White Paper: EMVCo Tokenization Standard Closed to Industry Input
Aug. 17, 2015
The Secure Remote Payment Council (SRPc), a New Jersey-based group comprising national EFT networks focused on growing debit-based e-commerce, late last week released the most recent in a series of position papers related to tokenization . Specifically, the group is concerned about the tokenization standard advanced by EMVCo (which is operated by the major card brands) in 2014.
“EMVCo formulated their tokenization specs in a closed environment,” SRPc president Paul Tomasofsky told CardNotPresent.com. “We’re looking for a more open way for industry stakeholders to have equal say in the process and influence how that standard works and make it better.”
The SRPc Authentication Working Group said the fact that EMVCo’s standard is proprietary and will be implemented at the network level rather than the processor level is problematic. In the EMVCo standard, the SRPc said in the white paper, there are a limited set of entities that can serve as token service providers (TSPs)—mostly the card networks, themselves—guarding data accumulated during the tokenization process in token vaults. The paper asks if the additional security provided by the use of TSPs is outweighed by the additional risk introduced by the existence of token vaults that will become attractive to hackers.