The Clearing House Payments Co. LLC, which last summer announced its effort to tokenize payment card numbers, is now mulling a related system that would similarly mask sensitive consumer information related to automated clearing house transactions, and may have a proposal ready by year’s end.
“It’s something we’ve spent a lot of time on,” David Fortney, a senior vice president at the New York City-based company, told attendees at an electronic-payments conference Monday. Speaking later to Digital Transactions News, Fortney said TCH has had preliminary conversations with member banks, adding the effort is in its early stages. “It’s not baked yet,” he says. “We’re exploring the concept. We’d love to announce something by the end of the year.”
News of the ACH tokenization effort comes nine months after the company, which is owned by 22 financial institutions including money-center banks, disclosed it was developing a server-based switch that will replace consumers’ card numbers in any particular transaction with so-called tokens. These are randomly generated, single-use numbers that can be used by banks and merchants to track transactions but are useless to data thieves. Originally called Secure Cloud, the system is now known as Secure Token Exchange.
What TCH now proposes to do is to similarly mask consumers’ bank account numbers and banks’ routing numbers with tokens in any given ACH transaction. “The ACH has the same fundamental problem [as the card networks] because of the static account number,” Fortney told the audience of bankers attending Payments2014, an annual conference sponsored by NACHA, the governing body of the ACH. “But it’s even worse because it’s your bank-account number. It’s not as easy as re-issuing a card to re-issue a bank account [after a breach].”
TCH, which is one of only two ACH operators, or central switches, for the ACH and also runs a major image-exchange network for checks, will likely adopt a “format-preserving” token for ACH numbers, Fortney said. These are strings of digits that ape the length of the actual number but are randomly determined, so they can’t be linked to the actual number.
A tokenized card number, for example, might contain 16 digits, as does the original, and might even contain the actual last four digits. With format-preserving tokens, the replacements “would look like a routing number and account number.” Fortney said, easing processing for bank systems accustomed to handling the real things.
The ACH token could also be either static or dynamic, he said. A merchant taking recurring payments, for example, might want to opt for static tokens. As for dynamic tokens, these could be either single-use or limited-time use, according to Fortney.
This isn’t the first time the ACH has looked into the notion of tokenizing data. Indeed, in 2002 TCH introduced codes that mask routing and account numbers for commercial payments. The tokens, created under a protocol known as the Universal Payment Identification Code (UPIC), apply to ACH credits only, meaning payments intended by a payor to pay another party. They have also not been extended to consumer payments, though TCH spoke of doing this as early as 2007.