Payment security standards like Europay, MasterCard and Visa (EMV), Host Card Emulation (HCE), and Point-to-Point Encryption (P2PE) have received much attention and discussion this year. With Apple Pay, we now have a newly hyped payment security solution called tokenization.
Tokenization replaces the payment account number (PAN) and expiration date with numeric codes of the same length, called tokens. Tokenization, in my eyes, solves some of the security problems of the back-end process. It addresses the exchange of information from the phone to the point-of-sale (POS) terminal, and the information processed and sent by the POS to the card processing systems. The timing for Apple to deploy this technology is perfect, given the stories of card breaches from hacked POS systems.
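As an added illustration (not code from this article or from Apple Pay), here is a minimal vault-based tokenizer in Python showing the same-length substitution described above. The `TokenVault` class, the `pos_record` helper, the in-memory storage, the MMYY expiry format and the sample card number are all assumptions made for the example.

```python
import secrets

SAMPLE_PAN = "4111111111111111"  # constructed test number, not a real account

def luhn_ok(number: str) -> bool:
    """Luhn checksum used to sanity-check card numbers on input."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def _digits(n: int) -> str:
    return "".join(str(secrets.randbelow(10)) for _ in range(n))

class TokenVault:
    """Hypothetical in-memory vault; only this component ever stores PANs."""
    def __init__(self):
        self._by_token = {}  # token -> (pan, expiry)
        self._by_pan = {}    # (pan, expiry) -> (token, token_expiry)

    def provision(self, pan: str, expiry: str):
        """Registration step: the one place the real PAN is presented."""
        if not (pan.isdigit() and luhn_ok(pan)):
            raise ValueError("not a valid card number")
        if not (len(expiry) == 4 and expiry.isdigit()):
            raise ValueError("expiry must be MMYY")
        if (pan, expiry) in self._by_pan:
            return self._by_pan[(pan, expiry)]
        known_pans = {p for p, _ in self._by_pan} | {pan}
        while True:
            token = _digits(len(pan))  # same length as the PAN, digits only
            if token not in self._by_token and token not in known_pans:
                break
        token_expiry = f"{secrets.randbelow(12) + 1:02d}{secrets.randbelow(100):02d}"
        self._by_token[token] = (pan, expiry)
        self._by_pan[(pan, expiry)] = (token, token_expiry)
        return token, token_expiry

    def detokenize(self, token: str):
        """Card-processing side: map a token back to the real PAN and expiry."""
        return self._by_token[token]  # KeyError for unknown tokens

def pos_record(token: str, token_expiry: str, amount_cents: int) -> dict:
    """What a POS would hold for a sale: token fields only, never the PAN."""
    return {"account": token, "expiry": token_expiry, "amount_cents": amount_cents}
```

A dump of `pos_record` output yields only tokens, which are useless without access to the vault's mapping.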
Apple’s recent announcement also comes right as EMV is starting to roll out, triggering a major shift in breach liability for 2015. We saw some headlines where tokenization was presented as an alternative to EMV. Tokenization and EMV are different but have complementary capabilities. Tokenization addresses the potential for fraud in the card-not-present scenario within the online/mobile payment channel, but it does not address the physical card risks at the POS terminal. EMV originally required the card to be used at the point of sale. In summary, tokenization allows a simpler and secure way to use EMV with mobile devices, and EMV enables the secure use of token-carrying devices.
No single solution is a magic bullet in the fight against cybercrime. Solutions like EMV, tokenization, and P2PE need to work together to fully protect a merchant throughout the payment. Tokenization addresses the storage of card data, EMV addresses the authentication of the card using a chip, and P2PE addresses the transmission of card data.
While each of these solutions effectively addresses the payment ecosystem, we have yet to see the emergence of new solutions that address the credit card registration process. The process of validating cards remains the same as before, and it still has a lot of issues. For example, Apple didn’t disclose how they read card pictures to add the card account number. Also, the PAN is still transmitted from the phone to the payment network to get the tokenized PAN. Time will tell if this becomes a new fraud landscape. However, as an industry, we are making progress in creating an ecosystem that better addresses the opportunity for fraud.