Is there a case for the regulation of tokenization services - An SPA Paper - May 2016
The initiation of a card payment first requires the transmission of the card’s Payment Account Number (PAN) to the payment acceptor; this PAN is then automatically retrieved from the card in a physical terminal or manually entered by the cardholder in the website of an online merchant. However, the increasing use of cards has boosted the proliferation of PAN databases which, if compromised, will result in increased fraud. Indeed, the European Central Bank’s recent fourth report on card fraud (2015) confirms that (1) the level of fraud for Card Not Present (CNP) has grown steadily; and (2) that this level is above the total increase in the number of CNP transactions. To mitigate this fraud risk, EMVCo recommends the use of a payment token for vulnerable payment contexts: typically, online payments or mobile payment using Host Card Emulation (HCE). A payment token is a card PAN surrogate; it replaces the card payment PAN and enables the transaction to be processed according to card payment system rules.
Tokenization, the process for the issuance and management of payment tokens in card transactions, creates a new role in the processing chain: The Token Service Provider (TSP). Upon request, the TSP creates a Token associated to a PAN and records the freshly created peer (PAN Token) and metadata in a secure database called “the Vault”; the Vault is the only location where de-tokenization of the transaction may take place in order to generate the authorization request. The TSP either directly operates or outsources management of the Vault.
The Eurosystem has called for the development of a framework for the interoperable processing of card payments. The technical interoperability of card processors and card schemes using European standards is a central objective for SEPA. As tokenization will become part of the payment process, integration of tokenization-related infrastructures must be respectful of (1) this generic interoperability principle and, (2) the separation of the processor and scheme activities according to Article 7 of the Interchange Fee Regulation (2015).
The migration towards tokenized card transactions does, however, raise a number of interesting issues for financial regulators in relation to the provision of tokenization services; issues that this paper discusses. This topic is not new, during the Money 2020 conference held in Las Vegas in 2014, the regulation of tokenization in US was extensively debated – but discussions were inconclusive.
For the purposes of this paper, the term "regulation" is being considered in the context of recommendations that might promote the existence of an efficient and sustainable market for token-related services, with adequate incentives for innovation and investment. These recommendations might eventually be incorporated into a new regulatory technical standard, or implemented as an extension to those already drafted by the European Banking Authority (EBA). With this respect the SPA outlines that the EBA Consultation paper for a Draft Regulatory Technical Standard on the separation of payment card schemes and processing entities which exclusively addresses accounting, organization and decision-making processes, not technical content.