Tokenization, compliance key to payment security

By Brian T. Horowitz, Editor and Contributing Writer

In 2013, up to 70 million credit card accounts may have been compromised when a data breach affected Target customers. In September, Home Depot reported a similar breach that may have impacted 56 million credit card holders.

To deal with these threats, the industry will need to adopt technology such as EMV Chip and PIN as well as embrace tokenization and ensure compliance with guidelines from the Payment Card Industry Security Standards Council (PCI SSC).

Managed by EMVCo, EMV is an open standard designed to ensure compatibility between chip-based payment cards and terminals.

Companies will also embrace trends such as 3-D Secure, which is an XML-based protocol that provides an extra layer of security for online credit and debit card payments.

Providers of payment card services include Braintree, Stripe, Square and PayPal.

Moving toward EMV

EMV Chip and PIN cards are known to be more secure than traditional magnetic stripe cards because they are more expensive to replicate. The EMV cards also differ from traditional payment cards because they encode information uniquely during each transaction, according to a white paper by CardConnect, a company that offers a proprietary gateway and patented tokenization to secure payments.

Although Europe and Canada have been using the technology for years, merchants in the United States must ensure that they’re EMV and chip compliant in 2015, noted Robert Nathan, chief technology officer at CardConnect.

“The whole EMV/chip thing is coming down in the U.S. really hard,” Nathan told Tech Page One at Techweek 2014 in New York City.

Use of EMV will expand beyond banks and manufacturers, and merchants will need to invest in the chip readers to replace “old-school swipe readers,” Nathan said.

“There’s a mandate in 2015 that everything has to be EMV and chip compliant,” Nathan said.

The value of tokenization

Visa Token Service uses the EMVCo payment standard and provides a way for customers to pay for services using digital tokens, which link back to the actual payment data. The service incorporates life cycle management so that customers can suspend, resume or delete tokens assigned to their mobile devices.
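As an added illustration of the tokenization and life cycle management described above (not code from Visa, CardConnect or any other vendor named here): a minimal token vault that issues random tokens linked back to a card number and refuses to detokenize until the token is active. The class names and the test card number are constructed for the example.

```python
"""Minimal token vault: random tokens linked back to the real card number (PAN),
with suspend / resume / delete enforced before a token may be used.
Constructed example; a production vault would also encrypt the stored PAN."""
import secrets
from enum import Enum


class TokenState(Enum):
    ACTIVE = "active"
    SUSPENDED = "suspended"
    DELETED = "deleted"


class TokenVault:
    """Issues tokens that carry no information about the underlying PAN."""

    def __init__(self):
        # token -> [pan, state]; the mapping lives only inside the vault,
        # so a stolen merchant database holds tokens, not card numbers.
        self._entries = {}

    def tokenize(self, pan: str) -> str:
        # 16 random digits with no mathematical relation to the PAN
        token = "".join(secrets.choice("0123456789") for _ in range(16))
        self._entries[token] = [pan, TokenState.ACTIVE]
        return token

    def detokenize(self, token: str) -> str:
        pan, state = self._entries.get(token, (None, None))
        if state is not TokenState.ACTIVE:
            raise PermissionError(f"token not usable: {state}")
        return pan

    def _set_state(self, token: str, new_state: TokenState) -> None:
        entry = self._entries[token]
        if entry[1] is TokenState.DELETED:
            raise PermissionError("deleted tokens cannot change state")
        entry[1] = new_state

    def suspend(self, token: str) -> None:
        self._set_state(token, TokenState.SUSPENDED)

    def resume(self, token: str) -> None:
        self._set_state(token, TokenState.ACTIVE)

    def delete(self, token: str) -> None:
        # Drop the PAN for good; the token value stays reserved and unusable.
        self._entries[token] = [None, TokenState.DELETED]


def masked(pan: str) -> str:
    """Display form of a PAN (last four digits only), as a receipt would show it."""
    return "*" * (len(pan) - 4) + pan[-4:]
```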

Visa will be a leader in tokenization because it produces its own tokens and has gotten a head start in working with card issuers, according to Nathan.

Mobile devices now include tokens as part of the mobile wallet technology being introduced by companies such as Google.

Despite the movement toward tokenization, the payment card industry should use caution when adopting this technology, according to a Dark Reading article by Pat Carroll, executive chairman and founder of cybersecurity firm ValidSoft.

Fraudsters may target tokenization systems, and when companies build their own payment services, the result is a lack of standards, Carroll noted.

Complying with PCI 3.0

A key part of payment card security going forward will involve compliance with the Payment Card Industry 3.0 standard, which went into effect in January 2014 and requires merchants to keep a list of payment card machines and their unique identifiers. It also requires merchants to inspect their devices, the CardConnect white paper noted.

PCI 3.0 mandates that merchants verify methods used to segment cardholder data.

Regarding PCI 3.0, “it’s much bigger and more thorough,” said Gartner analyst Avivah Litan in a video interview with SearchSecurity.

Merchants have to notify their customers in writing and “attest” to their compliance, Litan noted. Still, “PCI has definitely raised the bar among retailers and card accepters to strengthen their security,” she added.

About the Author: Power More