Hurdles of Tokenization & Consumer Authentication for EMV - A Software Architect’s Perspective
My name is Justin Stanley and I am the lead software architect at TokenEx. When I was asked for my input on a tokenization and consumer authentication blog for EMV, I wanted to be as realistic as possible about security solutions. Every data environment is so unique and complex that it is hard to make blanket statements that one security solution is going to be effective 100% of the time in protecting a company from cyber-attacks. Unfortunately, there is not one security solution that is 100%, but there are some solutions that get really close. They push proper data security to the very edge of your data environment, significantly reducing your odds of a data breach, and if you are breached, you won’t expose any sensitive data of your customers.
Tokenization and consumer authentication are two things to become very familiar with as EMV rolls out across the United States. Banks have shifted the fraud liability to merchants who do not use the new chip-and-PIN machines. The adoption for retailers is both expensive and labor intensive. The worst part about EMV is its inability to authenticate card-not-present transactions. While EMVCo has developed a tokenization standard, it is not universal and does not necessarily play nice with other tokenization solutions that have been around much longer. Through my many integration experiences, I get to see first hand the proper way to secure a network versus looking for patchwork solutions. One of the main reasons I decided to help build the TokenEx platform was that I believed in tokenization and saw how it revolutionized data security for so many different companies. Couple that with removing toxic data from an environment and you are really heading in the right direction.
Adding consumer authentication to the layered security approach, simply put, eliminates risk points and strengthens the omnichannel payment acceptance model. EMV only works with card-present transactions, and as mobile and other payment channels take off, companies need a way to authenticate card-not-present transactions as well. Europe saw a boom in card-not-present fraud when it implemented the chip-and-PIN system. Consumer authentication is a necessary agent in combating card fraud. Fortunately, companies like Apple and CurrentC are engineering ways to provide consumer authentication for mobile payments, so card-not-present transactions can now be as secure and authentic as card-present transactions using EMV. Apple Pay has been very successful with authenticating and tokenizing its mobile payments, while CurrentC has already been breached. With EMV, consumer authentication is still a wild west of sorts in terms of development, but there are some solid technologies that are beginning to really distance themselves from the pack.
What are the largest reservations potential Tokenization customers have?
The number one concern/question I hear from current customers and prospects today is, “How is tokenization going to impact my existing business operations?” Once tokenization becomes the preferred solution, the next logical question is how to implement it without disrupting your core competency and way of making money. We have found that these concerns are often the easiest to overcome just by talking through them. Businesses want and need to run at maximum efficiency, so I have to demonstrate in specifics how tokenization does not create inefficiencies or latency in their core business operations. It is important for me to show the technology and business owners we work with how quickly sensitive data is tokenized with our platform. Since we integrate into our customer’s environment, we can remain processor/gateway/authentication agnostic, allowing our customers to pick a provider that best suits their bottom line.
What are potential environment obstacles to consumer authentication?
One of the main obstacles for consumer authentication is the staying power of mobile wallets. Amazon has already abandoned theirs as of today. Moreover, the methodologies behind authentication are also off-putting for consumers. There is a strong hesitation among consumers over using biometrics, because it gets too personal and invasive over time. Will people be comfortable using their fingerprints with solutions like Apple Pay? So far, adoption levels have not been as high as expected. However, people are doing it, because of a lack of better technologies. Post-biometric adoption, you then have to look at how companies will secure your biometric information and any payment card data. That is a whole other rabbit hole…
Would either consumer authentication or Tokenization prevent a breach?
Unfortunately, the answer is no. Fortunately, the breach would result only in the insult that it occurred. The injury is removed because there is no sensitive data to steal. These technologies cannot stop a cyber-thief from gaining access to your data. However, EMV and consumer authentication solutions can reduce the chance of fraud by making it harder for stolen data to be used, while stealing tokenized data would simply supply the thief with a bunch of useless data that cannot be used.
I’ve already implemented a consumer authentication model, why do I need tokenization?
You’ve basically only addressed one of two data security components by implementing consumer authentication. One addresses fraud prevention by authenticating a user, while tokenization addresses risk and compliance by securing data. If sensitive data is stored in your environment, it’s a target for cyber thieves. Tokenization replaces the toxic credit card number with a surrogate value that is then stored in your environment. In the event of a breach, the thieves have just acquired a bunch of useless data.
Tokenization sounds complicated… Is it?
It may be a twelve-letter word, but it isn’t a twelve-step process! The entire premise behind tokenization is simple. As early as possible in your acceptance flow, replace the credit card number with a surrogate value (a token). Then, for <<Insert business process here>>, use the token in place of the credit card number. You still have all of the “Big Data” analytics capabilities you had with the sensitive data, but now if it is breached the cybercriminal has only a meaningless token value.
Tokenization does not change your business processes, as the data is captured at the very far edge of your data environment and replaced immediately. Oftentimes cloud-based tokenization solutions like TokenEx will significantly reduce your PCI compliance burden by removing PCI data from your environment. This reduces the number of assets in scope for your environment, rather than adding to them like some on-premise encryption and tokenization solutions do. TokenEx offers a solution where we integrate with your technologies as close to the point of payment card entry as possible. Once we have it, we tokenize it and return the token to you for use in your environment.
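As an added illustration of the flow just described (example code written for this article, not TokenEx’s platform or API): a small in-memory vault that validates the incoming card number, issues a random token that keeps the card’s last four digits for receipts and reporting, and restricts detokenization to a single role. The vault class, the role name and the test card numbers are constructed for the example.

```python
import secrets
import string


def luhn_valid(number: str) -> bool:
    """Return True if the digit string passes the Luhn check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right, folding two-digit results
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical vault (constructed for this example). After tokenize() returns,
    the card number lives only here; the merchant environment keeps the token."""

    def __init__(self) -> None:
        self._pan_to_token: dict[str, str] = {}
        self._token_to_pan: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        pan = pan.replace(" ", "")
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("input is not a well-formed card number")
        if pan in self._pan_to_token:
            return self._pan_to_token[pan]  # same card -> same token, so per-card analytics still work
        while True:
            # The body is random, so the token has no mathematical relationship to the card number.
            # The last four digits are preserved so receipts and reports can still display them.
            body = "".join(secrets.choice(string.digits) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # Reject collisions, and reject tokens that pass Luhn so a token can never be
            # mistaken for (or accidentally submitted as) a live card number.
            if token not in self._token_to_pan and not luhn_valid(token):
                break
        self._pan_to_token[pan] = token
        self._token_to_pan[token] = pan
        return token

    def detokenize(self, token: str, caller_role: str) -> str:
        """Only the payment-processing path may recover the card number; everything else uses the token."""
        if caller_role != "payment-processing":
            raise PermissionError("detokenization is restricted to the payment-processing role")
        return self._token_to_pan[token]
```

Every downstream system (order history, reporting, customer service) works with the token and never needs a detokenize call, which is what keeps those systems out of PCI scope.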
Why Tokenization & Consumer Authentication Are a Powerful Duo
Whether your business follows a traditional "Brick and Mortar" model and you have implemented EMV technology in your POS, or you are an online "eTailer" who has implemented a consumer authentication solution, you’ve drastically reduced the likelihood of fraudulent transactions and have shifted the liability back to the issuer should they occur. While these technologies can make it harder for a criminal to use stolen credit card data, they don’t prevent the criminal from stealing it in the first place. In fact, by using these technologies on their own you still have a great deal of risk in the event of a breach. Let’s fix that… After you’ve validated the consumer at the acceptance channel, the next thing you need to do to protect yourself is tokenize the data. By storing tokenized data, all a cyber-thief can steal from you is a meaningless value that cannot be used.