

By Bob Graham, Senior Vice President – Banking and Financial Services, Virtusa

The rash of data breaches at major retailers over the past year has spurred the banking industry to take action against fraud. EMV (Europay, MasterCard, Visa), which had struggled to gain adoption in the U.S. for years, has suddenly become the touted saviour for all the fraud issues branches are experiencing. Tokenisation is now a new buzzword in the industry. However, confusion persists about what these advancements mean and, more specifically, whether they solve fraud and retailers’ data breach challenges.

First, a little background. Most reports suggest that retailer data breaches were caused by malware that allowed hackers to access cardholder data from retailer systems. The EMV standard, which uses a microchip to store encrypted card data combined with a PIN requirement, is aimed at reducing fraud at the point of sale by preventing the use of counterfeit mag-stripe cards. This technology has been used in Europe for nearly 20 years and has successfully reduced the use of counterfeit cards at point of sale (POS) terminals. The U.S., on the other hand, has resisted the deployment of EMV for years. This is because EMV does not satisfy PCI compliance, it is not clear who would fund the cost of the chip-based infrastructure, and the EMV standard does not solve the problem of online fraud, which is by far the bigger problem facing the industry.


Most industry experts agree that EMV failed in preventing data breaches at Target, Neiman Marcus and others, because EMV still relies upon merchants receiving and processing the same account numbers that are used today. Contrary to popular belief, there was no skimming happening at POS terminals, so consumers were not in danger of having their card data stolen at the point of sale. The theft occurred in the retailer’s systems, which stored account data. Additionally, even with EMV, online fraud is still possible once someone has stolen your 16-digit account number (known as the PAN), expiration date and three-digit security code.

This is where tokenisation comes in. Tokenisation is where random, digital representations of the PAN and security code are created and distributed by the card account issuer (i.e. your bank). Let’s use Apple Pay as an example. Apple Pay is facilitated by your smartphone communicating a digital token via NFC to the merchant POS terminal. This token is routed from the merchant POS to the card account issuer, who is then able to decode the token, map it to the account holder and authorise the transaction.

Tokenisation’s biggest benefit is that the account holder’s credentials are not exposed in the transaction process, which nullifies the possibility of data breaches and resultant fraud and means the retailer no longer has to store account credentials.
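The token flow described above, as an added sketch that is not part of the original article: the issuer creates a random token, the merchant passes it on and stores only the token, and the issuer maps it back to the account to authorise. The class names, the credit limit and the card number are constructed for illustration.

```python
import secrets

class Issuer:
    """The issuer (bank): the only party able to map a token back to a PAN."""
    def __init__(self, accounts):
        self._limit = dict(accounts)   # PAN -> available credit (constructed data)
        self._vault = {}               # token -> PAN, never leaves the issuer

    def provision_token(self, pan):
        if pan not in self._limit:
            raise KeyError("unknown account")
        while True:
            # Random digits: the token has no mathematical link to the PAN.
            token = "".join(secrets.choice("0123456789") for _ in range(16))
            if token not in self._vault and token not in self._limit:
                self._vault[token] = pan
                return token

    def authorise(self, token, amount):
        pan = self._vault.get(token)   # decode: look the token up in the vault
        if pan is None or amount > self._limit[pan]:
            return False
        self._limit[pan] -= amount
        return True

class Merchant:
    """Merchant POS and back office: sees and stores the token only."""
    def __init__(self, issuer):
        self.issuer = issuer
        self.records = []   # what a breach of the merchant's systems exposes

    def charge(self, token, amount):
        approved = self.issuer.authorise(token, amount)
        self.records.append({"credential": token, "amount": amount, "approved": approved})
        return approved

def demo():
    pan = "4111111111111111"   # constructed test number, not a real account
    issuer = Issuer({pan: 500})
    token = issuer.provision_token(pan)
    shop = Merchant(issuer)
    approved = shop.charge(token, 120)
    unknown = shop.charge("not-an-issued-token", 10)
    pan_in_merchant_data = any(pan in str(r) for r in shop.records)
    return approved, unknown, pan_in_merchant_data

if __name__ == "__main__":
    print(demo())
```

Everything an intruder could copy from the merchant is in `shop.records`, and it holds tokens that only the issuer's vault can resolve.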

There are two major implications for banks. The first is that they need to get on the tokenisation bandwagon. As of January 2015, there were over 30 banks listed on Apple’s site as having their credit cards available on Apple Pay, and reports from Visa/MasterCard indicate that there are over 500 banks waiting to on-board. Banks need to work with their processors, Visa/MasterCard and Apple/Google, to get their tokenisation approached, certified and deployed. It is important to note that this is an effort and expense for banks that does not have any direct revenue correlation.

The second implication is more subtle but perhaps a bigger challenge for banks. Banks need to combine EMV and tokenisation to reduce the amount of sensitive cardholder data held by merchants, making them a less valuable target for hackers. According to a recent report released by the Identity Theft Resource Center (ITRC) and sponsored by IDT911™, the number of U.S. data breaches hit a record high of 783 in 2014. The report indicated that 42 data breaches were carried out against banks in 2014, of which the largest known one was at JP Morgan Chase.

While cardholder and account number data continue to be targets, new risks centre on account takeover and new account openings. Hackers use confidential information either to take over existing accounts and get new cards mailed to them, or to open new accounts and use them for online fraud. The UK saw a major rise in both of these factors when it adopted only EMV. So, to conclude, banks need to implement both EMV and tokenisation in order to ensure their processes for account opening and issuing new cards employ the highest levels of security, and protect customers’ data as robustly as possible.