Tokenisation eliminates the need for merchants, e-commerce sites and operators of mobile wallets to store sensitive payment card data on their networks, said Fortney.
With tokenisation, credit and debit card data is encrypted at the point where it is captured and sent to the merchant's payment processor where the data is decrypted and the transaction is authorized. The processor then issues a token representing the entire transaction back to the retailer while the actual card number itself is securely stored in a virtual vault.
The retailer can use the token to keep track of the transaction and handle refunds, returns, exchanges and other transactions. The token itself would be of little value to data thieves because there would be no way to link the token back to the PAN without the decryption key.
Customers would do nothing different when paying for purchases using a credit or debit card. The card data is encrypted when the card is swiped through the payment terminal, sent to the processor where it is decrypted for transaction approval processes, and a token issued to the merchant all without the customer experiencing anything different.
Tokenisation can also be implemented on-premise with the merchant itself hosting the server that does the decryption and token issuance.
Tokenisation also offers a great way to secure emerging mobile payment applications, Fortney said. A mobile wallet operator like PayPal or Google could use the approach to store one-time use tokens in a consumer's virtual wallet rather than actual credit and debit card numbers. Consumers could use the tokens to make purchases like they would with an actual payment card while merchants would be able to complete a transaction without touching or storing actual PAN data, he said.
One major advantage with tokenization is that it does not require merchants to make major changes to their current payment acceptance systems, like EMV does, Fortney said. Tokens are formatted in the same manner as card information so merchants have to make relatively minimal changes to their payment systems, he said.
The real heavy lifting would happen at the banks, or other entities that store PAN data, generate tokens and keep track of them through the entire transaction chain.
Tokenisation is not new. The Payment Card Industry Security Council, which administers a set of security standards for payment systems, recommends it as an approach for reducing the work that companies have to do to become PCI compliant.
A growing number of retailers already use tokenisation as a way to reduce PCI scope, and several vendors sell tokenisation products and services.
The Clearing House effort is aimed at fostering standards that everyone in the payment industry can use to implement tokenisation in a consistent manner, Fortney said. "Our desire is to have an open standard across the whole industry," he said.