SRPc to EMVCo: Tokenization Standard Should be Open

July 28, 2014

SRPc to EMVCo: Tokenization Standard Should be Open The Secure Remote Payment Council (SRPc), a national association of EFT networks, last week urged the payments industry to work together to develop standards for tokenization to better protect payment-card transactions. It said it has “serious concerns” over the tokenization standard advanced by EMVCo in March . The SRPc said the framework introduced by EMVCo isn’t an open standard at all, but a specification controlled by the major card brands in which token-granting entities are limited by global brand rules and token processing is controlled by these global brand rules.

“The EMVCo framework does not support a complete solution. Standards for tokenization must be flexible enough to cover all technologies, and not be limited in scope to one or two options such as NFC,” the SRPc said in a statement. “They should support dynamic tokenization, i.e., one-time or limited use tokens, rather than static, domain specific, cryptograms as proposed by EMVCo.”

And, as is the case with the EMV implementation road map currently being promulgated by the card networks, card-not-present transactions are not addressed by the EMVCo tokenization standard.

“We should not rush to market with a solution that doesn’t address the entire problem,” the statement said. “The lessons learned from the implementation of EMV in other countries have shown a shift of fraud from the physical space to the online environment. As such, the industry solution for tokenization must address both the card-not-present and the card-present environments.”