Black Friday Brings Tokenization to Life
This year purchasing through mobile services like Apple Pay, Android Pay, and Samsung Pay may actually be safer than that microchip credit card you just got in the mail.
As we approach the two year anniversary of the Target breach in December 2013, one tangible change is the issuance of microchip-enabled credit cards. We've had chip-enabled credit cards before, but as of October 2015 merchants have been incentivized through a shift in liability for loss to install Point of Sale terminals that actually accept the microchips. This appears to have been a compromise.
Five years ago, I sat on a panel at the Philadelphia Federal Reserve and heard from the card issuers how adopting EMV (Europay, Mastercard, Visa) chip and PIN technology would be costly to implement in the US market. EMV requires the use of a chip enabled credit card and a PIN that must be entered by the consumer before the transaction is complete. If the PIN is forgotten or unknown, a signature can be accepted instead. In both cases EMV uses two-factor authentication.
EMV is used in almost every developed country in the world except for the US. Back in Philadelphia it was interesting to hear Visa (which co-authored the algorithm) argue with a representative from Walmart (which wanted EMV) that because of the size and the complexity of the US market we were easily ten years away from adopting EMV as a country. Yet here we are in 2015 with little microchips in our credit cards – only this is a pyrrhic victory. This is not chip and PIN. It is merely chip.
Last week a group of Attorney Generals from 40 states wrote an open letter to the heads of several large banking and financial services companies asking that full chip and PIN be implemented in the US. "Some have claimed that chip and PIN will be burdensome and confusing to customers," the AGs wrote. "We believe any burdens will be minimal and justified by the dramatic security improvements offered by this technology. Many American consumers are already accustomed to using PINs in financial transactions, including those involving debit cards."
Since the cards have been issued, and the payment system hardware updated to accept the chips, it's really a matter of the software enforcing a PIN. But never mind that. The credit card industry is holding its breath and waiting for the next big innovation.
This year many of us will use our mobile devices to make real world purchases. And that's a good thing.
More secure than using EMV-enabled credit cards are the services Apple Pay, Android Pay and Samsung Pay. What makes them better is that the merchant never sees your actual Personal Account Number (PAN), and therefore can't store them either. These services use the backend substitution technology known as tokenization.
Tokenization is not new, but its acceptance is. As soon as you store your card on your mobile device, the account number is randomized and that randomized value is stored on the device and shared with the processer (or in this case, Apple, Google, and Samsung). A token might be the same length as your bank card number and contain elements of the original data such as the last four digits of the card number.
The end user can use their mobile device at the POS. The merchant accepts the tokenized card data and sends it up the processor. Only the processor has the key to decrypt the data and real the true identity of the card holder. The processor, once they confirm the purchase with the issuing bank, then sends back a confirmation using a token. The merchant can still reference a purchase or handle refunds, returns, exchanges and other transactions using the token. If the merchant suffers a data breach, those customers using a tokenization service can be assured that their PAN is still secure.
EMV is only effective at stopping fraud associated with card present (real-world) purchases and it has actually increased fraud associated with card not present (online) purchases. Tokenization works with online purchases as well.
Outside of the transaction the token value is meaningless to a criminal, particularly single-use tokens. Without the without a decryption key, the PAN information in indecipherable. Tokenization is standardized; it conforms to X9.119 Part 2, which covers financial cryptography and data protection. The PCI Council, which sets rules for merchants around payment card transactions, supports tokenization for reducing risk in data breaches. And, not to be lost in all of this, EMV has also released its own payment tokenization specification.
Robert Vamosi is a CISSP and award-winning journalist. He is also the author of When Gadgets Betray Us: The Dark Side of Our Infatuation With New Technologies (Basic Books).