Visa will not charge a fee to card issuers making use of its tokenization service until at least the end of 2015 and may or may not charge a separate fee for the service in the future, CEO Charles Scharf has revealed at the Bank of America Merrill Lynch 2014 Banking & Financial Services Conference.
“We put a rate schedule out there for tokenization; we said we’re waiving everything through the end of 2015,” he said. “We want people to adopt tokenization. We think it does create a meaningful set of opportunities that would be difficult for us to participate in without something like tokenization.
“Down the line, if we specifically monetize it as a service or we participate in the broader volume set and it helps justify the price that’s out there today, that’s a decision we’ll make as time goes on in the context of how we feel at that point in time, but the reason why we built it wasn’t to create a new stream. It was to insert ourselves into digital commerce in a way that we and our clients control our own destiny, and that’s huge.”
Scharf described tokenization during his presentation as “the single biggest change that’s been made in the payment networks easily over the past 15 or 20 years”.
“When we first started talking about tokenization publically, everyone was focused on the security aspects of it,” he explained. “The idea of taking the actual account number out of the flow, common sense says that’s a good thing, especially in the light of the data compromises that we’ve seen.
“Apple Pay is the first example of a product that wouldn’t have been possible unless the network community created tokenization. Our willingness to use the secure element that exists inside the iPhone; if there was no tokenization we wouldn’t have done it, but putting randomized credentials on that phone in a way that is controlled in a very clear process-oriented way is something that we have great comfort in.
“That will then allow for other types of experiences, whether Google wants to do something on their own, whether they are HCE driven through Android and the developer community, whether it’s with device manufacturers, tokenization has opened up this whole world for us to be able to use digital devices to be a meaningful part of the payments flow in a way that they wouldn’t have in the past.”
“Those of us that participate in the token infrastructure can make decisions on who you want to give access to, whether you want to charge for it and things like that,” Scharf continued. “So, it’s hugely meaningful to our ability to open up new channels and to make sure there’s clarity in terms of who controls the payment information.
With regard to the cost of migrating to EMV, Scharf added: “We sit here today just like we sat here two, three years ago, knowing that EMV is a more secure method of payment than the magstripe. So, having said that, it’s very difficult for us to go tell all of our clients that you now have to go and spend a lot of money, or else.
“Having said that, we did that along with our competitors and we put out, I think in 2011, we put out rules that said by 2015, if you don’t do this, there will be liability shifts. We gave people plenty of time and we gave them an incentive to go ahead and do it. Leading up to that, no one wanted to do it. Then, unfortunately this past 12 months, we’ve had a lot of data breaches at retailers.
“While EMV wouldn’t have stopped that, it would have stopped the ability to take that information and actually create duplicate cards, because you cannot duplicate an EMV card today. It hasn’t been done.
“So, the unfortunate experience having gone through that breach are all the negatives that the retailers have had with their sales and the banks have had with customer service but it’s got everyone focused on, hey, it’s in our interest to move the security standards to something which is the highest security standard.
“There’s a lot of momentum for both the issuing community and the merchant community to move towards EMV. We’re very confident by the time we get to the end of 2015, there will be material amount of adoption and then we’ll continue through 2016 and 2017. Again, it’s a role that we play. It’s in our best interest for sure because our brand is on those cards, but it’s in everyone elses as well.”
“Our business is all about helping commerce occur and getting paid for it along the way,” Scharf explained. “As commerce moves to digital channels, whether digital channels are using a digital device in the physical world or buying something in the digital realm, we need to be as successful in that world as we’ve been in the physical world.
“All these things that we’re doing are all about strategically embedding us in whatever payment platforms develop in the digital world.”
Next: Visit the NFCW Expo to find new suppliers and solutions
I agree that tokenization is “the single biggest change that’s been made in the payment networks easily over the past 15 or 20 years”. But I think that data tokenization is bigger than “change in payments” and should also be used as the new approach for securing all sensitive identifying personal data.
I agree that “The idea of taking the actual account number out of the flow, common sense says that’s a good thing, especially in the light of the data compromises that we’ve seen.” There are so many ways to attack our sensitive data at different points across the entire data flow.
We know that highly sophisticated malware was used in many recent attacks. McAfee Labs researchers have analyzed threats and seen a steady growth in malware. Sophisticated malware can be difficult to detect and poses as approved legitimate software. I think we need to protect the data itself, against the new memory scraping malware, in transit, at rest and even in use in computer
memory.
I think that the fact that “the token infrastructure can make decisions on who you want to give access to” is a powerful approach to manage security risk. Recent studies reported that data tokenization can cut security incidents by 50 %. I think it is time to secure the sensitive data in the entire data flow with modern approaches.
Ulf Mattsson, CTO Protegrity