Tokens, that is, tokens for securing electronic payments, almost became a household word two weeks ago when Apple Inc. introduced Apple Pay, a mobile-payments service that will rely heavily on tokens when it launches next month. The concept of tokenization, however, has been around for quite some time in the payments industry. Now a public-private group concerned with advancing mobile payments says industry players need to agree on standards and coordinate several different tokenization solutions floating around the industry.
“The security of mobile payments has always been a top concern and one of the main barriers to widespread adoption of certain mobile- and digital-payment technologies,” Marianne Crowe, vice president of payment strategies at the Federal Reserve Bank of Boston and chairperson of the Mobile Payments Industry Workgroup (MPIW), said in a statement. “With the recent introductions of new platforms that use tokenization technologies, including Apple Pay, we are even more convinced of the need to evaluate the optimal approach to tokenization and determine how the payments industry can better coordinate efforts to protect consumers and businesses alike.”
The MPIW, whose members come from the Boston Fed, the Federal Reserve Bank of Atlanta, and private-sector payments and technology firms, this week released a summary of a meeting it held in June. At that meeting, according to an MPIW statement, the panel “found that developments in tokenization should instill confidence in a payments environment challenged by frequent data breaches and other payments fraud activity, but some hurdles to broad industry adoption of tokenization remain, particularly around standards and coordination of the different solutions.”
The MPIW defines tokenization “as the process of randomly generating a substitute value to replace sensitive information. When used in financial transactions, tokens can replace payment credentials—such as a bank account or credit/debit card numbers.” Removing these sensitive credentials from payment transactions can greatly increase data security. But, reflecting other fissures in the payments industry, tokenization is becoming a battleground of competing proposals.
For example, models under development include those from EMVCo, which is controlled by the payment card networks, and The Clearing House, which is controlled by banks. Other proposals have come from PCI Security Standards Council and the Accredited Standards Committee X9.
In a statement summarizing the June meeting, the MPIW said “members noted the challenges to developing common standards for tokenization, especially given the variety of models under development…as well as the lack of consistent terminology around tokenization.” The MPIW plans to address these issues through a newly-formed tokenization subgroup.
The report lists nine key considerations for tokens. Among them are static versus dynamic tokens; tiering of tokens by venue and use; the prevention of fraudulently created tokens; how tokens affect payments infrastructure and interoperability; and the role of tokenization in host card emulation, a newer variant of near-field communication (NFC) technology that has attracted some support by mobile-wallet developers.
The full meeting summary can be accessed here.