EMVCo to hammer out specifications for tokens at the digital checkout


The card scheme-owned EMVCo standards body is beginning work on specifications for the use of digital tokens - rather than account numbers - for online and mobile transactions.

Tokenisation replaces a traditional card account number with a unique payment token that is restricted in how it can be used with a specific device, merchant, transaction type or channel. When using tokenisation, merchants and digital wallet operators do not need to store card account numbers; instead they store tokens that can only be used for their designated purpose.

The technique was first proposed by Visa, MasterCard and American Express in October when the card giants argued that it would make life simpler and safer for customers shopping on a mobile phone, tablet or PC.

EMVCo - which is owned by the three and Discover, JCB and UnionPay - will now hammer out the specifications, which will complement the existing EMV rules for a "cohesive global payments framework".

Dave Meadon, executive committee chair, EMVCo, says: "The payments landscape is undergoing significant change, as new types of payments devices and experiences are developed to address the blurring of the physical and digital worlds. EMVCo's continued work to define specifications for the payment industry will establish a reliable, interoperable and secure framework to enable 'digital commerce' to achieve its full potential."

The body says that it will consider existing standards to promote industry interoperability and tap current infrastructure established by the wider payments ecosystem.

EMVCo is planning new data fields to improve transaction efficiency and prevent fraudulent card account use. It will also create a consistent approach to identify and verify the valid use of a token during payment processing including authorisation, capture, clearing and settlement.

Industry stakeholders are being invited to contribute to the process through the EMVCo associate programme.

Comments: (1)

A Finextra member 17 January, 2014, 13:05

It was about time for ensuring that the EMV card applications do not provide the PAN data 'in clear' to the POS devices and ATMs. I have been talking

However my view is that this may not be the best approach UNLESS tokenization is left to be an issuer specific extension of the EMV. In other words the Issuer Host and EMV card application should share a symmetric secret key - they already have such a shared key - one used for the Application Cryptograms.

I therefore do not see that the big changes to the existing EMV specification set are in fact required. EMV standard should only specify that the behavior of the existing READ RECORD APDU should be modified for the specific Tag value which points to the PAN data. In that case only, the READ RECORD APDU implementation in the EMV card application should use the symmetric key (the one that is shared with the Issuer Host) and produce the 'PAN token' which 'looks, feels and behaves like real original PAN' i.e.

1. preserves the original BIN/IIN

2. preserves last 4 digits of the real PAN

3. has everything in between #1 and #2 encrypted OR hashed OR MAC-ed by the symmetric key

This MUST be done per txn. The token should not be possible to be reused. Nothing else should be done.

Now with this said, I do not think that EMV needs to even change. Issuers can do this today on their own (instruct their EMV card application developers) and it will be 100% transparent to the merchant POS systems, merchant backend systems, acquirer systems, payment schemes.

Only Issuer Host and EMV card applications (both owned and controlled by the card issuer) would be aware of this happening.

Why EMVCo executives need to have another big PR announcement is beyond my understanding. This industry is not capable of innovating, it is obvious.
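The scheme described in the comment above, worked through as an added example (not code from the article, the commenter or EMVCo): the card derives a per-transaction token that keeps the BIN and last 4 digits, and the issuer host maps it back and refuses reuse. Assumptions: HMAC-SHA256 stands in for the card's MAC, the Application Transaction Counter (ATC) is the per-transaction input, each card has its own key, and `pan_token`, `IssuerHost`, the PANs and the keys are hypothetical or constructed.

```python
import hashlib
import hmac
from typing import Dict, Optional

BIN_LEN, TAIL_LEN = 6, 4  # assumption: 6-digit BIN/IIN and last 4 digits stay in clear


def pan_token(card_key: bytes, pan: str, atc: int) -> str:
    """Card side: keep BIN and last 4, replace the middle with MAC-derived digits."""
    middle_len = len(pan) - BIN_LEN - TAIL_LEN
    # Binding the MAC to the transaction counter makes the token differ per transaction.
    msg = pan.encode() + atc.to_bytes(2, "big")
    mac = hmac.new(card_key, msg, hashlib.sha256).digest()
    middle = int.from_bytes(mac[:8], "big") % 10**middle_len
    return pan[:BIN_LEN] + str(middle).zfill(middle_len) + pan[-TAIL_LEN:]


class IssuerHost:
    """Issuer side: holds each card's key and the highest counter already accepted."""

    def __init__(self, card_keys: Dict[str, bytes]):
        self.card_keys = card_keys
        self.last_atc = {pan: 0 for pan in card_keys}

    def resolve(self, token: str, atc: int) -> Optional[str]:
        # A MAC is one-way, so the host recomputes it for every issued PAN
        # that shares the token's visible BIN and last 4 digits.
        matches = [
            pan for pan, key in self.card_keys.items()
            if len(pan) == len(token)
            and pan[:BIN_LEN] == token[:BIN_LEN]
            and pan[-TAIL_LEN:] == token[-TAIL_LEN:]
            and hmac.compare_digest(pan_token(key, pan, atc), token)
        ]
        if len(matches) != 1:
            return None  # unknown token, or two cards collided on the short middle
        pan = matches[0]
        if atc <= self.last_atc[pan]:
            return None  # counter already used: reject the replayed token
        self.last_atc[pan] = atc
        return pan


# Constructed test data: neither the PANs nor the keys are real.
PAN_A, PAN_B = "4111111111111111", "4111110000001111"

if __name__ == "__main__":
    host = IssuerHost({PAN_A: b"constructed-key-A", PAN_B: b"constructed-key-B"})
    token = pan_token(b"constructed-key-A", PAN_A, atc=7)
    print(token, host.resolve(token, 7), host.resolve(token, 7))
```

With a 16-digit PAN only six digits carry the MAC, so two cards sharing BIN and last 4 can collide; `resolve` treats that as a failure rather than guessing. The preserved last digit is the original Luhn check digit, so a token built this way will usually not pass a Luhn check.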