No doubt merchants and the payments industry understand the value of removing valuable cardholder data from merchant payment systems via tokenization. Doing so, however, may complicate merchants' data-security practices and carry costs, suggests Avivah Litan, vice president and analyst at advisory firm Gartner Inc., in a blog post.
Tokenization replaces the actual primary account number (PAN) with a string of data that has no discernible relationship to its antecedent. Tokenization has captured attention thanks to its inclusion in the high-profile debut of Apple Pay, Apple Inc.’s mobile-payment service, which relies on tokenization provided by Visa Inc. and MasterCard Inc.
The dilemma, as posited by Litan, is that many merchants use other tokenization services, such as those offered by payment processors, acquirers, and gateways, which have no access to the actual card number tokenized in Apple Pay.
A merchant may need to get the actual card number so it can create a token for use within its system. There is no easy way to map a tokenized card to another tokenized card, so many merchants must find a way to get the actual card number, Litan says. These tokens are used to make recurring payments and are kept as cards on file in the consumer’s account.
In the case of Apple Pay, a token is created that mimics the actual card number. But the numbering system used to create these tokens, which are based on a specification developed by EMVCo, the standards body for Europay-MasterCard-Visa (EMV) chip-card transactions, has not been released by either Visa or MasterCard, Litan says in her post.
“[T]his system collides with the merchant or acquirer-based tokenization systems the merchants have spent so much money on over the past years in order to secure card data and limit the scope of their PCI [Payment Card Industry data-security standard] audits,” she says.
The issue is alleviated somewhat if the merchant’s processor is connected to the card networks or participating issuers, Litan says. Presumably, these relationships could aid the situation. “It’s a problem that no one has really thought through,” she says.
As a for-instance, an organization in the payment chain could securely produce the actual PAN for a fee for the merchant to use to create its own token, Litan says. Merchants that use a tokenization service without those connections likely could pay for that access, too, she says.
But she doubts any service that maps a token to the actual card number will come cheap. “What’s going to happen is the card networks or processors are going to make money selling translation services to merchants,” Litan tells Digital Transactions News. “They will have to have a way to identify an EMV token and some way to get back to the card number.”
The fix may be a mapping table, Litan says. “Someone, likely the acquiring processor or even the card brands, is going to have to provide merchants with a tablet that maps their token numbers to the card issuers’ token numbers,” she says. “This doesn’t bode well for on-premises solutions unless they can be tied directly somehow into these monstrous mapping tables.”
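The mapping problem described above can be sketched in a few lines. This is an added illustration, not code from the article, Gartner, or any card network: two independent toy vaults tokenize the same PAN, and only a party able to detokenize the network token can produce a row of the mapping table. The `TokenVault` class, the `can_resolve` and `translate` functions, and the test PAN are assumptions; real EMVCo token formats are not modelled.

```python
import secrets

class TokenVault:
    """Toy vault (hypothetical): random 16-digit tokens, mapping held only inside."""

    def __init__(self, name):
        self.name = name
        self._by_pan = {}
        self._by_token = {}

    def tokenize(self, pan):
        if pan in self._by_pan:              # same PAN always maps to one token
            return self._by_pan[pan]
        while True:
            # Token looks like a card number but is not derived from the PAN.
            token = "".join(secrets.choice("0123456789") for _ in range(16))
            if token != pan and token not in self._by_token:
                break
        self._by_pan[pan] = token
        self._by_token[token] = pan
        return token

    def detokenize(self, token):
        return self._by_token[token]         # KeyError if this vault never issued it


def can_resolve(vault, token):
    """True only if the vault itself issued the token."""
    try:
        vault.detokenize(token)
        return True
    except KeyError:
        return False


def translate(network_vault, merchant_vault, network_token):
    """Translation service: needs access to the network vault to recover the PAN,
    then returns one row of the token-to-token mapping table."""
    pan = network_vault.detokenize(network_token)
    return {"network_token": network_token,
            "merchant_token": merchant_vault.tokenize(pan)}


if __name__ == "__main__":
    pan = "4111111111111111"                 # constructed test PAN, not a real card
    network = TokenVault("network")
    merchant = TokenVault("merchant")
    nt = network.tokenize(pan)
    print("merchant can resolve network token:", can_resolve(merchant, nt))
    print("mapping row:", translate(network, merchant, nt))
```

The merchant vault alone cannot resolve the network token; the mapping row exists only once a party holding the network vault takes part.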
For more on tokenization, look for the December issue of Digital Transactions magazine next week.