The card scheme-owned EMVCo standards body is beginning work on specifications for the use of digital tokens - rather than account numbers - for online and mobile transactions.
It was about time for ensuring that the EMV card applications do not provide the PAN data 'in clear' to the POS devices and ATMs. I have been talking
However my view is that this may not be the best approach UNLESS tokenization is left to be an issuer specific extension of the EMV. In other words the Issuer Host and EMV card application should share a symetric secret key - they already have such shared
key - one used for the Application Cryptograms
I therefore do not see the need for the big changes to the existing EMV specification set are in fact required. EMV standard should only specify that the behavior of the existing READ RECORD APDU should be modified for the specific Tag value which points
to the PAN data. In that case only, the READ RECODS APDU implementation in the EMV card application should use symetric key (the on that is shared with the Issuer Host) and produce the 'PAN token' which 'looks, feels and behaves like real original PAN' i.e.
1. preserves the original BIN/IIN
2. preserves last 4 digits of the real PAN
3. has everything in between #1 and #2 encrypted OR hashed OR MAC-ed by the symmetric key
This MUST be done per txn. The token should not be possible to be reused. Nothing else should be done.
Now with this said, I do not think that EMV needs to even change. Issuers can do this today on their own (instruct their EMV card application developers) and it will be 100% transparent to the merchant POS systems, merchant backend systems, acquirer systems,
Only Issuer Host and EMV card applications (both owned and controlled by the card issuer) would be aware of this happening.
Why do EMVco executives need to have another big PR announcement is beyond my understanding. This industry is not capable of innovating it is obvious.
CompetitiveNew York City, NY (USA)
© Finextra Research 2014