A coalition of retail industry trade groups this week called for the creation of an open tokenization standard for protecting credit and debit card data from theft and misuse.
The call stems from concerns over an effort by credit card companies to develop a method for tokenization that many in the retail sector fear would be too proprietary in nature.
In a letter, the National Retail Federation, Retail Industry Leaders Association, National Restaurant Association, Merchant Advisory Group and several others said an open tokenization standard offered the best approach for protecting payment card data.
"An open, interoperable platform will also ensure merchants can support the technology across multiple providers and make back-end security processes seamless for the customer experience," the groups said.
A universal method for tokenization will benefit not just the payments industry but also sectors such as the healthcare industry, which also handles huge amounts of sensitive data, they added.
Tokenization is a method for protecting card data by substituting a card's Primary Account Number (PAN) with a unique, randomly generated sequence of numbers, alphanumeric characters, or a combination of a truncated PAN and a random alphanumeric sequence.
Tokens are randomly generated and are usually the same length and format as the original PAN, so it appears no different than a standard payment card number to back-end transaction processing systems, applications and storage systems. The token acts as a substitute value for the actual PAN and can be used for all transaction-processing purposes but is valueless by itself if stolen.
Security experts consider tokenization a great way to protect credit and debt card data.
EMVCo, an organization created by American Express, Discover, MasterCard, Visa, JCB and UnionPay, and supported by dozens of banks, is developing a tokenization specification for the payments industry.
However, there is concern within the industry about the specification being too proprietary, said Mallory Duncan, general counsel of the NRF.
"We understand there are efforts in the financial sector to develop a proprietary standard that is much more limited and focused purely on financial activity," Duncan said.
According to Duncan, EMVCo has indicated its willingness to consider ideas and suggestions from all stakeholders in the payment industry. But they have also made it clear that all decisions will be solely their own, he said.
Rather than have EMVCo define a tokenization specification for the entire industry, it's better to have the effort handled by an accredited standards body, such as the International Standards Organization (ISO) or the American National Standards Institute (ANSI X.9).
The focus should be on developing a technology neutral platform based on broad participation from all stakeholders and that works in multiple payment environments, including e-commerce and mobile commerce, Duncan said.