On June 30, Nacha, the organization governing the ACH network, released new rules on supplemental ACH data security. Some ACH originators and covered third parties must add protection for the account numbers used in ACH payments by rendering that information unreadable when it is stored electronically. The requirement phases in by volume: originators and third parties processing at least six million ACH transactions annually must comply first, and those processing at least two million annually must comply a year later. Institutions working in good faith toward compliance will have a one-year extension to give them time to implement solutions.
TokenEx is well-positioned to help companies adjust to these rules, founder and CEO Alex Pezold said. The company was founded in 2010, and Mr. Pezold quickly saw how tokenization could meet what he knew would be increasingly stringent data security rules in the years ahead.
Tokenization protects sensitive transaction data by replacing it with a randomly generated surrogate value, the token, that has no mathematical relationship to the original, so a token exposed in a breach is unreadable and cannot be reversed on its own. TokenEx uses the process to remove that sensitive data from a company’s systems and store it outside them, returning a nonsensitive token (for a card, a token shaped like a card number) as a placeholder. Data can then be sent to endpoints through a patented, processor-agnostic Transparent Gateway.
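The vault-style tokenization described above, shown as an added example that is not part of the original article and is not TokenEx’s code: a minimal Python vault replaces an ACH account number with a random token of the same length and last four digits, and an originator-side store keeps only the token, so that a breach of the originator’s records exposes nothing reversible. The class names, the in-memory dictionaries standing in for the vault’s protected data store, and the sample customer, routing and account numbers are all constructed for illustration.

```python
"""Vault-style tokenization of ACH account numbers.

Constructed example, not TokenEx's code: the real account number lives only
in the vault, and the originator's own records keep a random surrogate
(the token) of the same length and last four digits.
"""
import secrets
from dataclasses import dataclass

DIGITS = "0123456789"


class TokenVault:
    """The one component that holds real account numbers.

    An in-memory dict stands in for the vault's protected data store; in a
    real deployment this runs in a separate, tightly scoped environment.
    """

    def __init__(self) -> None:
        self._token_to_value: dict[str, str] = {}
        self._value_to_token: dict[str, str] = {}

    def tokenize(self, value: str, keep_last: int = 4) -> str:
        """Return a token for value, preserving its length and last
        keep_last digits so existing lookups and displays keep working."""
        if not value.isdigit() or len(value) <= keep_last:
            raise ValueError("expected a numeric identifier longer than keep_last")
        if value in self._value_to_token:  # one token per value
            return self._value_to_token[value]
        while True:
            # Digits come from a CSPRNG, so the token has no mathematical
            # relationship to the account number; without the vault's
            # mapping a stolen token cannot be reversed.
            head = "".join(secrets.choice(DIGITS) for _ in range(len(value) - keep_last))
            token = head + value[-keep_last:]
            if token != value and token not in self._token_to_value:
                break
        self._token_to_value[token] = value
        self._value_to_token[value] = token
        return token

    def detokenize(self, token: str) -> str:
        """Exchange a token for the original value. Only the component that
        actually needs the number (e.g. the gateway sending the ACH entry)
        should be allowed to call this."""
        try:
            return self._token_to_value[token]
        except KeyError:
            raise KeyError("unknown token") from None


@dataclass
class Payment:
    """What the originator's own database holds: a token, never the number."""
    customer: str
    routing: str          # routing numbers are public, so not tokenized here
    account_token: str


class OriginatorStore:
    """The originator's system of record, storing only tokens."""

    def __init__(self, vault: TokenVault) -> None:
        self._vault = vault
        self.records: list[Payment] = []

    def record_payment(self, customer: str, routing: str, account_number: str) -> Payment:
        payment = Payment(customer, routing, self._vault.tokenize(account_number))
        self.records.append(payment)
        return payment

    def holds_plaintext(self, account_number: str) -> bool:
        """What a breach of this store would reveal: True only if the raw
        account number is sitting in a record."""
        return any(p.account_token == account_number for p in self.records)

    def send_to_bank(self, payment: Payment) -> tuple[str, str]:
        """At transmission time the gateway detokenizes; the number exists in
        memory only for the duration of the send."""
        return (payment.routing, self._vault.detokenize(payment.account_token))


if __name__ == "__main__":
    vault = TokenVault()
    store = OriginatorStore(vault)
    # Constructed sample values, not real accounts.
    p = store.record_payment("Acme Corp", "021000021", "000123456789")
    print("stored token:", p.account_token)
    print("plaintext in store:", store.holds_plaintext("000123456789"))
    print("sent to bank:", store.send_to_bank(p))
```

Two design points worth noting. Because the tokens are random rather than derived from a key, the vault’s lookup table is the only path from token back to account number, so access control on detokenize is the entire security boundary; a tokenization scheme does not reduce a company’s scope if every application can call detokenize freely. Preserving the last four digits is a deliberate trade-off: it keeps customer-service lookups and statement displays working, but it also leaks four digits of the account number, which is why the example makes keep_last a parameter rather than a fixed behaviour.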
Until 2013, TokenEx worked only with PCI data, but that year it was approached by a large insurance carrier that wanted the same protection extended beyond payment card data to Social Security numbers and ACH data. That request helped TokenEx grow substantially over the past eight years, with solutions that can be deployed anywhere there is cloud capability.
It’s important to note that 11 years ago few were talking about tokenization of anything, so credit the TokenEx team with recognizing its potential and developing a company based on a novel technology.
“I became enthralled with the concept of how do you alleviate the scope, burden cost … all the things that go along with PCI that make it so painful,” Mr. Pezold said. “We knew we were early but should the card brands endorse this we will be in the right place at the right time to solve the PCI problem.”
TokenEx has been working with Nacha for several years to develop more secure solutions, because even though ACH is a closed-loop network there are still attack vectors and breach opportunities. It has been an ongoing discussion as Nacha has studied PCI and considered how its controls can be applied to ACH data.
“The amount of fraud that happens through the financial system is still incredibly large,” Mr. Pezold said. “What I am very surprised by is it took us this long to start taking it and look at data protection mechanisms to protect ACH data particularly.
“We want to make the relationship closer; we want to get more involved with some of the decisions being made for those getting into alternative forms of payment like account-to-account and protecting that data where proper controls exist to help them increase their goal of more account to account activity.”
TokenEx envisions itself as a data protection partner that works with the industry to describe different protection methods and how to implement them. That involves improving existing processes as well as looking ahead to how cryptocurrencies can be protected.
As new technological waves hit the industry, there is a rush to market. Shortly thereafter attack vectors are identified and companies look more seriously at security. Mr. Pezold said many companies have great ideas on how to enable account-to-account payments that get us away from credit cards while empowering the Nacha system, but they must remember a few key steps.
“If you’re not using secure code standards to develop the product and you’re not using protocols for communication of sensitive data… those are elements you need to be considering.”
If you have a P2P payment app on your phone, how is the financial account information being protected within the app? How are you as a company performing due diligence on that app and the communication it facilitates between users?
“We talk about how they can facilitate the secure exchange of cash but also help from best practices,” Mr. Pezold said. “Are you performing source code reviews? Are you performing penetration testing? What rigor and due diligence technology are you going through prior to its release?
“That possible opportunity for you is to explode your growth but the worst thing that can happen is you have 10 million users but you didn’t develop your app securely and the next thing you know is all 10 million users are breached and you’re out of business.”
And as novel payments technologies keep coming, the discussions around security will continue to evolve. TokenEx is consulting with automobile manufacturers about in-car app purchases, such as paying for gasoline before you reach the station. That opens a discussion about the Internet of Things, which may be unsettling depending on which part of the payments industry you work in.
“IoT… it’s scary to say… People still don’t put security at top, at the end of the day they’re trying to make money,” Mr. Pezold said. “They need a platform that enables developers and creators to get to market with a secure product and that is what tokenization does.”