The Green Sheet Online Edition
August 11, 2014 • Issue 14:08:01
Insider's report on payments:
EMV alone is not enough, retailers push for tokenization
Leading merchants say they're serious about protecting consumers (and themselves) from cybercriminals and card fraud. They want everyone else to get serious, too – about tokenization. That's the upshot of a pronouncement issued July 28, 2014, by several groups representing merchants.
Tokenization is a security protocol that involves substituting sensitive data (like a credit card account number) with a unique identifier immediately upon swiping. The token, generally the same length as the primary account number, is then used to complete a transaction in lieu of actual account information. Merchants say they're drawn to tokenization because it has value beyond the payment stream, for example, in verifying age, health and pharmacy records. Tokenization can also be used to protect stored customer card data, a prime target of cybercriminals.
Industry consultant Paul Martaus said the recent statement from merchants could be an attempted end run around Visa Inc. and MasterCard Worldwide, which have been strong-arming U.S. financial institutions and merchants to embrace Europay/MasterCard/Visa (EMV), an international standard for chip cards that can authenticate credit and debit cards at the POS. "They're trying to take the pressure off of having to install [EMV-compliant] chip card terminals," he said.
EMV, intended as a replacement for mag stripe cards, enjoys broad international adoption, except in the United States, where many retailers have been reluctant to spend the money to swap out old terminals for EMV-compliant devices and supporting software. Some ISOs and acquirers are giving away EMV-compliant terminals. Ditto for encryption-enabled (tokenization) terminals. But card issuers have been EMV laggards, too.
According to the 2013 Federal Reserve Payment Study, of the 333.6 million general-purpose credit cards in circulation in the United States in 2012, just 23.6 million were chip cards; only 23.5 million of 282.8 million debit cards were chip enabled. The Fed's research also revealed that chip cards tend to be used for smaller purchases than non-chip cards. The average chip-enabled credit card payment was $47 compared with an overall average of $68; the average EMV debit card payment was $14, while the average for non-EMV cards was $34, according to the Fed's data.
EMV alone, however, isn't adequate to protect card data. It has to be combined with PIN entry on the front end, and with tokenization, according to Martaus. "Otherwise it's like having a V8 engine in a 53 Chevy," he said. The merchant statement released in July makes a similar point.
"Improving security and consumer confidence in the U.S. payments system is a top priority for the merchant community," the statement read. "We call upon all stakeholders in the payments industry to come together to ensure open and efficient standards to better protect U.S. consumers and businesses from payment card and system security threats. An open and universal tokenization standard will also help ensure sensitive personal information beyond just payment card account-level data will be more adequately secured across other U.S. commerce channels." Retailers also urged cross-industry cooperation in support of "an open interoperable platform."
The statement was signed by trade groups representing hundreds of thousands of merchants. The signatories are the Food Marketing Institute, Merchant Advisory Group, National Association of Convenience Stores, National Grocers Association, National Restaurant Association, National Retail Federation and the Retail Industry Leaders Association.
The statement followed news in February 2014 of a partnership forged by leading financial services and retail organizations to promote more secure payment systems. The partners said they had agreed to "focus on exploring paths to increased information sharing, better card security technology, and maintaining the trust of consumers." Many of the merchant groups that signed the latest statement are members of this original group, which also includes the American Bankers Association, the Consumer Bankers Association, the Independent Community Bankers Association of America and The Clearing House.
The Clearing House, formerly the New York Clearing House, is a payment company owned by 23 of the nation's largest banks, including Bank of America Corp., Citigroup Inc., JPMorgan Chase & Co., US Bancorp and Wells Fargo & Co. Note that many of these financial institutions are also major issuers and acquirers of Visa- and MasterCard-branded credit and debit cards.
"Data protection is a shared responsibility of everyone involved in the payments processing chain," Camden R. Fine, Chairman and Chief Executive Officer of ICBA, said in February. Jennifer Platt, Vice President of Federal Operations at the International Council of Shopping Centers added, "The solution needs to be through cooperation."
Shifting trends in payments and fraud
Third-party fraud involving general-purpose card payments (credit, debit and prepaid) account for a large and growing share of payment fraud. Often fraud is perpetrated using card numbers that have been hacked from card-accepting businesses and transactions processors. The Fed reported 92 percent unauthorized third-party transactions involved general-purpose cards in 2012; the remaining 8 percent of fraudulent transactions identified were split between checks and automated clearing house (ACH) payments.
The differences are less dramatic when looking at the total value of payment fraud – general-purpose cards accounted for 63 percent of total dollars lost to fraud; checks represented 17 percent of the total and ACH items 19 percent, according to the 2013 Federal Reserve Payment Study.
The complete Fed study, released in July, following a preliminary report in late 2013, offers a deep dive into payment and fraud trends based on analyses of 2012 data provided by banks and processors. A telling statistic involves rates of fraud for card-not-present (CNP) credit card transactions. At 11.4 basis points, the CNP fraud rate was nearly three times the rate for card-present transactions, at 3.9 percent.
Once EMV takes hold in the United States – if it takes hold – the differences are apt to become more pronounced, because most EMV-enabled cards also contain mag stripes. The United Kingdom experienced a surge in fraud following implementation of EMV there, primarily CNP fraud, but also fraud involving counterfeit cards and cross-border purchases. Similar trends were also reported in Canada following that nation's move to EMV beginning in 2008. It's apparent that merchants want things to play out differently here.
Patti Murphy is Senior Editor of The Green Sheet and President of ProScribes Inc. She is also the founder of InsideMicrofinance.com. Email her at firstname.lastname@example.org.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.