Steve Mott
When EMV stalled last year, a battle royal erupted across the payments business to draft the rules for a key security technology. Here’s who’s winning—and whether that’s a good thing for the industry.
The spate of mag-stripe-based data breaches over the holidays sent the industry into convulsions and produced rare resolve to actually fix the problem. But how to replace the mag-stripe?
That’s hotly debated, and the resulting scramble to push into an industry standard technologies that will produce the fix has ushered in another volatile and fascinating chapter in the politics of payments.
The stakes couldn’t be higher. The solution that’s finally adopted will define the next generation of card payments and the terms of engagement for both legacy providers and new digital giants alike—notably, rules and rates. The first ones to create a critical-mass standard—which many believe will include tokenization of payment-account credentials—will not only provide the architecture around which the rest of the industry has to integrate, but also become the lead dog in providing ancillary security services for additional fees.
Mad Scramble
With tokenization, random digital representations of the primary account number (PAN; for example, the 16-digit PAN could become ‘Ag3F45xHi2nwR’) and other payment-account credentials are created and distributed by the account issuer.
This secure, digital token is offered to merchants for payment—just like the actual numbers contained in the mag-stripe. Eventually, the merchant routes this payment token to the appropriate authorizer, and the resulting consummation of the payment occurs pretty much as it does today.
Unlike encryption, in which account credentials are masked with bit strings that are mathematically derived from the original numbers, tokens are random and bear no relation to the data they represent.
Tokenization’s big benefit is that the account credentials never appear in the clear and are therefore not exposed to data breaches and fraud. If stolen, tokens typically can be used only once, so they are of no value to the fraudster. So both fraud and PCI-compliance concerns pretty much go away.
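As an added illustration (not code from the article or from any provider it names), here is a toy issuer-side token vault that exhibits the two properties described above: the token is drawn from a random generator rather than derived from the PAN, and an authorizer honours a given token only once, so a copy lifted from a merchant is worthless on replay. The PAN and the vault design are constructed for the example.

```python
# Toy issuer-side token vault (constructed example, not a real issuer's system).
import secrets
import string

ALPHABET = string.ascii_letters + string.digits


class TokenVault:
    """Maps random, single-use tokens to the PAN they stand for."""

    def __init__(self):
        self._tokens = {}  # token -> {"pan": ..., "used": bool}

    def issue(self, pan, length=13):
        # Issuer step: the token comes from a CSPRNG, not from the PAN, so
        # unlike ciphertext it carries no mathematical trace of the number.
        while True:
            token = "".join(secrets.choice(ALPHABET) for _ in range(length))
            if token not in self._tokens:
                break
        self._tokens[token] = {"pan": pan, "used": False}
        return token

    def redeem(self, token):
        """Authorizer step: resolve the token to its PAN exactly once."""
        entry = self._tokens.get(token)
        if entry is None or entry["used"]:
            return None  # unknown or replayed token: decline
        entry["used"] = True
        return entry["pan"]


def merchant_flow(vault, pan):
    """Issue -> merchant presents -> authorizer resolves -> replay is refused."""
    token = vault.issue(pan)          # issuer creates and distributes
    first = vault.redeem(token)       # merchant routes token to the authorizer
    replay = vault.redeem(token)      # same token seen again, e.g. stolen from logs
    return token, first, replay


def tokens_are_unlinkable(vault, pan):
    """Two tokens for one PAN share nothing; deterministic encryption of the
    same PAN under the same key would produce identical output every time."""
    return vault.issue(pan) != vault.issue(pan)


if __name__ == "__main__":
    v = TokenVault()
    print(merchant_flow(v, "4111111111111111"))  # constructed sample PAN
```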
Coupled with point-to-point or end-to-end encryption, today’s tokenization services have the potential not only to fix the plague of mag-stripe vulnerabilities, but also make chip-based alternatives—namely the Europay/MasterCard/Visa (EMV) standard—actually deliver meaningful security.
EMV, like its companion technology NFC (near-field communication), decrypts the PAN and other important card-account data at the point-of-sale terminal in card-emulation mode, exposing the account to online fraud and perpetuating the PCI-compliance burden. (The only enhancement the basic EMV deployment offers today is dynamic encryption of the three-digit card-verification value, which does prevent man-in-the-middle interceptions and fraudulent use—but that attack accounts for probably less than 2% of fraud today.)
Adding tokenization (and deploying the full end-to-end encryption option) to EMV has the potential to make this global standard palatable for U.S. merchants and banks, and might actually produce a return on the $8 billion-to-$10 billion they are expected to pay for chip-based infrastructure.
That’s important because most experts agree that EMV in its current state would have done little to lessen the damage from the Target case and other recent data breaches. Moreover, EMV doesn’t address the large problem of online fraud.
“EMV alone would not have prevented the theft of card information in the recent data breaches because it relies on merchants receiving and processing the same static account numbers in use today,” reported David Fortney, senior vice president of product for The Clearing House (TCH) in testimony before Congress early last month. A major check clearing house, New York City-based TCH is a surprise and leading contender to be first to turn tokenization into a standard.
“Those customer account numbers would still be significantly valuable to cybercriminals for committing fraud online, [which] is where most fraud occurs. Additionally, as EMV was designed prior to the Internet, mobile smart phones and tablets, it does not address transactions initiated via those means.”
And that makes the industry’s growing movement to tokenization good business for everyone. What is less certain, though, is who will be making the rules and paying the costs for the new payment system when the current mad scramble to declare a new standard is over. You practically need a scorecard to follow all the maneuvering to “own the fix.”
Lightning Chess
Exhausted by the wretched excess and ineffectiveness of PCI, merchants began deploying tokenization (and encryption) on their own more than five years ago. Industry leader TransArmor, a First Data Corp. business unit, counts some 500,000 merchants as customers.
It costs a little more (merchants might pay a penny or two to tokenize a transaction, and 3 cents to 5 cents to detokenize it when needed to research a problem or analyze a customer account), but compared to waiting for the inevitable data breach to happen with mag-stripe, tokenization has been a godsend.
By contrast, EMV deployment came to a crawl in the U.S. by early 2013, when the industry realized that the 18-year-old chip card system wasn’t designed to do debit card payments in a Durbin-compliant way. EMV contemplated support on the chip for only a single brand’s credit, debit, and/or prepaid offerings, while Durbin mandates that merchants get to choose from two unaffiliated debit networks.
Until a lawful debit solution can be crafted, just about everyone in the industry has asked Visa Inc. and MasterCard Inc. to postpone their October 2015 date for mandating a liability shift on fraud to the party—issuer or merchant—not equipped to handle EMV. But the card brands haven’t budged, and instead have continued to push their own solutions for Durbin compliance.
With EMV at an impasse, and NFC still not out of the starting block, skepticism mounted in the industry over when, if ever, the U.S. would go to chip cards. Many merchants and issuers put their EMV deployment plans on hold.
This is when the scramble to own the fix started in earnest. From this point on, the moves and countermoves became a blur, with Visa, MasterCard, banks, and merchants playing lightning chess to control the card-security agenda.
Pig in a Poke
On July 1 last year, The Clearing House (a consortium of large banks that expedites automated clearing house, check image exchange, and funds-transfer transactions among the owner banks) made the first move. It broke the ice on bank support for tokens when it announced a pilot using quick-response (QR) codes and tokens as an alternative to Secure Elements (SEs—the computer chips housing payment account credentials) in mobile devices.
The industry was captivated by the notion of Visa’s and MasterCard’s biggest banks going in a new direction on their own. That message wasn’t lost on the card brands.
Cryptically, TCH at the time reported that a significant non-bank entity had announced tentative support for TCH’s proposed standard. Some industry analysts speculated that the entity might be MCX, the Merchant Customer Exchange consortium fielding its own QR code, token-based, cloud-accessing mobile wallet—believed to be debuting in a pilot any day now.
With the prospect of both big banks and big merchants heading off in a different (and independent) direction, Visa, MasterCard, and American Express Co. jumped to play catch-up. Early in October, they proclaimed that they would develop the industry standards for tokenization.
But nobody paid much attention.
Then in November, Google rocked the payments world by announcing it could bypass the secure element in mobile handsets with a technique called host card emulation (HCE)—effectively rendering passé the secure-element infrastructure and the expensive rents the mobile carriers were charging to load account credentials on the SEs for NFC payments.
For not only could Google (and others) spoof the NFC infrastructure into thinking it was getting card credentials from the SE (getting favorable card-present interchange rates and treatment in the process), but the transaction could be generated from within the mobile operating system with a security-enhancing token.
The industry speculated that this might be the nail in the coffin for NFC—despite years of heavy support and investment from the card brands.
Meanwhile, concerns over EMV being an excessively expensive pig in a poke had grown to a small roar, prompting even the Federal Reserve to get involved.
The Fed convened a special conference early in December to discuss whether the EMV standard, as owned and controlled by the six biggest payment brands under EMVCo, needed to be updated and perhaps enhanced by transitioning to a chip standard operated by a broader (and more objective) group—such as the Accredited Standards Committee X9 Inc. (X9, which governs most financial transacting, had previously announced its intention to accelerate efforts to derive a global, interoperable tokenization standard.)
Reasserting Supremacy
Just a week later, at a meeting of the EMV Migration Forum, a cross-industry group trying to smooth the way for EMV, Visa announced that its new tokenization program was likely to carry new services and fees for merchants (and probably issuers as well), but, incredibly, acknowledged that its new program did not address the critical element of preventing fraudulent tokens from being obtained when stolen account credentials were used for enrollment.
Merchants and some issuers choked at the prospect of paying even more to the brands with no assurances they could be rid of fraud coming in the “front door.”
Perhaps sensing an opportunity for differentiation from its much larger rival, MasterCard told the Smart Card Alliance Payments Summit meeting that its tokenization program would include tools for issuers to authenticate account enrollments—using mobile and other digital information to validate the funding account enrollment.
By early February, “who will be first” got even more complicated when EMVCo itself announced that it, too, was fast-tracking a global standard for tokenizing the account PAN in transit—ostensibly for incorporation into the EMV specification.
Then, a week later, the table stakes grew even bigger. Visa and MasterCard proclaimed that they would now embrace and support HCE, creating a huge stir in the industry. Were the card brands actually open to real alternatives to the SE, observers wondered, or were they just content to squeeze the carriers out of the payments business by tolerating a software option?
When the dust settled on this announcement, though, the plan was clear. HCE support effectively meant riding on the EMV infrastructure, meaning that the brands were doubling down on the chip-based option.
In early March, EMVCo further spread its wings by announcing that the EMV standard would expand to accommodate HCE, Bluetooth Low Energy/Beacon, and any other last-mile interface that potential competitors to legacy payment brands might offer. Rather than let the future of the global payment system slip into the hands of outsiders like X9, the big card brands were clearly reasserting their supremacy.
Yet, that same week TCH testified before Congress that it would require both EMV and tokenization to prevent the data breaches that occurred with the Target and other intrusions, and gamely offered to work with the rest of the industry to find its way to a fair and open tokenization solution.
True Value Providers
Then, just a day later, Visa and MasterCard announced that they would form an industry ecosystem group comprised of several payment constituencies to shape the best path to secure payments.
This unprecedented—and long-resisted—move seemingly came just one step ahead of growing calls for the Fed to assume that same role—sitting above the brands and the banks and the rest of the payments ecosystem to adjudicate fraud-mitigation efforts in the interests of all parties—just as the U.K. Payments Council and its equivalents in countries around the world do.
“With a priority on delivering meaningful solutions that benefit consumers, merchants and financial institutions of all sizes,” the Visa/MasterCard joint release proclaimed, “this group will focus on a broad range of security-related topics, including:
1. Advancing the migration to EMV in the United States.
2. Promoting additional security solutions like tokenization and point to point encryption.
3. Developing an actionable roadmap for securing the future across all segments of the payments industry.”
Perhaps the card brands have succeeded in out-maneuvering everyone else who proposes to fix today’s broken card-payment system—particularly if the Fed retreats into the shadows again.
But the industry fully realizes that Visa and MasterCard were the ones who fostered the fraud-prone mag-stripe paradigm far beyond responsible limits in the first place. And they’re the ones who have been pushing inferior, non-PCI-compliant EMV and NFC card-emulation approaches on the market. And the ones who apparently joined the tokenization movement only after being embarrassed by their own constituents, as the threat of regulatory intervention looms.
Industry skeptics can be forgiven for viewing these developments as tantamount to letting the fox guard the henhouse. They also have concerns that the card brands don’t seem to be showing much in the way of meaningful contributions to fraud-mitigation technology with respect to tokenization—or much of anything else affecting payment security.
The essence of fraud mitigation is getting payment-account credentials out of the clear, and never setting up a new account with credentials that have ever been in the clear.
If it has taken the card brands more than a decade of rampant fraud to figure that out, and finally decide to act only when their constituents felt compelled to, wouldn’t the industry be better off letting the true value providers of payments—banks and merchants—figure out what works best?
Steve Mott is principal at BetterBuyDesign, a payments consultancy based in Stamford, Conn. Reach him at stevemottusa@yahoo.com.