To EMV or not to EMV?

To EMV or not to EMV? That is the question now on the minds of many retailers and issuers.

EMV (Europay, MasterCard, and Visa), or Contact EMV, is the protocol to make payments possible with a card embedded with a microchip. After a significant delay, the U.S. is gearing towards deploying EMV like much of the rest of the world. Large-scale data breaches and a recent White House Executive Order gave a much-needed shot in the arm towards the deployment of EMV in the U.S. [Read “White House mandates cyber security via 'BuySecure'”]

While EMV deployment has been slowly gaining momentum, a surprising turn of events is rapidly changing the payment landscape.

More than the introduction of the prominent mobile payment methods, the underlying concept of network tokenization is causing a paradigm shift in the way payments are secured.

Simply, tokenization is a method to replace a credit card number with another number that will be useless if stolen by a fraudster. While tokenization is an old concept, the new method of tokenizing card numbers by the credit card networks can reduce the need for significant additional security within the payments value chain, especially at the retailer. This shifts the burden of card data security from a distributed Point of Sale model to a centralized token issuer model. [Read “Tokenization to become a token of our affection”]

Path that led us here

For the last decade, as the rest of the world implemented EMV, cards in the U.S. carried cardholder information in the magnetic stripe on the card, which was unencrypted. As a result, fraudsters were able to devise ingenious ways to steal the customer information from the stripe. They primarily targeted points of purchase that stored this magnetic stripe information from paying customers. The larger entities that stored this information were highly vulnerable.

To combat rising incidents of account compromise, the Payments Council, comprised of the various card networks, created Data Security Standards (PCI-DSS) and insisted that all payment entities comply with these standards. A major requirement of this new standard was to not store sensitive card data in the clear, and to substitute card numbers with tokens.

This PCI-DSS standard, though it imposed a heavy burden on payments-accepting entities and their processors, had the potential to mitigate account compromise incidents. However, cyber criminals have continued to capture the information from stripe transactions. In some cases, they have done so directly from the terminal of a retailer, as was evident in the recent attacks on some retailers.

The card industry is therefore keen on implementing EMV. Transactions would be completed via a chip, as opposed to the stripe.

EMV vs. Network Tokenization

In reality, the decision is no longer quite so clear cut. When we look at the fraud landscape in the countries that have already implemented EMV, we find that EMV has only partially solved the fraud issue.

A good example is in the U.K., which experienced similar card fraud issues over ten years ago. Counterfeit fraud was on the rise, as was lost-and-stolen card fraud. Ecommerce fraud was low primarily because not much commerce was conducted in that channel. Starting in 2006, when the U.K. implemented Chip-and-PIN, counterfeit fraud and lost-or-stolen fraud plummeted.

However, the total fraud in the U.K. is still on the rise as the fraud has shifted to the ecommerce channel. Today, with proliferation of mobile devices and tablets, non- face-to-face fraud is growing rapidly in countries that have implemented EMV.

To solve this non-face-to-face fraud, the networks developed a solution called 3D Secure. This would allow a consumer to type in a password during an online purchase, and if there was fraud on that transaction, the liability would shift to the issuer and not the merchant.

While a good idea, merchants found that it slowed down the purchase experience, and given that consumers in the U.S. are currently financially protected from credit card fraud, the adoption rate for 3D Secure among consumers in the U.S. was very poor.

While EMV for face-to-face and 3D Secure for non-face-to-face have been two of the primary fraud prevention solutions available for the card industry up until now, network tokenization has emerged to shift the card protection paradigm.

In this method, a token associated with a card number is obtained from a central token authority, usually the card network. While the idea behind this is similar to the tokenization used for PCI-DSS, network tokenization ensures that sensitive card data is never available anywhere in the payment value chain, as opposed to within a single entity as in the case of PCI-DSS.

When a consumer makes a payment, their card number in their mobile wallet is replaced by a token and it is this token that traverses through the entire payments network. These tokens are currently tied to the mobile wallets in consumers’ devices, and could be limited to one-time use, thereby preventing fraud if the token was ever re-used, or could be allowed for re-use for a recurring payment specific to a retailer.

The concept of network tokenization has several advantages over Contact EMV and 3D Secure.

1. Network tokenization represents a single solution for multi-channel use.

A merchant could conduct a face-to-face transaction or a non-face-to-face transaction, treating the token the same way as they would a card number.

2. The retailer faces no burden to decipher the properties of this token.

That is, if the token has expired, if it is for one-time use only, or if it belongs to the consumer. The onus of preventing re-use of a token by someone other than the consumer will rest with the device operator where the token resides and the network that issued it.

3. There is no onus on the retailer to provide for fraud mitigation solutions at their end.

Compromises of the type we have seen recently at retailers may cease to exist as tokens are inherently useless after a single transaction or in another channel.

4. The need for PCI-DSS requirement will diminish as retailers sharpen their focus on safeguarding their customer data and not payment data.

The device operator will also likely provide encryption of transaction data in addition to tokenization, thereby further reducing the cost of data security at a retailer.

5. In the event tokens associated with a card are involved in fraud, the networks could re-issue the tokens, thereby voiding out previously issued tokens.

This could be done without having to re-issue the actual card number that was issued to the customer.

In the existing case of an EMV transaction, while there is encryption, the Primary Account Number (PAN) or the card account number is still transmitted through the network, and retailers will have to adhere to PCI-DSS compliance in order to protect card data.

Fraud patterns will evolve

The fraud patterns that may evolve when payments are made with encryption and network tokenization will likely be different from the trends we have seen since the deployment of EMV. The tokenization/encryption solution may prove to be superior in combating current fraud trends, including non-face-to-face fraud.

Enrollment fraud, however, will likely emerge as the biggest fraud type, as fraudsters will try to enroll or obtain tokens for their devices with stolen credentials.

While this could be controlled with biometrics and device fingerprinting methods for mobile devices, and with a PIN delivered securely to the consumer during enrollment for EMV/NFC (Near Field Communication) cards,  alternative and innovative solutions should be considered to mitigate this type of fraud.

While the advantages of this newer solution—encryption and tokenization—are compelling, the path to deploying this for all transactions will depend on the availability of devices to replace standard card transactions.

Getting there from here…

Apple’s introduction of Apple Pay™ mobile payments solution, which uses encryption and network tokenization through the use of NFC-enabled phones, has now set the bar high for the payment industry.

Apple Pay uses network tokenization in their secure element, combined with biometric technology to authenticate a customer. This way they have used card data parameters normally used in a Card Not Present environment to be treated as Card Present transaction, as the data is tied to the hardware of the device. [Read “Battle of chip-and-pin vs. tokenization begins”]

The fact that Apple Pay was downloaded by over a million customers in the two weeks immediately after its launch is testimony to the fact that consumers in the U.S., especially the Gen Y and the Gen X demographics, are inclined to use a product that is secure and easy to use.

But there are still many consumers without smart phones. The question for many retailers is how to service them while avoiding the fraud that we have witnessed recently.

This user group is driving the need for an alternative payment vehicle to serve the entire population. In three to five years, we are likely to see NFC cards with two-factor capability, such as a PIN, which will be capable of storing tokens with dynamic encryption. A customer could even reset the tokens by simply visiting an ATM or a retailer connected to any of the networks. There will likely be a proliferation of mobile wallets using tokenization and encryption with passive biometrics, such as the accelerometer of the mobile device or the pulse monitor of a smart watch. A proliferation of mobile wallets and the availability of NFC terminals at many large retailers will likely cause card issuers to issue plastic cards capable of NFC. Whether mobile or physical plastics, it is clear that NFC is here to stay.

While the solutions available in three or five years are becoming clearer, it is not clear what strategy a retailer should follow in the interim.

To define the interim strategy for a retailer, it will be important to know their size, the type of retailer they are, and the demographics of their client base.

For example, a local “mom and pop” dry cleaner could probably survive the next three to five years without significant fraud by accepting magnetic stripe transactions and then upgrading their terminals to NFC. A large retailer, on the other hand, will be hard pressed to keep accepting magnetic stripe cards in the short term. These retailers will have to upgrade to combo (magnetic stripe/EMV/NFC) terminals now, as they will have to cater to all demographics.

For some large retailers, such as gas retailers and ATM operators, the choice of switching to combo readers is impractical, as gas pumps and ATMs will have to be retrofitted with newer terminals capable of EMV and NFC. While the liability shift mandate for gas retailers is not effective until 2017, they will likely be a target for fraudsters as fewer and fewer merchants accept magnetic-stripe-only cards.

Layered-defense approach

If the objective of the liability mandate is to help reduce fraud eventually, many retailers can achieve the same objective by adopting a layered defense approach. This approach calls for four steps in preventing fraud.

Step 1 is to secure customer information and interaction.

Recent account compromise cases indicate that the environment containing unencrypted card data was vulnerable to malware. Securing the environment where customer payment data is captured is essential to preventing account compromises at the Point of Sale (POS).

Point-to-point-encryption (P2PE), where encryption takes place with a Tamper Resistant Security Module (TRSM), also known as Secure Reading and Exchange of Data module (SRED), within a point of sale device when the card is swiped, prevents the skimming of card data at the point of sale. This allows a retailer to send the encrypted data outside their environment to a third-party processor or their acquirer.

Once sensitive data is sent via PCI-compliant P2PE outside a retailer’s environment, there is now a very low probability of a potential compromise within the retailer’s environment. As such, the burden of PCI is greatly reduced. Of course, this assumes that card-not-present data are handled outside the retailer’s environment as well.

Additionally, the third-party processor or acquirer could in turn tokenize the data received from the retailer after decryption and send the token back to the retailer. (This tokenization is at the entity level and is not the same as network tokenization discussed previously.) This step is essential as a merchant will need a card account number associated with a transaction to issue credits or answer a chargeback.

This concept of using P2PE with SRED within a POS device and tokenization is similar to the method used by Apple Pay. The key difference is that Apple Pay’s wallet obtains network tokens ahead of any transaction, and sends encrypted token and transaction detail over to the merchant or the processor of the merchant. Apple Pay mobile payments solution allows decryption to happen outside the merchant environment, thereby reducing the scope of PCI at the retailer as in the P2PE with SRED and tokenization as described above.

This method allows a retailer to accept payments via a magnetic stripe card safely without the need for a terminal upgrade. This also provides merchants with options on the type of terminals to upgrade to in the future.

Step 2 entails extensive monitoring of transactions.

It includes the ability to monitor for breaches and violations with appropriate antivirus solutions; review of system logs for unusual activity and file transfer activity; and monitoring access to systems and third-party access to devices and systems, specifically remote access from outside a merchant’s network.

Step 3 involves the ability to detect and isolate suspicious patterns.

This could be related to suspicious system activity or fraudulent customer transactions. In the case of a mobile operator or a device using network tokens, the retailer or the merchant is unlikely to be liable for a fraud transaction. However, in the case where a retailer is using P2PE with tokenization offered by a third party, the onus of detecting and preventing fraud based on stolen or counterfeit customer credentials resides with the retailer.

To combat this type of fraud, a retailer would need to develop an analytics platform capable of predicting fraudulent activity based on previous usage patterns, capture information on devices used by customers and monitor and analyze each web session for potential “bot” or fraudulent activity.

Modeling the riskiness of each transaction would allow the retailer to approve or decline the suspect transaction depending on its level of comfort in taking liability for the potential loss. Even though the liability shift mandate would impose fraud liabilities onto a retailer that  is not EMV capable, analytics could significantly reduce these fraud and chargeback liabilities.

Step 4 is the ability to investigate transactions deemed to be high risk by the analytics platform and successfully stop suspicious activity.

An alert management module helps extract all data about a customer and their transaction, which helps an investigator analyze a transaction to determine if it is potentially fraudulent or if it is related to other past or current fraud schemes. The ability to link a particular alert to past or current alerts is instrumental in successfully determining if a suspicious activity is a random event or is associated with a bigger compromise.

Providing a complete picture of fraudulent activity data is important in the event law enforcement is involved in the ensuing investigation.

Making new approaches work

Ease of use and security are two important requirements for any payment method. With the push from Apple Pay mobile payments solution, the industry is rapidly moving towards these goals with network tokenization and biometrics for authentication.

Given the current state that is highly vulnerable, payment entities need to choose a path with the ultimate goal in mind.

However, the path cannot be piecemeal nor a patchwork of solutions. Fraudsters exploit the gaps or vulnerabilities that may exist when different fraud prevention solutions are used on different channels or products.

We need a standard solution that is available to all entities within the payment chain and is applicable to all channels, which could eliminate these vulnerabilities.

Few thought this goal would even be possible until Apple Pay was introduced this year. Now it is quite probable that we may see this near-utopian ideal within the next five years.  

About the author

Prakash Santhana is a director at Deloitte Transactions And Business Analytics LLP,  where he leads the fraud management practice for payments, banking, and securities. He worked in the fraud/risk management groups of large credit card issuers and payment startups for over 20 years prior to joining Deloitte. He is currently focused on helping domestic and international banks, card issuers, and retailers mitigate fraud by employing sophisticated fraud detection and prevention methods. Previously on www.BankingExchange.com he wrote “Death to contact EMV from Apple Pay?”