The Green Sheet Online Edition
February 11, 2019 • Issue 19:02:01
Getting everyone on board with tokenization
Security needs to be priority one in payments. The challenge is getting all stakeholders in the matter on board with that imperative. I was reminded of this last month during a panel discussion at the Northeast Acquirers Association annual conference. The panel, which included representatives of Mastercard, Visa, me and another industry reporter, was discussing the benefits of tokenization. And one panelist described how difficult it is to explain tokenization to friends and acquaintances. Most otherwise intelligent people just don't get it, he related.
It got me to thinking: how should the industry position tokenization (or any card security protocol for that matter) so that everybody gets it – merchants and consumers, alike? It may be time to dumb down our terminology on security to more clearly convey its essence. Perhaps we, as an industry, can come up with a new moniker for tokenization. A phrase I've been toying with is "data masking." But I'm open to other ideas.
My concern is that if we don't begin to educate merchants and consumers about tokenization, someone else will do it for us, and that almost never ends well. For example, twenty years ago few people outside the card business understood the concept of interchange. Then someone in the merchant community came up with the phrase "swipe fee," and retailing groups embarked on a massive lobbying campaign to convince consumers and lawmakers that something needed to be done about swipe fees.
What followed was a long-running debate over the cost of card acceptance and a partial legislative remedy in the form of the Durbin Amendment to the Dodd-Frank Act. I'm referring, of course, to mandated caps on debit card interchange.
While the mandate was accompanied by promises that lower interchange would result in lower prices paid by consumers, that never really happened. In fact, a study published in 2012 by the Federal Reserve Bank of Richmond revealed that debit interchange actually rose on small-ticket items in the years immediately after debit interchange was capped. "In response, many small-ticket merchants have tried to offset their higher rates by raising prices, encouraging customers to pay with alternative payment means, or dropping card payments altogether," a Richmond Fed economist wrote.
Fortunately, card data security is not an "us versus them" proposition. (Except, perhaps, that it helps the good guys fend off fraudsters.)
Tokenization, the basics
Like the shift to chip cards, tokenization aims to prevent fraudsters from accessing card account information and creating bogus replacements. However, whereas chip cards protect data on cards used at brick-and-mortar stores, tokenization is intended primarily to protect card data in digital commerce environments. With tokenization, online purchases can maintain card information on file without risking that information getting compromised in breaches.
In a nutshell, tokenization protects a customer's card account number by replacing it with an algorithmically generated number, or token. The tokens then are used to process payments, and the corresponding account numbers are held in secure token vaults, which can be accessed by merchants and their acquiring partners on an as-needed basis. They also help to prevent service disruptions since card information is automatically updated when new/replacement cards are issued. This is a big deal considering half of all online shippers save credit card information on multiple ecommerce sites, according to Mastercard. Securing card data with tokenization diminishes the hassles of merchant compliance with the Payment Card Industry (PCI) security standards, since merchants are not storing customer card information, and card information passing through their POS devices, because it is masked, is of no value to fraudsters.
The idea of "masking" card account information is not new. Banks have been doing it for years. The most obvious example is encryption, which scrambles sensitive information for unscrambling by processors or other authorized parties in possession of special cryptographic keys. To work optimally, tokenization needs to be paired with point-to-point encryption (P2PE), the first time a customer's card is swiped, tapped or keyed in.
"P2PE and tokenization are the one-two punch of data devaluation," said Ruston Miles, co-founder and chief strategy officer at Bluefin. "Thousands of merchants have used this very combination to reduce their PCI compliance security requirements by up to 90 percent, going from 300 required security controls down to 30."
Card brands making headway
For tokenization to live up to its potential, it cannot be a one-off proposition. "All stakeholders need to embrace this," Vidor Datt, vice president, emerging payment solution sales at Mastercard, said during the NEAA panel discussion. Tom Sheridan, senior account executive at Visa, concurred. "It's not just about one party. It's up to all of us," he said.
Visa has been touting tokenization since 2014, when it launched the Visa Token Service. In 2017, Netflix became the first company to begin using the Visa service to protect cards on file, and last year the two firms expanded the service to all 19 countries where Netflix operates.
"As the Visa Token Service and associated frameworks continue to scale, we believe low risk, trusted merchants, like Netflix, can realized authorization approval rates and customer experience on par with the face-to-face environment," Vickie Gonzalez, global head of payments at Netflix, said in a statement.
Mastercard also has been actively pushing tokenization. It said it is working with several leading security payment services companies – including Adyen, BlueSnap, Stripe, Square and Worldpay – to deliver tokenization to thousands of retailers. It is also working with leading issuers to convert cards on file to tokens. Last fall, the company said it aims to enable token services on all Mastercard-branded cards by 2020.
Visa stated it is working with at least 60 acquirers and gateways to support credential-on-file tokenization for those firms' merchant clients in at least 40 markets. In addition to several of the companies Mastercard is working with, Visa also is working with Braintree, Checkout.com, CyberSource, Elavon and PayPal. "This opens up a world of possibilities for our merchants and partners to further evolve and innovate in digital payments," Ansar Ansari, senior vice president for digital payment products at Visa, said of the company's tokenization partnerships.
Clearly, the card brands, acquirers and issuers are on board with tokenization. Getting merchants and consumers on board, however, will require education, and maybe a change in nomenclature. Let's make it simple, so everyone gets it.
Patti Murphy is senior editor at The Green Sheet and president of ProScribes Inc. Follow her on Twitter @GS_PayMaven.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.