We might be forgiven for thinking that tokens have been the Rodney Dangerfield of the payments business, but that label is changing fast. Tokens have been used in the payments business for years, mostly in the back room where they have been a preferred tool for securing customer information for merchants who require a more assured method for handling exception items. Since last summer, however, we’ve seen a number of efforts designed to move token functionality to the front end of payment transactions, culminating with EMVCo’s draft payment tokenization framework release the week of March 10th (a full draft tokenization specification is promised for June 2014). The Clearing House, EMVCo, MasterCard, VISA and major banks are all moving quickly to use tokens in place of long-standard account identifiers to help reduce the risk associated with data breaches, and that’s a welcome development.
So what, exactly, is a token? Tokens are simply surrogate values that can be used in place of specific information that for one reason or another is best kept private. In the payments business, tokens are rapidly becoming a preferred tool to increase the security of individual transactions where they will be used to replace the Personal Account Number (PAN), primarily in the virtual world.
For transactions at the physical point of sale, efforts are underway to close gaps that allow PAN and other data to be exposed in some EMV implementations. That kind of exposure can happen inside of a POS terminal memory device where PAN and other data may be unencrypted for an instant, but long enough to be compromised. A new PCI 3.0 requirement, 6.5.6 (Insecure Handling of PAN and SAD in Memory), effective mid-year 2015, tightens requirements around this issue. That said, the incentive to harvest transaction data at the point of sale would be reduced tremendously in an EMV environment if that information could not be used in the virtual world to easily compromise accounts. That’s where payment tokens assume such significance.
Tokens will be key to limiting the very rapid migration of payments fraud from the physical to the virtual world that’s occurred in almost every country where EMV implementations have been successful in reducing fraud at the physical point-of-sale. That’s one reason The Clearing House and its twenty-two members (including the largest U.S. banks) have been working on token-based payment applications for more than two years, and last summer