By John Stewart
As dramatic as their joint tokenization announcement was on Tuesday, key officials with Visa Inc., MasterCard Inc., and American Express Co. cautioned on Wednesday against far-reaching industry speculation about how the announcement might affect or relate to other standards, including near-field communication (NFC) and the Europay-MasterCard-Visa (EMV) chip card specifications.
Speaking to Digital Transactions News in a conference call, the network executives stressed that their proposal for a new standard is narrowly intended to safeguard card credentials whenever a consumer uses a digital device rather than the physical card itself to conduct a transaction. “I don’t think any of us is trying to shape the future,” said Jim McCarthy, global head of innovation and strategic partnerships at Visa.
The executives also acknowledged that similar work under way at The Clearing House, a New York City-based processor owned by 22 major financial institutions, reflects a widespread concern among issuers about the potential for fraud stemming from stolen credentials. And they said that while the three networks plan to develop a tokenization standard that will ultimately be submitted to a governing standards body, they don’t intend to set up a separate network-controlled organization to manage the standard, in the manner, for example, that EMVCo manages the EMV standard. Nor do they have a specific timetable for the new standard’s development.
Reaction to Tuesday’s announcement has been swift and largely favorable, the executives said. “The feedback across the industry has been tremendous,” said Ed McLaughlin, chief emerging payments officer at MasterCard.
Expert observers say on balance the proposal is a welcome development. “I think the sentiment behind this announcement is encouraging, i.e., the recognition that digital commerce is a very attractive target for fraudsters,” says Julie Conroy, a senior analyst who follows security at the Aite Group, Boston, in an email message. “As with any broad changes to the payment systems, the devil will be in the details, and in this case there are a lot of details to think through. That said, the right players are at the table driving this.”
The three networks, whose systems collectively traffic the bulk of card-based transactions worldwide, propose a standard calling for a so-called token, essentially a string of digital code, to replace the primary account number tied to a credit or debit card when a consumer buys something at the point of sale using a smart phone or tablet or performs an online transaction. This card credential has been a favorite target of fraudsters, who can combine it with the card’s expiration date to commit online fraud. The token, by contrast, would be useless to criminals.
That vulnerability worries card issuers, leading in part to the decision at The Clearing House this summer to work on a server-based tokenization system tentatively called Secure Cloud. The Clearing House, which operates a major image-exchange network as well as a switch for the automated clearing house network, is controlled by some of the country’s biggest banks, institutions that are also clients of Visa, MasterCard, and, in some cases, AmEx.
“We recognize our clients are very concerned with how their credentials are being used,” said McCarthy.
He, McLaughlin, and Mike Matan, head of global network business at AmEx, say the network-led token initiative will work with the Secure Cloud project in developing a standard. “We want to incorporate the best ideas,” said McCarthy. For its part, The Clearing Houses says it stands ready to cooperate. “We have had productive dialog with [the networks],” David Fortney, senior vice president and product development manager for TCH, tells Digital Transactions News in a separate interview.
Besides pressure from client banks, the networks were also spurred to move on tokenization before e-commerce and mobile-commerce volumes grew large enough to create a huge fraud potential. “We’ve all seen the same thing, increased interest in digital payments,” said Matan. “It makes sense to work together now before volumes increase.”
Monday’s announcement was dramatic in that, while token technology has been available for some time, this is the first time the nation’s three largest card networks have cooperated to develop a standard for it. The trio of network executives, however, stop shy of making the announcement out to be anything more than the “framework” for a standard that will specify a way to use tokens to flow data into the card networks. That method, they argue, could be deployed within any number of digital communication technologies, including quick-response codes and NFC, a short-range communication standard used with some mobile-payments deployments.
“NFC will be an example of how [a transaction could be conducted],” said McLaughlin. “There will be lots of ‘hows.’”