The scale and consequences of the recent high-profile data breaches are key drivers for PCI tokenization proposals. In the last week we have seen a couple of announcements calling for the creation of standards for card data tokenization to enhance the protection of payment card transactions. First, we heard this appeal from a coalition of retail industry trade groups, including the National Retail Federation, Retail Industry Leaders Association, National Restaurant Association, Merchant Advisory Group and several others, in an open letter to the industry. Then the SRPc, a national association of EFT networks, made the call for the development of open standards around tokenization.
EMVCo published its technology framework for tokenization earlier this year (March 2014). It is the first published “standard” for the protection of sensitive payment card data using tokenization. Apparently, the organizations mentioned above do not believe that the EMVCo implementation is either sufficiently “open” or sufficiently comprehensive to deal with all payment transactions. They specifically mention that the EMVCo standard does not cover “card not present” transactions.
Some of the criticisms of the EMVCo framework identified in these communications are valid: static tokens are proposed, and card not present transactions are not specifically addressed in the EMVCo technology framework. Both of these calls seem particularly concerned about the proprietary nature of this payment-brand-centric organization setting the tokenization standards. They call for an “open” standard set by the ANSI and ISO standards-setting bodies.
However, at present, the only financial industry standards work around tokenization is occurring in the ANSI X.9 (Banking) group (specifically X9.119 – Part 2). This work is at a very early stage and no document is yet ready for review. Expectations are that this group is at least 12 – 18 months from completing a tokenization standard for sensitive card data that is ready for an approval ballot. I am not aware of any similar work ongoing at the ISO level and can find no evidence of it on the ISO web site documenting its various committees’ activities.
So, given the expected timeframe before an ANSI X.9 specification is available, should the industry delay implementation of the EMVCo framework because it is not sufficiently comprehensive? I think it depends on your perspective of which threats can reasonably be projected, and prevented, by the EMVCo implementation now, before a more comprehensive implementation arrives perhaps two years from now. Moreover, this must be considered not only in the context of the card data breaches we have seen recently, but also of the new types of financial transactions, like mobile payments, which are growing rapidly.
The financial payments industry has historically taken a layered approach to dealing with new threats to secure transactions. Card security codes, PINs, EMV, the ISO 8583 data format and now tokenization have all evolved as these threats changed. Adding additional capabilities for tokenization down the road should not prevent us from starting implementation today with what we can protect. EMVCo, ANSI and ISO are all concerned with assuring that international interoperability in payment cards is preserved in any proposed implementation.