By Bob Graham, Senior Vice President – Banking and Financial Services, Virtusa
The rash of data breaches at major retailers over the past year has spurred the banking industry to take action against fraud. EMV (Europay, MasterCard, Visa), which had struggled to gain adoption in the U.S. for years, has suddenly become the touted saviour for all the fraud issues branches are experiencing. Tokenisation is now a new buzzword in the industry. However, confusion persists about what these advancements mean and, more specifically, whether they solve fraud and the retailer's data breach challenges.
First, a little background. Most reports suggest that retailer data breaches were caused by malware that allowed hackers to access cardholder data from retailer systems. The EMV standard, which uses a microchip to store encrypted card data combined with a PIN requirement, is aimed at reducing fraud at the point of sale by preventing the use of counterfeit mag-stripe cards. This technology has been used in Europe for nearly 20 years and has successfully reduced the use of counterfeit cards at point of sale (POS) terminals. The U.S., on the other hand, has resisted the deployment of EMV for years. This is because EMV does not satisfy PCI compliance; it is not clear who would fund the cost of the chip-based infrastructure; and the EMV standard does not solve the problem of online fraud, which is by far the bigger problem facing the industry.
Most industry experts agree that EMV failed to prevent the data breaches at Target, Neiman Marcus and others, because EMV still relies upon merchants receiving and processing the same account numbers that are used today. Contrary to popular belief, there was no skimming happening at POS terminals, so consumers were not in danger of having their card data stolen at the point of sale. The theft occurred in the retailer's systems, which stored account data. Additionally, even with EMV, online fraud is still possible once someone has stolen your 16-digit account number (known as the PAN), expiration date and three-digit security code.
This is where tokenisation comes in. Tokenisation is where random, digital representations of the PAN and security code are created and distributed by the card account issuer (i.e. your bank). Let's use Apple Pay as an example. Apple Pay is facilitated by your smartphone communicating a digital token via NFC to the merchant POS terminal. This token is routed from the merchant POS to the card account issuer, who is then able to decode the token, map it to the account holder and authorise the transaction.
Tokenisation's biggest benefit is that the account holder's credentials are never exposed during the transaction process. Because the retailer no longer has to store account credentials, a breach of the retailer's systems no longer yields usable card data, which removes that source of fraud.
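To make the flow described above concrete, here is an added toy model of issuer-side tokenisation. It is example code written for this page, not code from the author, Apple Pay, or any card network, and every name in it (IssuerTokenVault, Merchant, the merchant ids and the test PAN) is constructed. The issuer holds the only token-to-PAN mapping; the merchant stores nothing but tokens; and a token presented by a merchant other than the one it was issued to is declined. That last check goes slightly beyond the article: real payment-token schemes call it a domain restriction, and it is included here to show why a token stolen from one merchant's database is of little use elsewhere.

```python
import re
import secrets

# Constructed example: a minimal issuer token vault and a merchant that stores only tokens.
PAN_RE = re.compile(r"^\d{13,19}$")


class IssuerTokenVault:
    """The card issuer's side: the only place the token -> PAN mapping exists."""

    def __init__(self):
        self._token_to_pan = {}  # token -> (pan, merchant_id the token is bound to)

    def issue_token(self, pan, merchant_id):
        if not PAN_RE.match(pan):
            raise ValueError("PAN must be 13-19 digits")
        # 16 random digits so the token fits existing PAN-shaped fields.
        # It is random, not derived from the PAN, so it cannot be reversed
        # without access to this vault.
        while True:
            token = "".join(str(secrets.randbelow(10)) for _ in range(16))
            if token not in self._token_to_pan:
                break
        self._token_to_pan[token] = (pan, merchant_id)
        return token

    def authorise(self, token, merchant_id):
        """Map the token back to the PAN and check who is presenting it."""
        entry = self._token_to_pan.get(token)
        if entry is None:
            return ("declined", "unknown token")
        pan, bound_merchant = entry
        if bound_merchant != merchant_id:
            # Domain restriction (assumption, see lead-in): a token replayed
            # at a different merchant is rejected.
            return ("declined", "token not valid at this merchant")
        return ("approved", "PAN ending " + pan[-4:])


class Merchant:
    """The merchant keeps a sales ledger; this is what a breach would expose."""

    def __init__(self, merchant_id):
        self.merchant_id = merchant_id
        self.stored_records = []

    def record_sale(self, token, amount):
        # Only the token and the amount are retained; the PAN never reaches here.
        self.stored_records.append({"token": token, "amount": amount})


def merchant_db_contains_pan(merchant, pan):
    """Simulate an attacker searching a stolen merchant database for a PAN."""
    return any(pan in str(rec) for rec in merchant.stored_records)


def run_demo():
    vault = IssuerTokenVault()
    coffee_shop = Merchant("MERCHANT-A")   # constructed ids
    bookshop = Merchant("MERCHANT-B")
    pan = "4111111111111111"                # constructed test PAN, not a real account

    token = vault.issue_token(pan, coffee_shop.merchant_id)
    coffee_shop.record_sale(token, 4.50)

    return {
        "token": token,
        "approved_at_issuing_merchant": vault.authorise(token, coffee_shop.merchant_id)[0],
        "replayed_at_other_merchant": vault.authorise(token, bookshop.merchant_id)[0],
        "unknown_token": vault.authorise("0000000000000000", coffee_shop.merchant_id)[0],
        "pan_in_merchant_db": merchant_db_contains_pan(coffee_shop, pan),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The point to take from the demo is where the secret lives: the merchant's records hold a random 16-digit value that authorises nothing on its own, so the database that malware would copy from a retailer contains no PAN to sell. The issuer's vault is now the asset that needs the strongest protection.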
There are two major implications for banks. The first is that they need to get on the tokenisation bandwagon. As of January 2015, there were over 30 banks listed on Apple's site as having their credit cards available on Apple Pay, and reports from Visa/MasterCard indicate that there are over 500 banks waiting to onboard. Banks need to work with their processors, Visa/MasterCard and Apple/Google to get their tokenisation approach certified and deployed. It is important to note that this is an effort and expense for banks that has no direct revenue correlation.
The second implication is more subtle but perhaps a bigger challenge for banks. Banks need to combine EMV and tokenisation to reduce the amount of sensitive cardholder data held by merchants, making them a less valuable target for hackers. According to a recent report released by the Identity Theft Resource Center (ITRC) and sponsored by IDT911™, the number of U.S. data breaches hit a record high of 783 in 2014. The report indicated that 42 data breaches were carried out against banks in 2014, of which the largest known one was at JP Morgan Chase.
While cardholder and account number data continue to be targets, new risks centre on account takeover and new account openings. Hackers use confidential information either to take over existing accounts and get new cards mailed to them, or to open new accounts and use them for online fraud. The UK saw a major rise in both of these forms of fraud when it adopted EMV alone. So, to conclude, banks need to implement both EMV and tokenisation in order to ensure that their processes for account opening and issuing new cards employ the highest level of security, and protect customers' data as robustly as possible.