Banks push for tokenization standard to secure credit card payments

Tokenization addresses gaps in EMV smartcard standard, says indsutry group

A group representing 22 of the world's largest banks is pushing for broad adoption in the U.S. of payment card technology called tokenization, citing shortcomings in the planned migration to the Europay MasterCard Visa (EMV) smartcard standard over the next two years.

The Clearing House Payments Company (TCH), whose owners include Bank of America, Citibank, Capital One and JP Morgan Chase, is working with member banks to see how tokenization can be applied to online and mobile payment environments to protect against fraud.

The effort stems from what the group says is the need to address gaps in the EMV standard involving mobile and online transactions.

"EMV has been out there for close to 20 years" and has served its purpose well, said Dave Fortney, senior vice president, product development and management for The Clearing House.

Debit and credit cards based on the EMV technology use an embedded microchip, instead of a magnetic stripe, to store data and are considered almost impossible to clone for fraudulent purposes. Though the rest of the world moved to the technology years ago, the U.S. has lagged behind for a variety of reasons.

However, after the recent Target breach that exposed data on 40 million debit and credit cards, calls to adopt the standard in the U.S. have become more strident. MasterCard and Visa have said they want merchants and banks to be ready to start accepting EMV cards by October 2015.

While the planned migration has its benefits, EMV is not quite the panacea that many assume it is, Fortney said. "The downside with EMV is that it was created when there was no Internet, no online commerce, no smartphones and no tablets."

While EMV is great for securing card transactions at point-of-sale terminals, it is less useful for online payments and other card-not-present transactions. That is one of the major reasons why payment card fraud has migrated from point-of-sale systems to online channels in Europe and other places that have already adopted EMV.

Payment card tokenization is one way to address this gap, Fortney noted.

Tokenization is a method for protecting card data by substituting a card's Primary Account Number (PAN) with a unique, randomly generated sequence of numbers, alphanumeric characters, or a combination of a truncated PAN and a random alphanumeric sequence.

The token is usually the same length and format as the original PAN, so it appears no different than a standard payment card number to back-end transaction processing systems, applications and storage.

The random sequence, or "token," acts as a substitute value for the actual PAN while a transaction is processed or while the data is at rest inside a retailer's systems. The token can be reversed to its true associated PAN value at any time with the right decryption keys. Tokens can be either single use tokens or multi-use tokens.

Tokenization eliminates the need for merchants, e-commerce sites and operators of mobile wallets to store sensitive payment card data on their networks, said Fortney.

With tokenization, credit and debit card data is encrypted at the point where it is captured and sent to the merchant's payment processor where the data is decrypted and the transaction is authorized. The processor then issues a token representing the entire transaction back to the retailer while the actual card number itself is securely stored in a virtual vault.

The retailer can use the token to keep track of the transaction and handle refunds, returns, exchanges and other transactions. The token itself would be of little value to data thieves because there would be no way to link the token back to the PAN without the decryption key.

Customers would do nothing different when paying for purchases using a credit or debit card. The card data is encrypted when the card is swiped through the payment terminal, sent to the processor where it is decrypted for transaction approval processes, and a token issued to the merchant all without the customer experiencing anything different.

Tokenization can also be implemented on-premise with the merchant itself hosting the server that does the decryption and token issuance.

Tokenization also offers a great way to secure emerging mobile payment applications, Fortney said. A mobile wallet operator like PayPal or Google could use the approach to store one-time use tokens in a consumer's virtual wallet rather than actual credit and debit card numbers. Consumers could use the tokens to make purchases like they would with an actual payment card while merchants would be able to complete a transaction without touching or storing actual PAN data, he said.

One major advantage with tokenization is that it does not require merchants to make major changes to their current payment acceptance systems, like EMV does, Fortney said. Tokens are formatted in the same manner as card information so merchants have to make relatively minimal changes to their payment systems, he said.

The real heavy lifting would happen at the banks, or other entities that store PAN data, generate tokens and keep track of them through the entire transaction chain.

Tokenization is not new. The Payment Card Industry Security Council, which administers a set of security standards for payment systems, recommends it as an approach for reducing the work that companies have to do to become PCI compliant.

A growing number of retailers already use tokenization as a way to reduce PCI scope, and several vendors sell tokenization products and services.

The Clearing House effort is aimed at fostering standards that everyone in the payment industry can use to implement tokenization in a consistent manner, Fortney said. "Our desire is to have an open standard across the whole industry," he said.

The Clearing House is not the only organization looking at tokenization.

Following the Target breach, EMVCo, an entity owned by American Express, MasterCard, Visa and three other credit card brands, also announced plans to develop a tokenization standard for securing credit and debit card payments made via mobile handsets, tablet computers and online channels.

EMVCo did not respond to multiple Computerworld requests for comment on their effort. But a press release from January said the new specification would complement the existing EMV smartcard specifications that all merchants and banks are required to migrate to by the end of next year.

EMVCo's specification will describe a "consistent approach to identify and verify the valid use of a token during payment processing including authorization, capture, clearing and settlement," the statement noted.

The biggest benefit with tokenization is that it helps merchants remove payment card numbers from systems that don't need it, said Terrence Spies, chief technology officer at Voltage Security, a provider of encryption and other data masking technologies.

Since tokenization is done in a central way, only a small portion of the network knows how to generate and reverse a token. As a result, it is easier for banks and other third parties to protect that process, Spies said. He is also chairman of the cryptographic tools group at the X9 standards body responsible for developing cryptographic standards for the financial services industry.

Like EMVCo and The Clearing House, the X9 standards body is working on developing tokenization standards for the U.S. payment industry, Spies said. The X9 effort is focused on developing standard definitions for tokenization and for the processes for generating and validating tokens, he said. "There's a lot of energy being putting into getting tokenization right," Spies said.

This article, Banks push for token standard to secure credit card payments, was originally published at

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed. His e-mail address is

See more by Jaikumar Vijayan on

Read more about data security in Computerworld's Data Security Topic Center.

Join the CSO newsletter!

Error: Please check your email address.

Tags Capital Onedata securitymobile paymentsFinancial ITsecurityvisaCitibankCapitadata protectionTarget

More about American Express AustraliaCapital OneCitigroupGoogleJP MorganMorganPayPalTopicVisa

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Jaikumar Vijayan

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place