The Food Marketing Institute, Merchant Advisory Group, National Association of Convenience Stores, National Grocers Association, National Restaurant Association, National Retail Federation, and Retail Industry Leaders Association have come together to call for the creation of a set of open standards for tokenized payments that would be managed by an independent body such as ISO or ANSI — rather than by the payments industry.
Tokenization, which is undergoing a standardization process by EMVCo at the request of the world’s major payments networks, will be introduced by Visa in September 2014 as part of its new Visa cloud payment suite. The other networks are expected to follow soon after.
The technology is designed to replace the exchange of actual card numbers between shoppers and merchants with tokens that act as a proxy for a card number and can be restricted so that they can only be used on a particular mobile device or chip card, at a particular merchant or in a particular geographical location.
It will also provide a way to include additional data fields in transactions and enable support for open loop EMV payments via QR and Bluetooth Low Energy (BLE) as well as NFC, EMVCo’s Christina Hulke explained to NFC World+ in an in-depth interview earlier this year.
“Improving security and consumer confidence in the US payments system is a top priority for the merchant community,” the merchant groups say. “We call upon all stakeholders in the payments industry to come together to ensure open and efficient standards to better protect US consumers and businesses from payment card and system security threats.
“An open and universal tokenization standard will also help ensure sensitive personal information beyond just payment card account-level data will be more adequately secured across other US commerce channels.”
“Regardless of whether a consumer is paying at a brick-and-mortar checkout, at the pump, on the internet, or even via a mobile phone, there is a need to ensure the payment data is protected,” they add. “One way this can be done is through a technology called tokenization.”
“A properly designed, implemented and enforced tokenization standard would move the US payments system in the right direction toward mitigating payment card fraud and identity theft,” the merchant groups say.
“In order for the full benefits of tokenization technology to be realized by US consumers and businesses, the standards for this technology must be created on an open platform that enables all technology providers to compete equally.
“An open, interoperable platform will also ensure merchants can support the technology across multiple providers and make back-end security processes seamless for the customer experience.
“Tokenization will also be a valuable tool to secure data in other aspects of commerce, such as age verification identity checks, and storage and transmission of electronic health records and pharmacy prescriptions.
“Ensuring an open standards process for the development of tokenization technology will result in a final standards product appropriate for other aspects of US commerce beyond just payments, and will be more easily and efficiently integrated into all hardware and software business environments.”
“There are a number of independent, unbiased professional standards organizations that support the development and maintenance of sound, open, neutral technology standards,” they continue. “We strongly encourage payment stakeholders to participate in an accredited standards process, such as, but not limited to, the International Standards Organization (ISO) or American National Standards Institute (ANSI X.9), to create, maintain and coalesce around an open solution approach to payments security.”
Solutions for tokenization should align with the following guiding principles, they conclude:
- Subscribe to an open standards approach through an accredited standards-setting body;
- Create a technology-neutral platform allowing broad participation in the standard from technology stakeholders;
- Allow participants to develop proprietary frameworks that operate in adherence to the standard;
- Ensure the standard works for multiple payment environments, including ecommerce and mcommerce;
- Require that intellectual property — such as coin vaults and common technology applications — be governed by the industry standards;
- Require the standard be supported by all networks, brands and payments types (credit, debit, prepaid, ACH, etc).