Dear Networks,
First, thank you.
Your rules play a critical role in keeping the payments ecosystem running safely and smoothly. Merchants, banks, processors, facilitators, and sales organizations all rely on the guardrails you’ve built to ensure trust and consistency across your networks.
In those rules you make it clear that you, the network, owns the PAN – colloquially referred to as the credit card number.
Over the years, the industry has worked hard to protect that number from falling into the wrong hands. We’ve introduced encryption protocols, tokenization, and end-to-end security measures that make it difficult for bad actors to access card data. These are all good things.
We encrypt as close to the point of acceptance as possible, and decrypt as late in the process as possible. Minimizing risk for everyone. You’ve even taken meaningful steps of your own, like introducing network tokens and incentivizing their use.
But there’s one problem you could easily fix, and it would have an outsized positive impact.
While you rightfully own the PAN, some market participants who tokenize that PAN (as part of the security process) are claiming they own the resulting token. That’s absurd. A processor doesn’t suddenly own a piece of the cardholder’s identity because they wrapped it in encryption (see almost every intellectual property agreement governing derivative works).
Visa (or Mastercard, Discover, Amex) owns the PAN. Market participants that take the PAN, create a token, and then claim ownership – are hurting the network and most importantly merchants. The token is wielded as a weapon to lock merchants into out-of-market agreements.
There’s a real opportunity to set the record straight. A simple clarification that networks own both the PAN and its derivative tokens, and that those tokens must be portable, would go a long way toward promoting security best practices and stopping the underhanded tactics that stifle competition and innovation.
All the best,
Brandon
CEO, Forward
