/bryan-194x2212d15a7a6-5b0d-46ca-8c9e-94ea096185f2.png?sfvrsn=20a2994b_5)
A lot has been written about tokenization since the first big data breach in 2013. The focus today is to talk about the challenges with tokens and how merchants can affect change.
Tokens were initially used by merchants to secure stored card data, making it harder for cybercriminals to steal consumers’ card information. There is no disputing that masking card information and limiting where the information is stored is very important in the world we live in today. This affords your customers’ data is protected. But tokens continue to evolve beyond card data storage, so we need to make sure the processes around tokenization continue to evolve.
Tokenization has evolved over the years, but the solutions have been largely created in a vacuum. Some tokens are used for storage only, others are used between limited endpoints within the transaction lifecycle, and some solutions provide end-to-end tokenization of the card data. The various solutions do not work together easily and implementation of tokenization is generally costly and very complex for merchants. The current solutions are one or a mix of:
- Network Tokenization – a solution provided by the global networks on their cards (or cards of networks that have reciprocal agreements). These tokens are transactable and in most cases, carry additional security features in the form of a cryptogram.
- Merchant Tokens – a solution that is merchant-specific and is maintained by the merchant. These tokens are not transactable and require the merchant send the PAN (payment account number) to the acquirer/processor.
- Acquirer Tokens – a solution provided by acquirers that allows the merchant to keep the PAN out of their network and only have a non-transactable token to identify the payment.
The trouble is each of these solutions solves the problem of taking Primary Account Numbers (PANs) out of the environment, but they do not work well together. Merchants are required to bear the cost of multiple implementations and maintenance which is generally unsustainable. So as a payments system, how do we solve this problem and what will drive competition?
There have been benefits from tokens. Some tokens provide ways to improve authorization rates because of the additional security features. Tokens with additional security identifiers gives issuers higher assurance of cardholder participation and, in turn, better authorization rates. Merchants would like to explore other uses of tokens that also provide lower costs along with improved authorization rates.
With the growth of Card Not Present (CNP) transactions and increased use of debit cards, tokenization has proven challenging in the space. Originally not all card brands would allow CNP debit transactions be routed to an alternative network, causing regulators to step in. Network tokens for CNP transactions routed to alternative networks do not include the additional security information (commonly called “cryptogram validation”). Not validating the token’s cryptogram is likely to decrease authorization rates, since the issuer will not have visibility to the security elements inherent with the network token. To preserve authorization rates, merchants’ routing options are limited. Tokenization should allow for merchant routing while improving authorization rates and reduce fraud.
MAG is taking steps to improve tokenization and address these problems. How are we doing it? We have partnered with the Secure Remote Payments Council (SRPc) in creating a Tokenization Working Group. The working group is made up of merchants, debit networks, and processors. The members of the working group will work to explore the various tokenization options that exist in the eco-system today, with a goal of identifying a tokenization solution that will meet the needs of all participants in the payments system. The work group is planning to meet over the next several months to analyze the market and existing solutions and determine the feasibility of each solution. Once the work group has completed their review, they will make a recommendation on a path forward to support a solution that meets the needs of all parties engaged in the transaction lifecycle.
It is my hope that in the next year, I will be writing about a token solution that was created with the involvement of merchants and meets the needs of all parties in the system to improve authorization rates and reduce fraud while preserving merchant routing rights. If you are interested in getting involved in the MAG’s Tokenization Community of Practice or the SRPc’s Tokenization Working Group, please reach out to me.