Payment security standards like Europay, MasterCard and Visa (EMV), Host Card Emulation (HCE), and Point-to-Point Encryption (P2PE) have been given much attention this year. With Apple Pay, we now have a new hype payment security solution called tokenization.
Tokenization replaces the payment account number (PAN) and expiration date with numeric codes of the same length, called tokens. Tokenization, in my eyes, solves some of the security problems of the back-end process. For example, it addresses the problem of exchanging information from one’s phone to a point-of-sale terminal (PoS), as well as the subsequent transferral of this information to card processing systems. The timing for Apple to deploy this technology could not be more perfect, as stories of card breaches due to hacked PoS systems abound.
Free eBook: Modern Retail Security Risk – Get your copy now.
Apple’s recent announcement is also coming out right at the time when EMV is starting to roll out, triggering a major shift in breach liability for 2015. We saw some headlines where tokenization was seen as an alternative to EMV. Tokenization and EMV are different but have complementary capabilities. Tokenization addresses the potential for fraud in the card-not-present scenario within the online/mobile payment channel, but it does not address the physical card risks at the POS terminal. EMV originally required the card to be used at the point-of-sale. Basically, tokenization allows a simpler and more secure way for EMV to use mobile devices, and EMV enables the secure use of token-carrying devices.
There is no single solution that is a magic bullet in the fight against cybercrime. Solutions like EMV, tokenization, and P2PE need to work together to fully protect merchants. Fortunately, their collaboration has great promise for the security of payment data: tokenization addresses the storage of card data, EMV addresses the authentication of the card using a chip, and P2PE addresses the transmission of card data.
While each of these solutions effectively addresses the payment ecosystem, we have yet to see the emergence of new solutions that address the credit card registration process, which still has a lot of issues. More specifically, Apple has not disclosed how they read credit card pictures to add that particular card to users’ iPhones. Also, the PAN is still transmitted from the phone to the payment network to get the tokenized PAN. Time will tell if this becomes a new fraud landscape; however, as an industry, we are making progress in creating an ecosystem that better addresses the opportunity for fraud.
By Damien Hugoo, Product Manager, Easy Solutions
Bio: Damien Hugoo is a seasoned technology professional with 10 years of experience in creating, building and deploying digital software products for the financial services industry. Today, Damien serves as product manager at Easy Solutions, where he plays a key role in the creation of the most innovative and comprehensive fraud prevention and detection solutions available on the market.
Prior to Easy Solutions, Damien held product management roles at FIS, the world’s top provider of banking technology, where he most recently lead all aspects of product management for 2 online banking products that served over 600 financial institutions in North America.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.