Groups recommend guiding principles for the creation, maintenance, and enforcement of tokenization security standards
Washington, DC - 7/28/2014
Today, the Food Marketing Institute, Merchant Advisory Group, National Association of Convenience Stores, National Grocers Association, National Restaurant Association, National Retail Federation, and Retail Industry Leaders Association released the following statement on tokenization technology in the United States:
Improving security and consumer confidence in the U.S. payments system is a top priority for the merchant community. We call upon all stakeholders in the payments industry to come together to ensure open and efficient standards to better protect U.S. consumers and businesses from payment card and system security threats. An open and universal tokenization standard will also help ensure sensitive personal information beyond just payment card account-level data will be more adequately secured across other U.S. commerce channels.
Payment card data can be vulnerable to theft at three main points:
Where the card is swiped or a card number is entered;
Where card information is stored; and
Where card information is transmitted (sent or received).
Regardless of whether a consumer is paying at a brick-and-mortar checkout, at the pump, on the Internet, or even via a mobile phone, there is a need to ensure the payment data is protected. One way this can be done is through a technology called tokenization.
Tokenization refers to the process of replacing sensitive account data and identity information with a unique token or symbol, making it less vulnerable to a security compromise. Tokens are randomly generated in a secure environment – like a coin vault – so that no data is stored or transmitted in an unsecure format. A properly designed, implemented, and enforced tokenization standard would move the U.S. payments system in the right direction toward mitigating payment card fraud and identity theft.
In order for the full benefits of tokenization technology to be realized by U.S. consumers and businesses, the standards for this technology must be created on an open platform that enables all technology providers to compete equally. An open, interoperable platform will also ensure merchants can support the technology across multiple providers and make back-end security processes seamless for the customer experience.
Tokenization will also be a valuable tool to secure data in other aspects of commerce, such as age verification identity checks, and storage and transmission of electronic health records and pharmacy prescriptions. Ensuring an open standards process for the development of tokenization technology will result in a final standards product appropriate for other aspects of U.S. commerce beyond just payments, and will be more easily and efficiently integrated into all hardware and software business environments.
There are a number of independent, unbiased professional standards organizations that support the development and maintenance of sound, open, neutral technology standards. We strongly encourage payment stakeholders to participate in an accredited standards process, such as, but not limited to, the International Standards Organization (ISO) or American National Standards Institute (ANSI X.9), to create, maintain, and coalesce around an open solution approach to payments security. Solutions for tokenization should align with the following guiding principles:
Subscribe to an open standards approach through an accredited standards-setting body
Create a technology neutral platform allowing broad participation in the standard from technology stakeholders
Allow participants to develop proprietary frameworks that operate in adherence to the standard
Ensure the standard works for multiple payment environments, including e-commerce and m-commerce
Require that intellectual property – such as coin vaults and common technology applications – be governed by the industry standards
Require the standard be supported by all networks, brands and payment types (credit, debit, prepaid, ACH, etc.)