It was starting to get a little too quiet in payments.
We had gone a whole three business days since the last big news was dropped. But, yesterday, that news dearth came to an end with the announcement that Visa, MasterCard and American Express “are teaming” up to introduce a new global standard to make consumers feel more comfy shopping online. And, this proposed standard begins with a T and ends with okenization … yep. Tokenization.
According to the statement made by Jim McCarthy, head of innovation at Visa, having such a framework will ensure a common standard that makes consistent how transactions are authenticated. Merchants won’t have to mess with or worry about keeping payments data secure and consumers won’t have to worry about their information getting hacked. This global tokenization framework would work just like tokens work today: issuers, merchants and digital wallet providers request a token when an account holder initiates a mobile transaction, that token takes the place of a traditional card account number, and is used to process, authorize, clear and settle the transaction. All this with one little variation: tokens can be restricted in how they are used with certain merchants and devices. (Can’t wait to hear how that gets clarified).
This news is still very fresh and the ecosystem is still absorbing it, me included. But, here are a few initial reactions.
1. Hooray! Hey, I don’t claim to be a security expert, but tokenization is something that the cloud-based world has been talking about and doing for a while now. It’s nice to see the networks acknowledging that it’s a superior way of addressing the online fraud problem. And, talking about it at the same time that they are so strongly in support of EMV standards is, well, let’s just say it’s interesting.
2. Hooray, part two! My two cents is that this finally puts the stake in the heart of NFC by those who started the whole thing in the first place. It’s a little cathartic, even. Yes, Virginia, it’s about the cloud and having the networks get behind a global standard that isn’t NFC is, well, nothing short of amazing. Woot woot! Cloud rules!
3. Hooray, part three! This announcement also means that the networks are not only acknowledging that the cloud is where it’s at, but also that tying a security standard to hardware is just way, way old school. Wowza. One small step for the networks, one giant step for the payments ecosystem of the future and innovators, who are all about powering any connected device talking to the cloud and keeping those ‘conversations’ secure.
Now for some of the open questions (AKA agenda items for the inevitable meetings you will be having on this topic):
1. If such a framework is designed to become a global standard and reduce fraud through superior authentication, does this imply that such transactions will become card present transactions? Sure seems to suggest that they should. And, if you’re an issuer, how do you feel about that besides not so thrilled? We know how merchants and innovators will feel – hooray, part four. But the networks might have a hard time rationalizing why card not present rules should still apply in their new secure, tokenized world.
2. And, speaking of issuers, what does this do to the whole Secure Cloud initiative? The Secure Cloud folks have said that they are pleased that the networks have acknowledged that tokenization is superior, but if networks are creating a standard using tokens, why would there be a need for another one? Or has the gauntlet been thrown and are we setting up a swell Battle of the Standards?
3. What, exactly, does it mean for the networks to introduce a standard and who will operate this standard? Is there an MVAT-Co in our future? How does this get implemented in the ecosystem? What are the key dependencies that need to be overcome? And, why was Discover not included in this announcement?
4. What are the implications for innovators and emerging players, like say Braintree, who has been doing tokenization for the last 6 years and over that time, has taken it to another level? Yes, that Braintree, the company that announced that it was going to be acquired by eBay/PayPal three business days ago. Anyone besides me mildly intrigued about the timing of this announcement by the networks?
5. And, how will the merchants respond? They threw up on NFC and many are throwing up on EMV because of the need to acquire hardware to comply with the standard, but also the lock-in to the networks and their rules that was being “forced” by those standards. The cloud doesn’t require hardware but still presents the “lock in” concern that merchants have said bothers them. Maybe that could be blunted with card-present rates, just sayin’.
6. And for the elephant in the room … could this be step one in a Plan B for the EMV requirement in the U.S.? Could it be that this proposed global framework is in response to the growing drumbeat of criticism that EMV was solving the wrong problem for the ecosystem? And, could it be that this announcement means that the networks will give issuers and merchants a choice – EMV or the cloud – in complying with the upcoming liability shift – giving everyone a nice, clean, plausible way out of EMV compliance?
All I can say is that I hope we don’t have to wait three more days before the next big news in payments hits.