EMVCo, the international standards body for chip cards based on the EMV specification, is fast-tracking a specification for card-number tokenization in the wake of recently disclosed data breaches at major retailers, including the theft of card and other information on 110 million customers of Target Corp.
The chip card organization expects to have a so-called tokenization architecture document ready in four weeks and a first draft of the specification done by June, the director of operations for EMVCo revealed on Wednesday at a payments conference in Salt Lake City, Utah.
“For us, that’s rocket-ship speed,” Brian Byrne, the EMVCo executive, told the audience at the Payments Summit, sponsored by the Princeton Junction, N.J.-based Smart Card Alliance, a trade group concerned with the Europay-MasterCard-Visa chip card standard and efforts to implement it in the U.S.
Speaking to Digital Transactions News, Byrne indicates concerns at the card networks have heightened EMVCo’s sense of urgency regarding card tokens. “It’s an extremely high priority at the card networks since the [news about the] Target [breach],” he says.
Tokenization replaces the primary account number, or PAN, involved in a card transaction with a string of digits that can be re-associated with that PAN by the card issuer for authorization and other purposes but is otherwise useless to hackers. Unlike the case with encryption, tokens are not derived mathematically from information associated with the card.
While tokenization is not new, EMVCo’s approach to the concept will mark a departure from common practice, Byrne said. The new spec will mask PANs as they flow through network pipelines for authorization and settlement, rather than while they are stored by retailers or other organizations. Typically, tokenization is regarded as a method of protecting data “at rest,” that is, stored data. “We are purposely not looking at data at rest,” Byrne tells Digital Transactions News.
“With our model, if a merchant is compromised, its exposure is substantially minimized,” he told the Salt Lake audience.
The new spec also represents a turning point for EMVCo, a 15-year-old organization that up to now has concerned itself with specifications for chip card infrastructure. “We no longer refer to ourselves as a chip specification company,” Byrne said. “We’re a payments-security body.” As an international standards body, EMVCo is uniquely positioned to draft a tokenization specification that can have worldwide application, he added. “We want a solution out of the gate that addresses international interoperability,” he told the audience.
EMVCo’s tokenization effort comes just months after American Express Co., MasterCard Inc., and Visa Inc. announced last fall they are working on a common token standard for card credentials used with digital devices.
Founded by Europay, MasterCard, and Visa, EMVCo has since added four other owners (Europay was absorbed by MasterCard in 2002): American Express, Discover Financial Services, JCB, and UnionPay. Its original EMV specification is now in version 4.3.