The card brands have something up their sleeve with the EMVco network tokenization standards. According to the April 2015 PCI Security Standards Council document "Tokenization Product Security Guidelines", EMVco has set its own proprietary specification for network (payment) tokenization. These proprietary standards obviously benefit the card brands and are intended to create additional barriers to entry for smaller banks and credit unions. With only a few of the large banks participating today, future participants must meet the global card brands' guidelines. Don't get me wrong, tokenization is the best way to remove toxic data from the risk points in payment acceptance, but the tokenization standards have to benefit everyone.
EMVco Using Dated Technology
The often-lauded EMV chip card, whose specifications are maintained by EMVco, is now at the center of a new skimming scheme called "shimming". Krebs on Security broke the news after the device was found at an ATM in Mexico. "The device acts as a shim that sits between the chip on the card and the chip reader in the ATM — recording the data on the chip as it is read by the ATM." US banks face the October 2015 EMV liability shift, which in practice means upgrading every ATM to accept chip cards. Banks are terrified that after they upgrade each individual ATM, to the tune of $3000, they will still be in harm's way. On top of that, they get to pay the card brands more fees for tokenization. See the cycle starting?
Proprietary Tokenization Benefits Card Brands Only
The big four card brands all have network tokenization solutions, but they are riddled with issues. For a debit program to remain Durbin compliant, a card issuer must offer at least two unaffiliated networks for authorization, and guess who owns the networks? Tokenization adds another step to the authorization process, and you still need fraud prevention and authentication on top of it. See the dangerous cycle they are creating? Furthermore, once you tokenize with a card brand, your data belongs to them, and they are unlikely to return it should you decide to go with another, less expensive and more open, tokenization solution. Banks need to look at cloud-based tokenization so they can safely secure customer data while simultaneously lowering the scope and costs of PCI compliance.
An Exclusive Club is Not the Answer
While tokenization needs standards from a recognized body like the PCI Security Standards Council, a body owned by the card brands themselves, like EMVco, should not be setting the network token standards. True tokenization significantly reduces PCI scope and compliance costs. EMVco is creating proprietary standards on who can be a TSP (token service provider) because the card brands want to be the only tokenization option for financial institutions. This will further handcuff financial institutions to the never-ending litany of global card brand fees. The tokenization standards need an unbiased approach that fights fraud universally for all types of organizations. In the end, when EMV fails to protect against fraud and cardholder data is stolen, banks will be the liable parties.