Forrester Research predicts that “broad adoption” of plastic EMV chip-and-signature and chip-and-PIN payments in the U.S. will take several years, despite the looming fraud liability shift taking effect in October.
In a new report published this week, “Prioritize Tokenization to Secure the Payment Chain,” co-authors Andras Cser, Ed Ferrara and John Kindervag said that widespread EMV adoption wouldn't occur until 2020. As the adoption process drags along, however, merchants should be fully aware that, although EMV chip technology significantly thwarts skimming fraud, it should not be seen as a solution for deterring massive card breaches.
“EMV without tokenization does not encrypt or protect the card numbers and expiration dates transmitted during card transaction,” the report said. “EMV is largely a bolt-on to existing card technologies to support a chip on the card that prevents counterfeiting, but it does nothing to prevent counterfeiting of cards (i.e., you can still copy the data and produce a counterfeit magnetic stripe card that will work at any magstripe terminal) or fraudulent online use of cards in CNP (card-not-present) transactions.”
Since encryption takes the added step of obscuring card details sent over payment networks, and tokenization would allow for encrypted card data to be sent from the accepting point-of-sale (POS) terminal to a PCI-DSS-compliant service provider initiating the tokenization process, merchants (and card-carrying consumers) would be better protected against major payment card breaches through added investments in these technologies, the report's authors explained.
In a Wednesday interview with SCMagazine.com, report author Andras Cser highlighted this point, saying that “EMV, alone, won't protect against wholesale attacks on payment infrastructure, like in the Home Depot or Target breaches.” He later added that it would be through tokenization and encryption that merchants could save money and protect against attacks.
To make payment transactions significantly more secure, Forrester recommended that security and risk professionals “demand tokenization from all payment chain participants.”
Contactless payment methods, for instance, which include mobile services like Apple Pay and Google Wallet, offer built-in tokenization to protect card numbers from being exposed on the internet, the report said. And the prospect of shifting to contactless payments would also result in merchants “eventually spending less money complying with PCI-DSS,” since they would no longer need to store credit card numbers with the digital wallet systems, Forrester noted.