Tokenization, the process of replacing card account numbers held in insecure locations (such as in a retailer near you) with an alias, is currently all the rage among the financial fraternity. The idea, of course, is to reduce the scope of fraud attacks by ensuring that if someone gets hold of a token they can’t use it to make a payment with anyone other than the party foolish enough to give it away.
This isn’t a new idea; we’ve seen tokens floating around for years. But interest has strengthened as the multi-channel experience exponentially increases the number of places we need to hold card numbers. Highly publicized data breaches where millions of card numbers have been stolen, and the associated millions of dollars in fines, have also helped to concentrate minds.
Currently the main model being discussed is a scheme network-centric one: Visa or MasterCard, for example, will tokenize your card numbers (be you a retailer, a card issuer or a mobile wallet provider), perform on-behalf-of tokenized transaction processing for you, turn the token back into a card number and deliver a card number based transaction to the issuing bank for authorization. It’s a simple and attractive model, and it will work for many organizations, but it’s not without its drawbacks.
One immediate problem is that large banks who are issuers and acquirers and who perform a lot of “on-us” transactions, with no network fees and no need to process via a payment network, find that they have to throw their transactions back to the scheme networks for de-tokenization and that this will involve costs. Someone has to pay for the tokenization infrastructure, and as Jim McCarthy, executive vice president for innovation and strategic partnerships at Visa, talking to Digital Transactions News, says about their service:
We’re waiving [tokenization fees] altogether, as long as the issuer is processing with us
[From With New Digital Program, Visa Drops Token Fees, Offers Issuers Single Connection to All Services]
What this means is that the issuer pays for on-behalf-of processing or they pay for tokenization. As issuers acquiring their own transactions don’t normally need to use any services from the schemes you can see why scheme-based tokenization may not be universally popular among issuer-acquirer banks.
For this reason, and many others, the schemes are not going to be the only providers of tokenization going forward, and the market is likely to broaden over the coming months and years as other players offer solutions. Most major issuers and processors either are or ought to be planning their own tokenization solutions, and technically there’s really no reason issuer- or processor-based tokenization shouldn’t work, as long as token BIN ranges can be allocated to specific issuers (otherwise you’ll have issues with chargeback and settlement).
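A sketch of issuer-based tokenization as described above, added here as an example and not taken from any scheme's or issuer's implementation: the vault issues tokens inside an issuer-specific token BIN range, binds each token to one merchant so it is useless to anyone else, and routes de-tokenization by BIN alone. The BIN values, issuer and merchant names, the card number and the names TokenVault, luhn_check_digit and route are all assumptions made for the illustration.

```python
import secrets

# Constructed token BIN ranges for two hypothetical issuers (not real allocations).
TOKEN_BINS = {"999900": "issuer-a", "999901": "issuer-b"}

def luhn_check_digit(body: str) -> str:
    """Check digit that makes body + digit pass the Luhn test."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:  # these positions are doubled once the check digit is appended
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str(-total % 10)

class TokenVault:
    """Issuer-side vault mapping token -> (card number, merchant allowed to use it)."""

    def __init__(self, issuer: str):
        self.token_bin = next(b for b, name in TOKEN_BINS.items() if name == issuer)
        self._by_token = {}

    def tokenize(self, pan: str, merchant: str) -> str:
        while True:  # retry on the (unlikely) collision with an existing token
            body = self.token_bin + "".join(secrets.choice("0123456789") for _ in range(9))
            token = body + luhn_check_digit(body)
            if token not in self._by_token:
                self._by_token[token] = (pan, merchant)
                return token

    def detokenize(self, token: str, merchant: str) -> str:
        pan, bound_to = self._by_token[token]  # KeyError for an unknown token
        if merchant != bound_to:
            raise PermissionError("token presented by a party it was not issued to")
        return pan

def route(token: str) -> str:
    """Choose the issuer that must de-tokenize, using only the token's BIN."""
    return TOKEN_BINS[token[:6]]

if __name__ == "__main__":
    vault = TokenVault("issuer-a")
    token = vault.tokenize("4111111111111111", "shop-1")  # constructed test card number
    print(token, "routes to", route(token))
    print("shop-1 gets", vault.detokenize(token, "shop-1"))
```

Without a BIN range tied to one issuer, route() would have nothing to key on, which is the chargeback and settlement problem noted above.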
This means that, as we at Consult Hyperion have consistently argued, tokenization will have profound consequences. The process of turning a card number into a token that can transact over payment networks can be applied to other types of credential. I could take a non-card based account and tokenize it. I could even take my identity and turn that into a payment vehicle – and the advent of mobile device based payments means I don’t even need to have a physical card. As long as I can link the token to an actual account somewhere I can make a payment.
Behind all of this there needs to be some radical rethinking of the nature of the consumer in the payments environment. It’s been clear for a while that it’s no longer sufficient to represent the customer as a card account number, especially if we start to take into account all of the other non-payment network use cases that are possible: electronic funds transfer, e-commerce, remittances, foreign exchange; the list is endless. But putting tokenization on top of that will mean that all of those tracking systems out there that rely on the card number will stop working. Figuring out what consumers are doing is going to get a lot harder, and the token service providers are going to be the key players in this new world.
At the moment tokenization is being treated as a means to an end, a way of removing card numbers from the scope of fraud attacks. But really it’s an indicator of a much more profound change in the way the payments industry and all of its attendant parties are going to do business. The question is not whether tokenization will happen; that’s already decided. The question is, really, who will know who the tokens belong to?