The Future of Payments

Tokens and the Travel Rule

BANKING PERSPECTIVES QUARTER 4 2018

One of the greatest challenges we face today in our high-tech, interconnected world is protecting sensitive data from sophisticated cybercriminals and nation-states. Of course, the best way to protect this information is never to share it or, at least, limit with whom we share it and require them to destroy the information immediately after use. Unfortunately, this isn’t life in the 21st century. Just the opposite. We are faced every day with trade-offs between convenience and privacy. And for payments, this means that we are often sharing – and allowing the storage of – our card and bank account numbers, numbers that when compromised can allow thieves to steal our money, destroy our credit, and wreak havoc on our lives.

The widespread storage of our account numbers means that there are many more places that can be breached by criminals and nation-states. The compromise of millions of credit and debit card numbers stored at large retailers in recent years (think T.J. Maxx, Target, and Home Depot) and the ever-evolving and increasingly sophisticated nature of cybersecurity threats have forced payment system stakeholders to enhance the security of their systems.

The fortification of payment systems has taken many forms. In the world of card payments, these new defenses include chips embedded in our credit and debit cards that guard against use of fake cards at physical points of sale; convenient online controls offered by many banks that enable us to turn our cards “on” and “off” with a tap on our phone or a mouse click; and services that enable us to make mobile and online payments without having to disclose our card or bank account numbers. This last category of defense ensures that card numbers are not shared and stored unnecessarily.
This is accomplished through the use of special, limited-purpose numbers, known as tokens, which can be used in lieu of our actual card numbers in our mobile and online payments. In other words, banks, card networks, and other service providers protect sensitive data by replacing it with non-sensitive data in transaction processing. To date, tokens are most widely employed in the card space, though payment system stakeholders would like to extend the use of tokens to other payment types such as Automated Clearing House¹ (ACH) and funds transfer systems. Whether tokens can be widely deployed for other types of payments may well depend on resolving a conflict between current needs to protect payment systems in a cybersecurity-vulnerable world and a mid-1990s view of payment transparency contained in the Bank Secrecy Act.

MORE ABOUT TOKENIZATION

The conversion of sensitive data to non-sensitive data is known as tokenization. It can be achieved in many ways, and its value as a security enhancement ultimately will depend on the exact implementation. In the United States, tokenization primarily has been used in connection with card payments. However, even for card payments, the processes used to tokenize card numbers (and related standards) vary in response to differences in card transaction processing (e.g., point-of-sale, e-commerce).

At a general level, tokenization in the card space relies on technology that results in the substitution of a unique number generated for a particular transaction in place of the payer’s card number. Because the technology generating the number does not rely on an algorithm, reverting to the original number is nearly impossible. The randomly generated number (the token) has no value on its own. Only the issuer of the token can associate the token with the original card number. Of course, the “token vault” that associates the token with real card numbers must be protected in accordance with very high security standards.
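The vault model described above can be sketched in a few lines of Python. This is an added illustration, not code from the article or from any card network; the `TokenVault` class, the in-memory dictionary, the 12-19 digit length check, and the single-use rule are assumptions made for the example.

```python
import secrets


class TokenVault:
    """Issuer-side vault: the only place a token maps back to a card number.

    Illustrative only. A production vault is a hardened, access-controlled
    store, not an in-memory dictionary.
    """

    def __init__(self):
        self._by_token = {}  # token -> (card_number, transaction_id)

    def tokenize(self, card_number: str, transaction_id: str) -> str:
        """Issue a random numeric token bound to one transaction."""
        if not (card_number.isascii() and card_number.isdigit()
                and 12 <= len(card_number) <= 19):
            raise ValueError("card number must be 12-19 ASCII digits")
        while True:
            # Drawn from the OS CSPRNG. No part of the card number is an
            # input, so there is no function an attacker could invert.
            token = "".join(secrets.choice("0123456789") for _ in card_number)
            if token != card_number and token not in self._by_token:
                break
        self._by_token[token] = (card_number, transaction_id)
        return token

    def detokenize(self, token: str, transaction_id: str) -> str:
        """Resolve a token once, only for the transaction it was issued for."""
        entry = self._by_token.get(token)
        if entry is None or entry[1] != transaction_id:
            raise KeyError("unknown token or wrong transaction")
        del self._by_token[token]  # assumption: tokens are single-use
        return entry[0]


def demo():
    """Tokenize one constructed card number for two transactions."""
    vault = TokenVault()
    card = "4111111111111111"  # constructed test value, not a real account
    t1 = vault.tokenize(card, "txn-001")
    t2 = vault.tokenize(card, "txn-002")
    return vault, card, t1, t2


if __name__ == "__main__":
    vault, card, t1, t2 = demo()
    print("tokens:", t1, t2)
    print("resolved:", vault.detokenize(t1, "txn-001") == card)
```

A merchant database that stores only `t1` or `t2` holds nothing a thief can reuse: the token cannot be computed back to the card number, and replaying it against another transaction fails at the vault.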
The use of tokens increases the level of security for card numbers in several important ways. First, and perhaps of most importance, it significantly reduces the number of databases that store the sensitive card information and