September 24, 2014
The Mobile Payments Industry Workgroup (MPIW), convened in January 2010 by the Federal Reserve Banks of Boston and Atlanta through their Payment Strategies and Retail Payments Risk Forum groups, comprises a select set of key players in the mobile payments ecosystem in the United States. The workgroup sees need for interoperable standards as well as common terminology in the area of developments around tokenization.
In a summary of a June meeting released yesterday by the Federal Reserve Bank of Boston, the Mobile Payments Industry Workgroup (MPIW) found that developments in tokenization should instil confidence in a payments environment challenged by frequent data breaches and other payments fraud activity, but some hurdles to broad industry adoption of tokenization remain, particularly around standards and coordination of the different solutions.
According to the MPIW, payment tokenization is defined as the process of randomly generating a substitute value to replace sensitive information. When used in financial transactions, tokens can replace payment credentials—such as a bank account or credit/debit card numbers. Removing these sensitive credentials from the transaction flow improves the security of the payment and is a key benefit of tokenization.
The security of mobile payments has always been a top concern and one of the main barriers to widespread adoption of certain mobile and digital payment technologies, said Marianne Crowe, vice president of Payment Strategies at the Federal Reserve Bank of Boston and chair of the MPIW.
With the recent introductions of new platforms that use tokenization technologies including ApplePay, we are even more convinced of the need to evaluate the optimal approach to tokenization and determine how the payments industry can better coordinate efforts to protect consumers and businesses alike.
Among the additional benefits the MPIW identified in the adoption of tokenization for payments is the ability to limit the spread of cardholder data throughout a business or enterprise, the issuer’s ability to turn off a token and reissue a new one within seconds should fraud occur, and the inability to reverse tokens back to original values (for example, to reveal credit card or bank account numbers).
While tokenization is not a new concept, emerging proximity and remote payment types have accelerated the demand for payment-related token usage, according to the group’s findings.
What is new about tokenization is the need for interoperable, open standards, and the increasing desire to replace payment card or bank account numbers with tokens for point-of-sale, online, or mobile payments, said Susan Pandy, co-author of the meeting summary and director of Payment Strategies at the Federal Reserve Bank of Boston.
In the report, MPIW members noted the challenges to developing common standards for tokenization, especially given the variety of models under development (among them: EMVCo, The Clearing House, the Payment Card Industry Security Standards Council, and the Accredited Standards Committee X9) as well as the lack of consistent terminology around tokenization. The MPIW intends to further investigate these challenges as part of a newly-formed tokenization subgroup.
The report finds that tokenization can solve a number of problems with respect to mobile and electronic payment adoption; hence the need for a number of tokenization models. EMVCo, The Clearing House, and card networks, for instance, are focused exclusively on payments, while others—such as the Payment Card Industry Security Standards Council and the Accredited Standards Committee X9—are designed to protect stored card data or data at rest. The subgroup will focus on the payment tokenization models and will assess issues related to the use of static versus dynamic tokens, how to prevent creation of fraudulent tokens, use of token risk assurance levels, as well as impacts to infrastructure, interoperability, and consumer usability.
The subgroup will also conduct a multi-stakeholder assessment that will include mobile payments industry perspectives on the challenges and opportunities surrounding payment tokenization initiatives. Deliverables will include a comparison and gap analysis of the current models, and recommendations for possible solutions to address the gaps.
We wrote a lot about tokenization in 2013 highlighting its importance.