While EMV chip technology continues its roll out in this country, a whitepaper from the Smart Card Alliance Payments Council contends that payment industry stakeholders can better protect against card fraud by layering EMV chip and two other security technologies, encryption and tokenization.
According to the paper (PDF), “Technologies for Payment Fraud Prevention: EMV, Encryption and Tokenization,” the three technologies play well together with chip providing cryptographic card authentication that serves as a deterrent for counterfeit cards and tokenization replacing card data with tokens, or surrogate values, that can't be used by outsiders and, outside of a specific merchant or channel, hold no value. Encryption, of course, encrypts data from the time a card is swiped, tapped or inserted so that it can't be read or used illicitly.
“These three security technologies protect different aspects of the payments system. EMV protects against counterfeit cards and tokenization and encryption protects transaction data that is at rest (stored in merchant locations) in motion (while moving through the processing system),” Randy Vanderhoof, executive director of the Smart Card Alliance, told SCMagazine.com in Tuesday email correspondence. "The combination of tokenization for new payments types like mobile payments and encryption for older magnetic stripe transactions protects data in the payments system that has not been replaced with EMV chip data yet.”
Noting that an uptick in counterfeit card fraud was the catalyst for the global payment industry to develop EMV chip, the paper called out the technology for its “ability to authenticate the card to be sure it's not a clone or counterfeit of the card.” The EMV specification defines two methods of card authentication—offline and online, with the former offering the merchant an electronic means of authentication and the latter using symmetric key technology to create a unique application cryptogram that is sent to the card issuer and authenticated during the authorization process.
The paper also discussed tokenization, detailing not only the complementary role it plays to chip and encryption, but also the initiatives underway to standardize it. The American National Standards Institute's Accredited Standards Committee (ASC) X9, EMVCo, PCI Security Standards Council (PCI SSC), and The Clearing House all are developing tokenization specifications for bank card payment industry use. The National Institute of Standards and Technology (NIST), has a set of standards for an identity credentials initiative that closely resembles tokenization and which includes “consideration of levels of assurance,” the paper said.
While the paper said stakeholders should “give careful thought to their approach for layering the three technologies,” based on cost, needs, industry requirements, regulations, and likely trends, it also urged merchants to invest in the technologies that offer the protection they need.
“Every business has a level of risk for fraud that they are willing to take and it varies from business to business,” said Vanderhoof. “These fraud mitigation tools are available but they come with a cost and a level of complexity that must be considered in the context of a business's tolerance for risk from fraud losses if they only do one without the other.”
For example, the paper noted that a low-value-ticket card-present merchant might not be concerned with counterfeit cards but might want to focus on encrypting data in transit, while face-to-face merchants operating in complex environments that use card data beyond just authorization may want to layer the three technologies.
“Each method of security technology has its own complexity and cost to implement,” said Vanderhoof. “Doing all three might be appropriate for some merchants and issuers depending on the fraud risk they are experiencing today or are anticipating in the future.”