The Federal Trade Commission (FTC) is ordering Mastercard to abandon anti-competitive practices related to eWallet tokenization.
According to the FTC, Mastercard violated the Durbin Amendment to the Dodd-Frank Act, which stated that issuers (Mastercard and VISA) are required to enable debit cards routing for at least two unaffiliated debit networks, which often process transactions at a lower cost to merchants. The underlying idea is to create competition in debit card networks.
Mastercard uses eWallet tokenization to avoid pro-competitive routing rules by replacing sensitive account information, such as a card number, with a unique digital identifier, known as a token. Mastercard alone can decrypt these tokens, and by refusing to convert Mastercard tokens for competitor routing networks, it’s essentially bypassing the legislation.
According to the National Law Review, a related scheme is used by Apple Pay and Google Pay in order to keep transactions within their routing networks. The article notes:
Debit card accounts added to eWallets are assigned a token in place of the card number. A look-up table is maintained by the networks in a “token vault.” The network completing the payment must know the token to transact with the issuing bank. Network exclusivity can be maintained even for cards enabled for two competing debit networks simply by refusing access to the token vault to the competing networks.
Elimination of these practices will decrease costs for merchants, by producing cost competition. But this should not knock tokenization as a security practice.
“Tokenization adds value to payments by creating a shield around transaction data and personal information,” says Brian Riley, Head of Credit at Mercator Advisory Group. “A concern in this area is whether the risk will increase by removing the tokenization scheme and whether the risk will outweigh the benefit.”