Visa’s Retail Token Advice Of Token Value

Written by Evan Schuman
October 8th, 2009

Visa on Monday (Oct. 5) issued a document to ostensibly help retailers figure out how best to navigate the new encryption and tokenization landscape. But as a practical matter, the document did little beyond rehash conventional wisdom and long-standing Visa and PCI best practices. It felt more like a quintessential psychologist’s advice session: “Dr. Visa, what should we do about tokenization?” “That’s an excellent question, Mr. CIO. What do you think you should do?”

The document danced around the key issues about which retailers would truly love strong guidance from Visa, ranging from whether tokens could ever conceivably be considered out of PCI scope to whether retailers are actually encouraged to retain such tokens on their own servers.

The only explicit advice that Visa’s document gave spoke to issues that have, for all practical purposes, already been decided. For example, the document touched on the encryption technique that many vendors are inaccurately calling end-to-end encryption. Visa has chosen to call that approach—where the card data is encrypted or turned into a token a split second after the card is swiped—Data Field Encryption. (It’s not the catchiest term, but let’s give points to Visa for refusing to use the inaccurate end-to-end name. At least Data Field Encryption is descriptive and accurate.)

It took the position that Data Field Encryption is viable and worthy of evaluation. That would have been helpful a year or two ago, but it’s such a foregone conclusion today as to be of little strategic help.

“While no single technology will completely solve for fraud, Data Field Encryption can be an effective security layer to render cardholder data useless to criminals in the event of a merchant data breach,” said Eduardo Perez, global head of data security at Visa Inc. “Using encryption as one component of a comprehensive data security program can enhance a merchant’s security by eliminating any clear text data either in storage or in flight.” A true statement, but it’s hardly one that will prove especially enlightening for retail chain IT execs. Their questions are mostly “which approach” and “how should it be deployed.” Alas, advice there was not offered.

One of Visa’s leaders on the encryption and tokenization debate is Jennifer Fischer, a Visa senior business leader. Fischer said scope issues eventually would be worked out. But she cautioned against retailers putting too much faith into, well, anything. “We don’t want encryption to be viewed as a silver bullet. Both encryption and tokenization may enable a merchant to reduce their scope.” A journalism professor once drilled into my head to never use a phrase containing the verb “may” if it could just as accurately be changed to “may not.”

(Related story: PCI Columnist David Taylor offers his own take on the Visa report. Is it a tacit endorsement?)

In another nod to the psychologist analogy, the Visa document tried to sound sympathetic to the plight of retailers while avoiding offering any concrete guidance. “The implementation of any Data Field Encryption must be done in a strong and secure way to prevent the compromise of card data.” (As Harvard Law Professor Arthur Miller once quipped when presented with a similar truism: “Do you actually get paid for giving answers like that?”) The sympathy came in the next line: “With industry standards still in the development phase, that goal can be particularly challenging.”

One of the key issues behind tokenization is the optimistic claim that tokens—properly maintained—might be considered out of PCI scope. Although the Visa document didn’t explicitly say whether tokens could ever be out of scope, it hinted that this possibility is unlikely. “No single technology can completely solve for fraud. Accordingly, Visa views Data Field Encryption as a complement to, rather than a substitute for, PCI DSS compliance requirements.”

It’s hard to see how tokens—as currently envisioned—could ever be considered out of scope given the fact that they start out as card numbers and can—at whim—be converted back into card numbers. Most tokens can’t be unencrypted or reverse-engineered per se, but lists are maintained to permit the token to be re-associated with the original card data. So if it starts out as having all of the data and can again have all of the data at the whim of the retailer, it seems difficult to envision how tokens could be beyond Visa’s or PCI’s jurisdiction.

George Peabody, the director of the emerging technology advisory service at Mercator Advisory Group, pointed out another concern associated with tokenization. Although much of the debate today is focused on whether tokens should be maintained by the retailers directly or sent away where a third-party vendor can handle the protection, the token approach can handle a lot more data than simply payment codes. For convenience, such tokens could also store and protect “all of the metadata surrounding the payment,” including SKUs, time of purchase, shopping history, what coupons or discounts were used and many other CRM details, Peabody said.

“Enterprise security people need to be thinking about what’s adequate when they’re judging tokenization vendors. They better be looking at what is convenient and what isn’t,” Peabody said. Presumably, a retailer that is using a vendor to store and protect the tokens outside of the retailer’s network would want to keep nothing in the token beyond the critical payment details, making sure that SKU and other information is not there. But if the chain is handling such tokens internally, it could be very efficient to use the token techniques to consolidate lots of helpful details.

But here’s the danger with such a scenario. If a retailer chooses initially to store the tokens itself and then, perhaps a year or two down the road, opts to outsource, will the team remember to go back and strip away all of the non-payment data? Will anyone bother? It’s a huge risk, because the tokenization vendors are also likely working for some of that chain’s largest rivals and those retailers also have the ability to access that data. Is that not a huge temptation? How much would an unscrupulous Rite Aid manager pay for access to that kind of CRM data about Walgreen’s customers? It only takes one debt-ridden employee of that token vendor to enable such a nightmare scenario.


2 Comments | Read Visa’s Retail Token Advice Of Token Value

  1. Steven Kendus Says:

    The best practices for data field encryption announced by Visa work toward developing a standard approach while offering guidance to payment solution providers. As Schuman points out, the document rehashed conventional wisdom and long-standing Visa and PCI best practices. However, there is definite value in the fact that Visa is actually weighing in and looking to provide some guidance. The five key implementation objectives outlined in the document provide some validation to tokenization approaches that are currently in production. Likewise, their stance that no single technology can completely solve for fraud has merit. Existing solutions that use both end-to-end encryption to encrypt card data from the point of sale, and tokenization on the back end of the transaction support their stance.

  2. Michael Cherry Says:

    Does VISA realize that lawsuits are coming and psychologists don’t get sued? I believe both of the following almost contradictory statements:
    1. Customer submitted credit cards are radioactive and they need to be immediately encrypted as they are swiped.
    2. Data centers that store data-at-rest can be designed to automatically identify and block breach attempts. Database encryption and the associated key management headaches are unnecessary.

    Michael Cherry, Cherry Biometrics Inc.
    Vice Chair, Digital Technology Committee
    National Association of Criminal Defense Lawyers


StorefrontBacktalk delivers the latest retail technology news & analysis. Join more than 60,000 retail IT leaders who subscribe to our free weekly email. Sign up today!

Most Recent Comments

Why Did Gonzales Hackers Like European Cards So Much Better?

I am still unclear about the core point here-- why higher value of European cards. Supply and demand, yes, makes sense. But the fact that the cards were chip and pin (EMV) should make them less valuable because that demonstrably reduces the ability to use them fraudulently. Did the author mean that the chip and pin cards could be used in a country where EMV is not implemented--the US--and this mis-match make it easier to us them since the issuing banks may not have as robust anti-fraud controls as non-EMV banks because they assumed EMV would do the fraud prevention for them Read more...
Two possible reasons that I can think of and have seen in the past - 1) Cards issued by European banks when used online cross border don't usually support AVS checks. So, when a European card is used with a billing address that's in the US, an ecom merchant wouldn't necessarily know that the shipping zip code doesn't match the billing code. 2) Also, in offline chip countries the card determines whether or not a transaction is approved, not the issuer. In my experience, European issuers haven't developed the same checks on authorization requests as US issuers. So, these cards might be more valuable because they are more likely to get approved. Read more...
A smart card slot in terminals doesn't mean there is a reader or that the reader is activated. Then, activated reader or not, the U.S. processors don't have apps certified or ready to load into those terminals to accept and process smart card transactions just yet. Don't get your card(t) before the terminal (horse). Read more...
The marketplace does speak. More fraud capacity translates to higher value for the stolen data. Because nearly 100% of all US transactions are authorized online in real time, we have less fraud regardless of whether the card is Magstripe only or chip and PIn. Hence, $10 prices for US cards vs $25 for the European counterparts. Read more...
@David True. The European cards have both an EMV chip AND a mag stripe. Europeans may generally use the chip for their transactions, but the insecure stripe remains vulnerable to skimming, whether it be from a false front on an ATM or a dishonest waiter with a handheld skimmer. If their stripe is skimmed, the track data can still be cloned and used fraudulently in the United States. If European banks only detect fraud from 9-5 GMT, that might explain why American criminals prefer them over American bank issued cards, who have fraud detection in place 24x7. Read more...

Our apologies. Due to legal and security copyright issues, we can't facilitate the printing of Premium Content. If you absolutely need a hard copy, please contact customer service.