Warning:
This wiki has been archived and is now read-only.
Main Page/ProposalsQ42015/Tokenization TF
From Web Commerce Interest Group
STATUS: Withdrawn by the proponent for now in favor of the credentials work.
Tokenization Task Force
Goals
Create an open standard for tokenization.
Problem Statement
Tokens act as surrogates for sensitive data. They help companies attain or maintain PCI DSS compliance by keeping the real data out of most systems and so limiting its potential exposure. Many web apps/services could use tokens for their business activities if there were an open standard. Existing tokenization systems, such as the EMVCo payment tokenisation specification (referred to below as EMV), have shown value but are proprietary.
In addition, here are some specific limitations of EMV that could be addressed in an open standard:
- It does not support dynamic tokens. Its tokens are static, issued by the back-end token provider on the basis of scans, photos, etc. sent to it.
- A token is bound to a single merchant, for a finite period, and can be detokenized only by a single party; there are use cases that require greater flexibility.
- It is card-based and is therefore limited to the current 13-19 digit primary account number (PAN) structure.
- It does not support a PIN offset, so there is no link between the original card number and its PIN, and a PIN cannot be used with the token.
Other notes on desirable characteristics of an open tokenization system:
- Tokens should preserve the length and format of the original data so that existing applications do not require modification (a token for a PAN should still look like a PAN to a checkout form and its validation code).
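The following is an added illustration of the format-preserving, vault-based tokenization described above; it is not code from the proposal or from any EMVCo specification. It assumes an in-memory vault (a real token service provider would use a hardened, access-controlled store) and makes one design choice the page does not dictate: tokens start with the digit 9, which is not an IIN prefix used by the major card brands, so a token can never be mistaken for a live PAN. The token keeps the PAN's length and last four digits and passes the Luhn check, so an unmodified checkout application accepts it.

```python
"""Format-preserving, vault-based tokenization of a card number (PAN).

Added example, not part of the W3C proposal. The vault here is an in-memory
dict; the point is the token format and the PAN/token separation, not storage.
"""
import secrets
from typing import Dict


def luhn_check_digit(partial: str) -> str:
    """Luhn check digit for `partial` (a number without its final digit)."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:  # every second digit from the right, starting next to the check digit
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    return number.isdigit() and len(number) > 1 and luhn_check_digit(number[:-1]) == number[-1]


def legacy_validate(card_number: str) -> bool:
    """What an unmodified checkout app typically checks: 13-19 digits that pass Luhn."""
    return 13 <= len(card_number) <= 19 and luhn_valid(card_number)


# Design choice for this example (assumption): a leading 9 is not used by the
# major card brands' IINs, so tokens and live PANs are distinguishable on sight.
TOKEN_LEADING_DIGIT = "9"


def _fix_luhn(prefix: str, suffix: str) -> str:
    """Return prefix + d + suffix for the single digit d that makes the result Luhn-valid.

    One digit at any position can take every residue mod 10 under Luhn weighting,
    so exactly one d in 0..9 works.
    """
    for d in "0123456789":
        candidate = prefix + d + suffix
        if luhn_valid(candidate):
            return candidate
    raise AssertionError("unreachable: one digit always satisfies Luhn")


class TokenVault:
    """Maps tokens to PANs. Only this component ever holds PANs; callers hold tokens."""

    def __init__(self) -> None:
        self._token_to_pan: Dict[str, str] = {}
        self._pan_to_token: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not legacy_validate(pan):
            raise ValueError("not a well-formed PAN")
        existing = self._pan_to_token.get(pan)
        if existing is not None:
            return existing  # one stable token per PAN
        while True:
            # layout: [9][random middle][Luhn fixer digit][last four of the PAN]
            middle = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 6))
            token = _fix_luhn(TOKEN_LEADING_DIGIT + middle, pan[-4:])
            if token != pan and token not in self._token_to_pan:
                break  # reject the (astronomically unlikely) collision and retry
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault can map back; in a deployment this call is access-controlled."""
        try:
            return self._token_to_pan[token]
        except KeyError:
            raise KeyError("unknown token") from None


if __name__ == "__main__":
    vault = TokenVault()
    pan = "4111111111111111"  # constructed test PAN, Luhn-valid
    tok = vault.tokenize(pan)
    print("token:", tok, "accepted by legacy validation:", legacy_validate(tok))
    print("detokenized:", vault.detokenize(tok) == pan)
```

Because the token is the same length, keeps the last four digits for receipts, and passes Luhn, the merchant's existing storage, validation and display code runs unchanged; only the vault (the token service provider) is in scope for handling the real PAN.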
Deliverables
- Description of a tokenization system and of a token service provider
- Security requirements for a web service exposing tokenization to the public internet
- List of ... that is outside the scope of a standard (such as authentication of the end card user)
- List of terms and definitions
Success criteria
- Successful creation of a Task Force
Task Force Operation
If formed, the WPIG Tokenization Task Force will:
- Have weekly calls
- Work on completing the deliverables outlined above
- Produce presentable material for the February F2F
Dependencies
- WebAppSec WG
- https://w3c.github.io/websec/hasec-charter
- Requires a standard IdP (Identity Provider) interface
Milestones / Timelines
- Perform background research listed in deliverables