In an effort to address the need to combat card-not-present (CNP) fraud, especially as the payments system increasingly adopts the EMV chip-and-PIN system, the global technical body EMVCo announced it is developing a universal standard for tokenization.
Tokenization is the process of replacing a traditional card account number with a unique payment token that is restricted in how it can be used with a specific device, merchant, transaction type, or channel. When using tokenization, merchants and digital wallet operators do not need to store card account numbers.
EMVCo, collectively owned by American Express, Discover, JCB, MasterCard, UnionPay, and Visa, seeks to increase its focus from chip-based payments to include tokenization.
“Payment tokens also include enhanced data fields to provide richer information about the transaction, helping to improve transaction efficiency and provide more information about the circumstances under which the transaction was initiated,” said Christina Hulka, EMVCo Board of Managers Chair, in response to questions from ABA Banking Journal. “This advances the consumer and merchant payment experience and is one approach to preventing and containing fraudulent card account use.”
It’s a generally accepted fact that as countries have adopted EMV, card-present fraud declines but CNP fraud—typically involving online purchases—increases. The Payments Council of the Smart Card Alliance tracked CNP fraud in the United Kingdom and found it increased from about 55% of all credit fraud in 2007, to about 65% in 2012. Similarly, in France, the CNP fraud went up from about 52% in 2007, to about 73% in 2011.
EMVCo seeks to address this situation by coming up with a standard for tokenization that could be used universally.
“Existing payment tokenization systems are proprietary in nature and are not interoperable. This is why specifications are needed,” Hulka said. “A global specification to address tokenization will provide all stakeholders with a consistent, secure, reliable, and interoperable environment for digital payments. For consumers, enhanced security can lead to improved confidence in conducting digital payments. For merchants, this will enable them to confidently launch new technologies, knowing that they are building on a common framework that will be scalable to future industry requirements.”
The organization has appointed a task force of representatives from each member-owner of EMVCo, which will define the scope and action plan for the tokenization specification within the payments community. It expects to publish a first draft of the specification some time this year. It will engage with EMVCo associates when sufficient progress has been made, Hulka said.
“It is important to note that payment tokenization is not expected to unilaterally eradicate fraud, but offer a tool which can be deployed as part of a layered security approach by merchants and acquirers to minimize and contain card-not-present attacks. By increasing the defensive measures against malicious, unauthorized use of card account numbers, the payments industry is continuing to accelerate its vigilance against fraudsters.”