By Jim Daly
With the U.S. payment card industry’s eyes glued on the coming of EMV chip cards, the main standards body for card security is trying to remind merchant acquirers, merchants, and card issuers that there is more to security than simply embedding a chip into a piece of plastic and deploying terminals that can read such cards. On Thursday, the PCI Security Standards Council published guidelines for products and services that provide tokenization—the replacement of primary account numbers (PANs) with so-called tokens that are useless to fraudsters.
The guidance from the non-profit that administers the Payment Card Industry data-security standard (PCI DSS) and its related standards comes at a time when tokenization is a hot topic in the industry. Security executives say tokenization and chip card payments work hand-in-hand. Tokenization also is an important element in mobile-payment security. Apple Inc.’s new Apple Pay service for the iPhone and Apple Watch, for example, uses a variant of the technology.
The new guidance provides technical best practices for generating tokens and for how tokens are retained and stored for later use, such as in back-office systems. The guidelines also cover tokenization deployments and mitigating the risks from attack vectors hackers use to get into computer systems.
As is common when the PCI Council first issues guidance documents, the tokenization guidelines are voluntary, according to Jeremy King, the U.K.-based international director of the Wakefield, Mass.-based PCI Council. While the PCI Council doesn’t mandate use of specific technologies, some of the concepts therein could make their way into future updates of the PCI DSS, Version 3.0 of which just took effect.
For now, the Council wants to “get everyone comfortable” with tokenization, says King, who spoke with Digital Transactions News in San Francisco while attending the Electronic Transactions Association’s Transact 15 annual conference. Despite all the product announcements about tokenization in the past year or so, King says “tokenization is not new, tokenization has been out for some time.” But for many merchants, particularly small ones, tokenization is still a vague concept.
Tokenization can reduce the so-called scope, the extent of a merchant’s payment-processing system that is subject to the PCI DSS’s lengthy set of rules. It also addresses one of EMV’s vulnerabilities: the PAN is briefly transmitted in the clear, where it could be intercepted by hackers. A fraudster couldn’t use a PAN stolen from an EMV card to create a counterfeit EMV card, because chip cards generate one-time cryptograms that can’t be replicated. But the PAN could be used to create a fake magnetic-stripe card for use where mag-stripe cards are common—the United States is the last big non-EMV country—or on the Internet.
The new tokenization guidelines come only about a week after the Council published guidance about penetration testing, which is used to identify vulnerabilities in a card-accepting organization’s computer and network systems that could be exploited by hackers. Both the tokenization and penetration-testing guidelines and other recent PCI Council initiatives are occurring as the card industry prepares for the Oct. 1 EMV liability shift. That’s when the major card networks will assign liability for a counterfeit point-of-sale transaction to whichever party to that transaction, acquirer or card issuer, didn’t support chip card payments.
“A lot of people who have EMV think you don’t need PCI,” says King, who was with MasterCard Inc. when the United Kingdom began switching to chip cards about a decade ago. “The best security is always where you get EMV and PCI together.” He adds: “We’re not separate … our standards intertwine.”
The view from Europe is that the United States can’t switch to EMV soon enough, according to King. Because of its 1-billion-plus magnetic-stripe cards, “the U.S. is the number-one market for cross-border fraud from all major European countries,” he says. “It’s great that the U.S. is migrating.”
But King, drawing on other countries’ EMV experiences, says fraud could jump as October approaches and criminals realize that the days of using fake mag-stripe cards with relative ease will be ending. “You get a spike around the liability shift because the door is closing,” he says. “In the U.K. our fraud figures spiked horribly, then fell back.”
Echoing other observers, King also says that the United States will likely see an increase in card-not-present fraud as criminals turn their attention to e-commerce. Card-not-present fraud now accounts for about 65% of the U.K.’s fraud, and it’s even higher in Canada, a recent EMV convert.