and handle refunds, returns, exchanges and other transactions. The token itself would be of little value to data thieves because there would be no way to link the token back to the PAN without the decryption key.

Customers would do nothing different when paying for purchases using a credit or debit card. The card data is encrypted when the card is swiped through the payment terminal, sent to the processor where it is decrypted for transaction approval processes, and a token issued to the merchant all without the customer experiencing anything different.

Tokenization can also be implemented on-premise with the merchant itself hosting the server that does the decryption and token issuance.

Tokenization also offers a great way to secure emerging mobile payment applications, Fortney said. A mobile wallet operator like PayPal or Google could use the approach to store one-time use tokens in a consumer's virtual wallet rather than actual credit and debit card numbers. Consumers could use the tokens to make purchases like they would with an actual payment card while merchants would be able to complete a transaction without touching or storing actual PAN data, he said.

One major advantage with tokenization is that it does not require merchants to make major changes to their current payment acceptance systems, like EMV does, Fortney said. Tokens are formatted in the same manner as card information so merchants have to make relatively minimal changes to their payment systems, he said.

The real heavy lifting would happen at the banks, or other entities that store PAN data, generate tokens and keep track of them through the entire transaction chain.

Tokenization is not new. The Payment Card Industry Security Council, which administers a set of security standards for payment systems, recommends it as an approach for reducing the work that companies have to do to become PCI compliant.

A growing number of retailers already use tokenization as a way to reduce PCI scope, and several vendors sell tokenization products and services.

The Clearing House effort is aimed at fostering standards that everyone in the payment industry can use to implement tokenization in a consistent manner, Fortney said. "Our desire is to have an open standard across the whole industry," he said.

The Clearing House is not the only organization looking at tokenization.

Following the Target breach, EMVCo, an entity owned by American Express, MasterCard, Visa and three other credit card brands, also announced plans to develop a tokenization standard for securing credit and debit card payments made via mobile handsets, tablet computers and online channels.

EMVCo did not respond to multiple Computerworld requests for comment on their effort. But a press release from January said the new specification would complement the existing EMV smartcard specifications that all merchants and banks are required to migrate to by the end of next year.

EMVCo's specification will describe a "consistent approach to identify and verify the valid use of a token during payment processing including authorization, capture, clearing and settlement," the statement noted.

The biggest benefit with tokenization is that it helps merchants remove payment card numbers from systems that don't need it, said Terrence Spies, chief technology officer at Voltage Security, a provider of encryption and other data masking technologies.

Since tokenization is done in a central way, only a small portion of the network knows how to generate and reverse a token. As a result, it is easier for banks and other third parties to protect that process, Spies said. He is also chairman of the cryptographic tools group at the X9 standards body responsible for developing cryptographic standards for the financial services industry.

Like EMVCo and The Clearing House, the X9 standards body is working on developing tokenization standards for the U.S. payment industry, Spies said. The X9 effort is focused on developing standard definitions for tokenization and for the processes for generating and validating tokens, he said. "There's a lot of energy being putting into getting tokenization right," Spies said.

This article, Banks push for token standard to secure credit card payments, was originally published at Computerworld.com.

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed. His e-mail address is jvijayan@computerworld.com.

See more by Jaikumar Vijayan on Computerworld.com.

Read more about data security in Computerworld's Data Security Topic Center.

Tags visaCitibankTargetCapitamobile paymentsFinancial ITCapital One

Show Comments