Page 18 - GS190201
P. 18
Views
While the mandate was accompanied by promises that
Insider’sreport lower interchange would result in lower prices paid
by consumers, that never really happened. In fact, a
study published in 2012 by the Federal Reserve Bank of
on payments Richmond revealed that debit interchange actually rose
on small-ticket items in the years immediately after debit
interchange was capped. "In response, many small-ticket
merchants have tried to offset their higher rates by raising
prices, encouraging customers to pay with alternative
payment means, or dropping card payments altogether," a
Richmond Fed economist wrote.
Fortunately, card data security is not an "us versus them"
Looking back on 2018 proposition. (Except, perhaps, that it helps the good guys
fend off fraudsters.)
and forward to 2019 Tokenization, the basics
Like the shift to chip cards, tokenization aims to prevent
By Patti Murphy fraudsters from accessing card account information and
creating bogus replacements. However, whereas chip
ProScribes Inc. cards protect data on cards used at brick-and-mortar stores,
tokenization is intended primarily to protect card data in
ecurity needs to be priority one in payments. The digital commerce environments. With tokenization, online
challenge is getting all stakeholders in the matter purchases can maintain card information on file without
on board with that imperative. I was reminded risking that information getting compromised in breaches.
S of this last month during a panel discussion at
the Northeast Acquirers Association annual conference. In a nutshell, tokenization protects a customer's card
The panel, which included representatives of Mastercard, account number by replacing it with an algorithmically
Visa, me and another industry reporter, was discussing generated number, or token. The tokens then are used to
the benefits of tokenization. And one panelist described process payments, and the corresponding account numbers
how difficult it is to explain tokenization to friends and are held in secure token vaults, which can be accessed by
acquaintances. Most otherwise intelligent people just don't merchants and their acquiring partners on an as-needed
get it, he related. basis. They also help to prevent service disruptions since
card information is automatically updated when new/
It got me to thinking: how should the industry position replacement cards are issued. This is a big deal considering
tokenization (or any card security protocol for that matter) half of all online shippers save credit card information
so that everybody gets it – merchants and consumers, alike? on multiple ecommerce sites, according to Mastercard.
It may be time to dumb down our terminology on security Securing card data with tokenization diminishes the
to more clearly convey its essence. Perhaps we, as an hassles of merchant compliance with the Payment Card
industry, can come up with a new moniker for tokenization. Industry (PCI) security standards, since merchants are not
A phrase I've been toying with is "data masking." But I'm storing customer card information, and card information
open to other ideas. passing through their POS devices, because it is masked, is
of no value to fraudsters.
My concern is that if we don't begin to educate merchants
and consumers about tokenization, someone else will do The idea of "masking" card account information is
it for us, and that almost never ends well. For example, not new. Banks have been doing it for years. The most
twenty years ago few people outside the card business obvious example is encryption, which scrambles sensitive
understood the concept of interchange. Then someone in information for unscrambling by processors or other
the merchant community came up with the phrase "swipe authorized parties in possession of special cryptographic
fee," and retailing groups embarked on a massive lobbying keys. To work optimally, tokenization needs to be paired
campaign to convince consumers and lawmakers that with point-to-point encryption (P2PE), the first time a
something needed to be done about swipe fees. customer's card is swiped, tapped or keyed in.
What followed was a long-running debate over the cost "P2PE and tokenization are the one-two punch of data
of card acceptance and a partial legislative remedy in the devaluation," said Ruston Miles, co-founder and chief
form of the Durbin Amendment to the Dodd-Frank Act. strategy officer at Bluefin. "Thousands of merchants have
I'm referring, of course, to mandated caps on debit card used this very combination to reduce their PCI compliance
interchange. security requirements by up to 90 percent, going from 300
required security controls down to 30."
18
