While the EMV chip rollout continues in this country, a whitepaper from the Smart Card Alliance Payments Council contends that payment industry stakeholders can better protect against card fraud by layering EMV chip with two other security technologies, encryption and tokenization.
According to the paper, “Technologies for Payment Fraud Prevention: EMV, Encryption and Tokenization,” the three technologies play well together. Chip provides cryptographic card authentication that serves as a deterrent for counterfeit cards. Tokenization replaces card data with tokens, or surrogate values, that can't be used by outsiders and that hold no value outside of a specific merchant or channel. Encryption protects data from the time a card is swiped, tapped or inserted so that it can't be read or used illicitly.
“These three security technologies protect different aspects of the payments system. EMV protects against counterfeit cards and tokenization and encryption protects transaction data that is at rest (stored in merchant locations) in motion (while moving through the processing system),” Randy Vanderhoof, executive director of the Smart Card Alliance, told SCMagazine.com in email correspondence on Tuesday. “The combination of tokenization for new payments types like mobile payments and encryption for older magnetic stripe transactions protects data in the payments system that has not been replaced with EMV chip data yet.”
Noting that an uptick in counterfeit card fraud was the catalyst for the global payment industry to develop EMV chip, the paper called out the technology for its “ability to authenticate the card to be sure it's not a clone or counterfeit of the card.” The EMV specification defines two methods of card authentication: offline and online. Offline authentication gives the merchant an electronic means of authenticating the card. Online authentication uses symmetric key technology to create a unique application cryptogram that is sent to the card issuer and authenticated during the authorization process.
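The online method described above, as an added Python sketch that is not taken from the whitepaper or the EMV specification: it shows why copied card data and replayed cryptograms fail at the issuer. HMAC-SHA256 stands in for EMV's own cryptogram algorithm and key derivation, and the class names, message layout and test PAN are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

def _mac(key, pan, amount_cents, nonce, counter):
    # Assumed message layout; HMAC-SHA256 is a stand-in for the real cryptogram MAC.
    msg = f"{pan}|{amount_cents}|{nonce}|{counter}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

class Card:
    """Chip model: the symmetric key stays on the card, only cryptograms leave it."""
    def __init__(self, pan, key):
        self.pan, self._key, self.counter = pan, key, 0

    def cryptogram(self, amount_cents, nonce):
        self.counter += 1  # per-transaction counter makes every cryptogram unique
        return self.counter, _mac(self._key, self.pan, amount_cents, nonce, self.counter)

class Issuer:
    """Issuer model: shares each card's key and tracks the last counter it accepted."""
    def __init__(self):
        self._keys, self._last = {}, {}

    def issue(self, pan):
        self._keys[pan], self._last[pan] = secrets.token_bytes(32), 0
        return Card(pan, self._keys[pan])

    def authorize(self, pan, amount_cents, nonce, counter, cryptogram):
        key = self._keys.get(pan)
        if key is None:
            return "unknown card"
        expected = _mac(key, pan, amount_cents, nonce, counter)
        if not hmac.compare_digest(expected, cryptogram):
            return "bad cryptogram"   # wrong key or altered transaction data
        if counter <= self._last[pan]:
            return "replayed"         # valid cryptogram, but already used
        self._last[pan] = counter
        return "approved"

def demo():
    issuer = Issuer()
    card = issuer.issue("4000000000000002")            # constructed test PAN
    ctr, mac = card.cryptogram(1250, "n1")
    results = [issuer.authorize(card.pan, 1250, "n1", ctr, mac)]      # genuine card
    results.append(issuer.authorize(card.pan, 1250, "n1", ctr, mac))  # captured and resent
    clone = Card(card.pan, secrets.token_bytes(32))    # copied PAN, no issuer key
    results.append(issuer.authorize(clone.pan, 1250, "n2", *clone.cryptogram(1250, "n2")))
    ctr, mac = card.cryptogram(1250, "n3")
    results.append(issuer.authorize(card.pan, 99999, "n3", ctr, mac)) # amount altered
    return results

if __name__ == "__main__":
    print(demo())
```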
The paper also discussed tokenization, detailing not only the complementary role it plays to chip and encryption, but also the initiatives underway to standardize it. The American National Standards Institute's Accredited Standards Committee (ASC) X9, EMVCo, PCI Security Standards Council (PCI SSC), and The Clearing House are all developing tokenization specifications for bank card payment industry use. The National Institute of Standards and Technology (NIST) has a set of standards for an identity credentials initiative that closely resembles tokenization and which includes “consideration of levels of assurance,” the paper said.