Warning:
This wiki has been archived and is now read-only.

Main Page/ProposalsQ42015/Tokenization TF

From Web Commerce Interest Group

STATUS: Withdrawn by the proponent for now in favor of the credentials work.

Tokenization Task Force

Goals

Create an open standard for tokenization.

Problem Statement

Tokens act as surrogates for sensitive data. They help companies attain or maintain PCI compliance by limiting potential exposure of sensitive data. Many web apps/services could use tokens for their business activities if there were an open standard. Existing tokenization systems such as EMV have shown value but are proprietary.

In addition, here are some specific limitations of EMV that could be addressed in an open standard:

  • It does not support dynamic tokens. Rather, its tokens are static, based on scans, photos, etc., sent to the back-end token provider.
  • A token is specific to a merchant, valid for a finite period, and can only be detokenized by a single party; there are use cases that require greater flexibility.
  • It is card-based and so limited to the current 13-19 digit primary account number structure.
  • It does not support a PIN offset, so there is no link between the original card number and the PIN, and a PIN can't be used.

Other notes on desirable characteristics of an open tokenization system:

  • Tokens can maintain the length and format of the original data so that applications don't require modification.

Deliverables

  • Description of a tokenization system, token service provider,
  • Security requirements for a web service exposing a tokenization service to the public Internet
  • List of ... that is outside the scope of a standard (such as authentication of end card user)
  • List of terms and definitions

Success criteria

  • Successful creation of a Task Force

Task Force Operation

If formed, the WPIG Tokenization Task Force will:

  • Have weekly calls
  • Work on completing the deliverables outlined above
  • Produce presentable material for the February F2F

Dependencies

Milestones / Timelines

  • Perform background research listed in deliverables