The Clearing House is not the only organisation looking at tokenisation.
Following the Target breach, EMVCo, an entity owned by American Express, MasterCard, Visa and three other credit card brands, also announced plans to develop a tokenization standard for securing credit and debit card payments made via mobile handsets, tablet computers and online channels.
EMVCo did not respond to multiple Computerworld requests for comment on their effort. But a press release from January said the new specification would complement the existing EMV smartcard specifications that all merchants and banks are required to migrate to by the end of next year.
EMVCo's specification will describe a "consistent approach to identify and verify the valid use of a token during payment processing including authorization, capture, clearing and settlement," the statement noted.
The biggest benefit with tokenisation is that it helps merchants remove payment card numbers from systems that don't need it, said Terrence Spies, chief technology officer at Voltage Security, a provider of encryption and other data masking technologies.
Since tokenisation is done in a central way, only a small portion of the network knows how to generate and reverse a token. As a result, it is easier for banks and other third parties to protect that process, Spies said. He is also chairman of the cryptographic tools group at the X9 standards body responsible for developing cryptographic standards for the financial services industry.
Like EMVCo and The Clearing House, the X9 standards body is working on developing tokenization standards for the U.S. payment industry, Spies said. The X9 effort is focused on developing standard definitions for tokenization and for the processes for generating and validating tokens, he said. "There's a lot of energy being putting into getting tokenization right," Spies said.