A Three-Pronged Approach to Payment Security
December 10, 2014

EMV, tokenization and encryption, when matched together, create a three-pronged approach to keeping cybercriminals at bay. In October of 2015, the U.S. will make the transition from traditional magnetic-stripe cards to EMV tokenization in an effort to prevent more of the high-profile data breaches that have littered headlines over the past two years.

EMV’s biggest value is in its ability to prevent fraud at the ATM or Point of Sale (PoS) – how the attackers involved in the Target breach gained access – through dynamic authentication. EMV uses a data-processing chip embedded in an EMV card (physical transaction where the card is present) or a mobile device (digital transaction, or card not present) to transmit encrypted credentials. The EMV chip, together with the card or mobile device holder’s PIN or signature, must be verified for the transaction to be valid.

The transition to this payment method is long overdue for the U.S. – after all, 80 other countries have adopted this already. However, while EMV is a proven global standard, it isn’t a fail-safe security solution for the payments industry. Additional layered safeguards are still needed, in particular for data security beyond the PoS.

Although it’s a step in the right direction, it would be a mistake for retailers to think that this will solve all of their security problems. There are many aspects to delivering a service, and collecting customer payments is just one component that needs to be managed. That being said, EMV tokenization is the best method we have right now to thwart eCommerce attacks. The biggest benefit of EMV tokenization is that every single access by a customer is new and unique proof of authentic customer intent. Today, with static data, attacks are often long-lived and difficult to detect, in terms of both the breach and the exploitation; this technology helps to mitigate that.

Among its security benefits, the concept of tokenization can also be used for customer access. Rather than having static user IDs and passwords, dynamic authentication (what EMV tokenization is based on) can be applied to accessing services on mobile, web, or call center. A well-designed mobile application with mutual authentication and dynamic authentication can provide a sea change in the way customer service is delivered. With an app like this, a four-digit PIN on a phone is stronger than a static password of any length – this means that access for the customer is easy, but account takeover and message interception are much more difficult for attackers.
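The difference between static data and a per-request proof, described in the two paragraphs above, can be shown with a short sketch. This is an added example, not code from the article and not the EMV cryptogram algorithm: it uses HMAC-SHA256 as a stand-in, and the names `derive_key`, `make_proof`, `Verifier`, the retry limit and all sample values are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


def derive_key(device_key: bytes, pin: str) -> bytes:
    # The PIN alone is never sent; it is mixed with a secret held on the device.
    return hashlib.sha256(device_key + pin.encode()).digest()


def make_proof(auth_key: bytes, counter: int, request: bytes) -> bytes:
    # Fresh proof per request: the MAC covers a counter and the request itself.
    msg = counter.to_bytes(8, "big") + request
    return hmac.new(auth_key, msg, hashlib.sha256).digest()


class Verifier:
    MAX_FAILURES = 3  # assumed retry limit; this is what makes a short PIN viable

    def __init__(self, auth_key: bytes):
        self.auth_key = auth_key
        self.last_counter = 0
        self.failures = 0

    def verify(self, counter: int, request: bytes, proof: bytes) -> str:
        if self.failures >= self.MAX_FAILURES:
            return "locked"
        if counter <= self.last_counter:
            return "replay"  # a captured proof is worthless once it has been used
        expected = make_proof(self.auth_key, counter, request)
        if not hmac.compare_digest(expected, proof):
            self.failures += 1
            return "bad-proof"
        self.last_counter, self.failures = counter, 0
        return "ok"


def demo() -> list:
    device_key = secrets.token_bytes(32)       # constructed sample device secret
    auth_key = derive_key(device_key, "4821")  # constructed sample PIN
    server = Verifier(auth_key)
    request = b"pay:25.00:merchant-EXAMPLE"    # constructed sample request
    proof = make_proof(auth_key, 1, request)
    return [
        server.verify(1, request, proof),               # genuine request
        server.verify(1, request, proof),               # same message seen again
        server.verify(2, request, proof),               # old proof, new counter
        server.verify(2, b"pay:9999.00:other", proof),  # altered request
        server.verify(2, b"pay:9999.00:other", proof),  # third failure
        server.verify(3, request, make_proof(auth_key, 3, request)),  # locked out
    ]
```

A static password would pass every one of these checks once captured; here only the first message is accepted, and the retry limit is what keeps a four-digit PIN from being guessed.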

The moral of this story is that there is no absolute solution to abolish card fraud and account takeovers. However, EMV tokenization and encryption serve as an important extra layer against these attacks. As hackers grow more sophisticated, the payment industry needs to evolve with the technology at its disposal to fight back.