We might be forgiven for thinking that tokens have been the Rodney Dangerfield of the payments business, but that label is changing fast. Tokens have been used in the payments business for years, mostly in the back room where they have been a preferred tool for securing customer information for merchants who require a more assured method for handling exception items. Since last summer, however, we’ve seen a number of efforts designed to move token functionality to the front end of payment transactions, culminating with EMVCo’s draft payment tokenization framework release the week of March 10th (a full draft tokenization specification is promised for June 2014). The Clearing House, EMVCo, MasterCard, VISA and major banks are all moving quickly to use tokens in place of long-standard account identifiers to help reduce the risk associated with data breaches, and that’s a welcome development.
So what, exactly, is a token? Tokens are simply surrogate values that can be used in place of specific information that for one reason or another is best kept private. In the payments business, tokens are rapidly becoming a preferred tool to increase the security of individual transactions where they will be used to replace the Primary Account Number (PAN), primarily in the virtual world.
For transactions at the physical point of sale, efforts are underway to close gaps that allow PAN and other data to be exposed in some EMV implementations. That kind of exposure can happen inside of a POS terminal memory device where PAN and other data may be unencrypted for an instant, but long enough to be compromised. A new PCI 3.0 requirement, 6.5.6 (Insecure Handling of PAN and SAD in Memory) effective mid-year 2015, tightens requirements around this issue. That said, the incentive to harvest transaction data at the point of sale would be reduced tremendously in an EMV environment if that information could not be used in the virtual world to easily compromise accounts. That’s where payment tokens assume such significance.
Tokens will be key to limiting the very rapid migration of payments fraud from the physical to the virtual world that’s occurred in almost every country where EMV implementations have been successful in reducing fraud at the physical point-of-sale. That’s one reason The Clearing House and its twenty-two members (including the largest U.S. banks) have been working on token-based payment applications for more than two years, and last summer announced “Secure Cloud,” a token-based wallet solution.
In fact, the U.S. market is already seeing the introduction of token-based digital wallets, such as Chase’s new token-based online wallet announced in late February as part of the company’s new ChaseNet initiative. In this wallet, each use of a card housed within the wallet generates a one-time token that’s passed to the merchant and then back to the issuer (the wallet is “open” and supports cards other than those issued by Chase) for transaction approval. The issuer then sends its approval to the merchant, all without the use of a PAN or other potentially sensitive data.
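The one-time token flow described above can be sketched in a few lines. This is an added example, not code from Chase, EMVCo or any product named in this article; the class names, the in-memory vault, the random token format and the five-minute expiry are all assumptions made for illustration.

```python
import secrets
import time


class IssuerTokenVault:
    """Issuer-side map of one-time tokens to PANs (hypothetical, in-memory)."""

    def __init__(self, ttl_seconds=300):      # expiry window is an assumption
        self._tokens = {}                     # token -> (pan, expiry time)
        self._ttl = ttl_seconds

    def issue_token(self, pan, now=None):
        """Called by the wallet for each use of a card; returns a fresh surrogate."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(16)     # random, not derived from the PAN
        self._tokens[token] = (pan, now + self._ttl)
        return token

    def authorize(self, token, amount_cents, now=None):
        """Resolve the token, consume it, and return the approval decision."""
        now = time.time() if now is None else now
        entry = self._tokens.pop(token, None)  # pop enforces single use
        if entry is None:
            return {"approved": False, "reason": "unknown_or_used_token"}
        pan, expiry = entry
        if now > expiry:
            return {"approved": False, "reason": "expired_token"}
        # Funds and risk checks against `pan` would run here, inside the issuer.
        return {"approved": True, "reason": "ok", "amount_cents": amount_cents}


class Merchant:
    """The merchant stores and forwards only the token, never the PAN."""

    def __init__(self, issuer):
        self.issuer = issuer
        self.stored_records = []              # what a merchant breach would expose

    def checkout(self, token, amount_cents):
        self.stored_records.append({"token": token, "amount_cents": amount_cents})
        return self.issuer.authorize(token, amount_cents)


def demo():
    pan = "4111111111111111"                  # constructed test number
    issuer = IssuerTokenVault()
    merchant = Merchant(issuer)
    first = merchant.checkout(issuer.issue_token(pan), 2599)
    # Reusing the token found in the merchant's records must be declined.
    replay = merchant.checkout(merchant.stored_records[0]["token"], 2599)
    leaked = any(pan in str(record) for record in merchant.stored_records)
    return first, replay, leaked
```

Calling `demo()` returns the first approval, the declined replay, and a flag showing that the merchant's stored records never contained the PAN.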
I think it’s reasonable to expect an explosion of token-based online payment applications this year and next. So EMVCo’s tokenization framework release puts more welcome fuel on the fire, which happily is now beginning to burn brighter.
For more than 35 years, Santa Fe Group Senior Consultant, Gary Roboff, contributed his outstanding talents to the financial services industry, and in particular to financial services payments systems. Gary has focused on such issues as privacy and information utilization, business frameworks, changes in the payments and settlement systems, and standards for emerging e-commerce applications. He has chaired the Electronic Funds Transfer Association (EFTA) Board of Directors and was a founder of the International Security Trust and Privacy Alliance (ISTPA), serving as Vice Chair of its Board.