The EMVCo Tokenization specification captures the basic services that support payment authorization processing in the card not present (CNP) e-commerce and card present (CP) mobile payment use cases. In addition, the ProxyEMVPay Card concept elaborated on how the basic Tokenization Service Provider (TSP) functionality can be extended cheaply and elegantly to enable the use of tokenization with plastic EMV chip cards and NFC wearables as well, for both card present and card not present payments.
Tokenization is indeed a very powerful, yet relatively straightforward concept. It can certainly be used irrespective of the channel or use case. Its main purpose is to protect the sensitive card data (Primary Account Number or PAN) by replacing it with an irreversible equivalent (token), which can’t be misused if stolen. But should we stop at that and be satisfied with only achieving standardized, cost-effective protection of sensitive card data?
The tokenization service providers could and should play a much bigger role. Since they already play the friendly ‘man in the middle’ role, by intercepting all tokenized payment authorization requests and responses, they can also serve as perfect ‘API plug-in’ points for all kinds of third-party value-added services, such as loyalty, stored value, authentication, social networking, etc. The payment industry (i.e. mainly EMVCo) should therefore consider moving beyond pure tokenization and toward standardized APIs for these value-added services, in order to make them easily pluggable into the compliant TSPs, all in a standard and controlled way.
With such an extensible and flexible architecture, payment processing can be extended to use cases that aren’t a natural fit for the traditional payment rails, while remaining under the full control of the established industry players. For example, loyalty collection could potentially be achieved transparently to the user (as part of the payment processing), using the same card or device, and regardless of the payment channel: once the payment authorization response is intercepted by the TSP, the appropriate standard loyalty collection API plug-in can be invoked, just before the final response is sent to the POS or the online merchant server.
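
The interception step described above, as an added sketch that is not from the original article or from any EMVCo specification. All names (`AuthResponse`, `PluginView`, `finalize_response`, the loyalty rule) are hypothetical, and it assumes that plug-ins are handed the token but never the PAN and that a failing plug-in must not alter the authorization result.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

@dataclass(frozen=True)
class AuthResponse:
    """Issuer response as seen inside the TSP, after de-tokenization."""
    token: str         # surrogate value the merchant side knows
    pan: str           # real PAN; must never leave the TSP boundary
    amount_minor: int  # amount in minor units (e.g. cents)
    approved: bool

@dataclass(frozen=True)
class PluginView:
    """Least-privilege copy handed to plug-ins: it has no PAN field at all."""
    token: str
    amount_minor: int
    approved: bool

Plugin = Callable[[PluginView], Dict[str, str]]

def finalize_response(resp: AuthResponse,
                      plugins: List[Tuple[str, Plugin]]) -> Dict[str, object]:
    """Run plug-ins on the intercepted response, then build the merchant reply."""
    view = PluginView(resp.token, resp.amount_minor, resp.approved)
    extras: Dict[str, Dict[str, str]] = {}
    failed: List[str] = []
    for name, plugin in plugins:
        try:
            extras[name] = plugin(view)
        except Exception:
            # A broken value-added service must not change the payment outcome.
            failed.append(name)
    return {"token": resp.token, "approved": resp.approved,
            "extras": extras, "failed_plugins": failed}

def loyalty_plugin(view: PluginView) -> Dict[str, str]:
    """Constructed rule: 1 point per 100 minor units, approved payments only."""
    points = view.amount_minor // 100 if view.approved else 0
    return {"points_awarded": str(points)}

def broken_plugin(view: PluginView) -> Dict[str, str]:
    raise RuntimeError("third-party service unavailable")

# Constructed sample values; the PAN is a common test number, not real card data.
SAMPLE = AuthResponse(token="4900000000000001", pan="4111111111111111",
                      amount_minor=2599, approved=True)
RESULT = finalize_response(SAMPLE, [("loyalty", loyalty_plugin),
                                    ("broken", broken_plugin)])
```
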
This architectural transformation and extension is not going to happen overnight, but the tokenization service providers certainly have the opportunity to make it possible. In other words, those who can legitimately intercept the payment authorization requests and responses can add value. The payment industry has a big and obvious opportunity to move beyond pure tokenization toward an even brighter future. Let’s hope it happens!