July 1, 2014

The Fight for Tokenization

The Fight for Tokenization

We recently came across an article published by Digital Transactions that discussed “The Furious Battle to Control Tokenization.” The article laid out the politics and power struggles within the payments space and did a good job of explaining the current state of the industry.
The author explains that with all the headaches and confusion around U.S. EMV, it almost certainly won’t be ready in time for the liability shift in October 2015. All the confusion around EMV led to inaction; merchants and processors were waiting for the dust to settle before they moved to adopt the new technology.

Race for Relevancy
This lull left a bit of a power void in the industry. EMVCo (owned by the card brands) thought they had everything going their way and then, suddenly, it was anybody’s game again. With EMV now exposed for what it is (a partial solution to card-present fraud, but certainly not the silver bullet to payment security), merchant groups, card brands, and security vendors have all rushed in to create the new global standard for card data security.

The early leader in this push – and the solution we’ve been promoting for the last five years or more – is the combination of tokenization, P2PE, and EMV. This combination helps merchants reduce their PCI scope while providing true security against an ever-growing threat of a data breach. Steve Mott, the payments industry consultant who wrote this op-ed piece, was dead-on with that analysis.

“Adding tokenization (and deploying the full, end-to-end encryption option) to EMV has the potential to make this global standard palatable for U.S. merchants and banks, and might actually produce a return on the $8 billion-to-$10 billion investment projected for chip-based infrastructure they are expected to pay,” Mott said.

We would add a caveat that while this is the best solution so far proposed, it is not a simple one because – to date – no EMV device manufacturer has enabled P2PE for EMV transactions. Sure, some devices on the market claim to be both EMV and P2PE capable, but that’s only because they still have back-up magnetic swipe readers that are P2PE enabled. No manufacturer has yet released a device that can encrypt data from an EMV card at the point of entry.

Our 4Go® technology can encrypt that data at the system driver level, before it reaches the POS/PMS, which is a step in the right direction. However, in order to be considered a complete P2PE environment, and to gain the promised PCI scope reductions, that encryption needs to take place within the actual EMV terminal.

Moss also had us nodding in agreement with his talk of “the wretched excess and ineffectiveness of PCI” and his observation that allowing the card brands to lead any future card-security initiatives would be as naïve as “letting the fox guard the henhouse.”

Too Good to be True
Overall, it was a well-written article and we appreciate the message it conveyed. Where Mott lost us, though, was when he tried to explain tokenization. Here is an industry analyst – obviously well-versed in the payments industry, including the players, politics, and technologies – whose knowledge of tokenization appeared to be limited to a single provider whose offering is both limited and costly.

First, Mott says that tokenization came on the scene about five years ago – obviously he missed it when we released that technology to the industry nearly a decade ago. And he must have missed our announcement last year about having processed more than five billion tokenized transactions since introducing the technology. When an expert has done this kind of research into a topic, is it too much to expect them to at least mention our having invented the technology? Strange oversight, if you ask us.

Mott also warned merchants that tokenization “costs a little more.”

“Merchants might pay a penny or two to tokenize a transaction, and 3 cents to 5 cents to detokenize it when needed to research a problem or analyze a customer account,” he said.

Wait… what? People charge extra for tokenization? And more than double their rate for reversing the token for chargeback defense? Merchants put up with this? Wow. Tokenization is vital to security. Security is vital to payment processing. Therefore, tokenization is a vital part of what we do – it’s a core element of our offering. Vendors shouldn’t charge extra for something that is essential to their offering.

How We Do It
That’s yet another reason you can be happy you’re part of the Shift4 family. Other companies charge an additional 4-7 cents per transaction for just one of the many services we include at no additional cost. We also simplify EMV, drastically reduce your PCI headaches, and otherwise do all that we can to isolate you from the ridiculousness that occasionally befalls the payments industry. That’s part of our commitment to merchant advocacy.

If you have questions about tokenization, P2PE, EMV, or anything else mentioned in this article, please contact [email protected] or call 702.597.2480 (option 2).