The card brands have something up their sleeve with the EMVco network tokenization standards. According to the April 2015 PCI document "Tokenization Product Security Guidelines" EMVco has set proprietary standards on network tokenization. These new suggested proprietary standards obviously benefit the card brands and are intended to create additional barriers to entry for smaller banks and credit unions. With only a few of the large banks now participating, future participants must meet Global Card Brand guidelines. Don’t get me wrong, tokenization is the best way to remove toxic data from payment acceptance risk points, but the tokenization standards have to benefit everyone.
EMVco Using Dated Technology
The often-lauded EMV card, invented by EMVco, is now at the center of a new skimming scheme called “shimming”. Krebs on Security broke the news after the device was found at an ATM in Mexico. “The device acts as a shim that sits between the chip on the card and the chip reader in the ATM — recording the data on the chip as it is read by the ATM.” All US banks are required to make the switch to the EMV card by October 15, and this includes upgrading all ATMs to be EMV compliant. Banks are terrified that after they upgrade each individual ATM, to the tune of $3000 apiece, they will still be in harm’s way. Then they get to pay the card brands more fees for tokenization. See the cycle starting?
Proprietary Tokenization Benefits Card Brands Only
The big four card brands all have network tokenization solutions, but they are riddled with issues. In order for tokenization to remain Durbin compliant, a card issuer must have two unaffiliated networks for authorization—and guess who owns the networks? This adds another step to the authorization process, and you still need a separate fraud-prevention authentication step. See the dangerous cycle they are creating? Furthermore, once you tokenize with a card brand, your data belongs to them, and they are unlikely to return it should you decide to go with another—less expensive, more open—tokenization solution. Banks need to look at cloud-based tokenization, so they can keep customer data secure while simultaneously lowering the scope and cost of PCI compliance.
An Exclusive Club is Not the Answer
While tokenization needs standards from a recognized body like the PCI Security Standards Council, a de facto organization like EMVco should not be setting the network token standards. True tokenization significantly reduces PCI scope and compliance costs. EMVco is creating proprietary standards on who can be a TSP (token service provider) because they want to be the only tokenization solution for financial institutions. This will further handcuff financial institutions to the never-ending litany of global card brand fees. The tokenization standards need an unbiased approach that fights fraud universally for all types of organizations. In the end, when EMV fails to protect against fraud and cardholder data is stolen, banks will be the liable parties.