October 1, 2015 was a landmark day for the U.S. payments industry. It marked the official start of shifting liability for fraudulent payment card transactions to retailers and other businesses that have not upgraded their payment systems to accept the new EMV payment cards, commonly known as chip-and-PIN cards. Proponents of EMV cards say that switching from traditional card swiping for point-of-sale (POS) transactions will dramatically reduce incidents of payment fraud. Others point out that EMV does not address the growing problem of card-not-present (CNP) fraud, such as on online commerce websites.
Is EMV Enough?
Online fraud notwithstanding, there is also another concern about EMV security that has been raised. Currently, during EMV card transactions, the primary account number (PAN) embossed on the card is transmitted openly to the particular card network for approval and sent back with a confirmation. The problem with this approach is that the PAN can be intercepted by criminals during transmission and then used to commit fraud.
One way to prevent fraudsters from stealing PANs is to take an approach that is already being used by mobile payment services like Apple Pay and Android Pay. Tokenization replaces the actual PAN with a unique set of unrelated data called a token. The token represents the PAN for the purpose of the card transaction instead of transmitting the real card number out in the open.
Using tokenization converts the consumer’s PAN into a series of numbers, letters, and special characters that are useless to thieves when they are captured on their own. In some forms of tokenization, a new single-use token is generated for every transaction, even when the same card is used. This can provide additional protection against fraud, since there is no unique token that can be associated with a given payment card.
A key advantage of tokenization is that it reduces the exposure of sensitive data by consolidating it on encrypted and heavily protected tokenization servers. This means that there is less duplication of account information and fewer opportunities for it to be stolen. Tokenization can be used equally for both CNP and POS transactions.
What Else Is Needed?
While tokenization adds an important layer of protection for consumers, businesses, and financial institutions, is it enough on its own? There are known limitations to tokenization, such as security vulnerabilities in how tokens are generated. Although new tokenization approaches have been developed that claim to address many of the concerns, there are additional measures that can further strengthen the security of payment transactions.
Encryption is something that most of us are already familiar with when we browse secure websites on our computers or phones. This technology converts information that we transmit online into something unreadable by anyone other than the intended recipient. When encryption is combined with EMV and tokenization, there is a strong defense against fraud for in-person transactions.
Without a doubt, protecting against fraud is critical, but any good prevention system should always be backed up by a strong fraud detection system. This is especially important in the case of card-not-present fraud, which is expected to see exponential growth as a result of U.S. payment cards switching to EMV. Systems such as behavioral analysis tools can detect fraud by monitoring for suspicious activity or patterns, and online identity verification can weed out fraudsters using stolen credit card information.
Now that the U.S. is adopting EMV, the amount of fraud originating from POS transactions should finally begin to see a decline. Although industry experts and observers have all predicted a sharp rise in CNP fraud, there is still hope that the considerable investment in prevention capabilities in recent years will help mitigate the effects of increased online attacks.
What do you think is the best way to prevent card payment fraud?