LAYERING SECURITY SOLUTIONS WITH EMV AND TOKENIZATION




tokenex.com
LAYERING SECURITY SOLUTIONS WITH EMV AND TOKENIZATION
A TokenEx White Paper

White Paper: LAYERING SECURITY SOLUTIONS WITH EMV AND TOKENIZATION
September 2015, Revision 1.1

EXECUTIVE SUMMARY

When a new technology is introduced as a mandatory requirement for doing business, it can initially cause confusion and consternation, especially a technology that requires expensive upfront investments in equipment, and doubly so if it shifts liability for fraud. So it is today with EMV chip-based payment cards and the required card readers. EMV has, so far, been successful at reducing card-present fraud and the proliferation of fake mag-stripe cards in Europe, where it has been widely implemented. However, the high cost of implementation and its weakness in preventing card-not-present fraud have slowed its introduction in the United States. Confusion abounds as to what the approaching deadline for implementing EMV technology means to retailers and omni-channel businesses; what it does and doesn't accomplish; and how it fits in with other security strategies. This paper will help you understand these conundrums and how the TokenEx Cloud Security Platform, alongside EMV, can assist you in protecting your payment data while lowering the costs of PCI compliance and reducing data theft risk, without impacting your normal business processes.

A TokenEx White Paper Page 1 of 9

SHIFTING LIABILITY MEANS MORE WORK FOR MERCHANTS AND CONSUMERS

Card brands, payment card issuers, and merchants have been fighting it out for years over who gets to lose the most money over payment card fraud. Card brands want to hold the card issuer liable for the losses. Merchants lose sales and deal with chargebacks while footing the bill for the high cost of PCI compliance. In the middle of this muddle are the consumers.

Most card-present fraud is perpetrated when black market hackers steal card data from all types of organizations. Brick-and-mortar retailers, e-commerce web stores, insurance and healthcare organizations, even charities and nonprofits are targets of borderless hackers. The stolen payment card information is commonly used to create new mag-stripe cards so that goods can be quickly bought and resold before the original accounts are cancelled. This cycle of theft creates problems for everyone:

- Card issuers get stung by the unrecoverable charges and card replacement fees.
- Merchants get hit with chargebacks and lost sales, as well as heavy fines if their business systems are breached and customer data is stolen.
- Consumers have to replace cards, cancel accounts, and keep an eagle eye out for false charges.
- Card brands lose consumer confidence when a particular brand is targeted and bad press ensues.

It's an endless cycle of data theft, fraudulent purchases, cancelled accounts, and money lost by everyone except the hackers. The root problem is that as long as the payment data is stored in business systems in the first place, the cycle keeps repeating, gaining momentum as more and more data is stolen and the finger pointing continues.
CREDIT CARD COMPANIES LAUNCH THE EMV SALVO

With all sides exasperated by losing the ongoing card fraud battles against the seemingly inexhaustible tricks and techniques of international hackers, the technology of chip-and-PIN EMV cards was introduced over 10 years ago by the EMVCo organization's six members: American Express, Discover, JCB, MasterCard, UnionPay, and Visa. The result in Europe, where it was widely deployed, was at first encouraging, as card-present fraud declined sharply. With EMV, it proved nearly impossible for hackers to duplicate the chip-and-PIN card combination to make fake cards. And then, like all successful organisms, the hackers evolved and changed tactics to card-not-present (CNP) transactions, and a literal feeding frenzy of online fraud ensued in countries using EMV.

Ironically, CNP fraud is not the fault of EMV technology; it's just the next logical avenue of attack for hackers, one that EMV wasn't designed to prevent. And it turns out that, in many ways, it's even easier than card-present fraud. Now that it's time for the mandatory debut of EMV cards in the United States, the largest market for credit and debit card transactions, expectations, and worries, are high.

EMV essentially ensures that a card's primary account number (PAN) belongs to the card with the linked chip. At the time of a transaction with an EMV card reader, the encrypted iCVV data in the card's embedded chip is transmitted to the card issuer to verify the ownership and validity of the PAN on the card. Once verified, payment data is transmitted as usual to the payment processor on a separate channel. The EMV technology effectively prevents the use of stolen card data to create new cards, thus greatly reducing fraudulent card-present transactions.

However effective for preventing card-present fraud, the rollout of new cards has a downside. The new EMV cards must coincide with the installation of new and expensive card readers at the point of sale (POS). Imagine you are a company that manages retail fuel stations over several states, with thousands of pumps. Every one of the pumps should eventually be retrofitted with EMV readers, at a cost of millions of dollars. Or you are a retail chain with hundreds of stores and checkout counters. In many cases, accepting the occasional card fraud charge can be more cost effective than installing thousands of new EMV readers. In addition, consumers must learn to leave the card in the reader for the duration of the transaction, increasing the chance that a hurried and harried shopper may forget to retrieve the card from the device (e.g., a gas station pump), resulting in more hassles for the merchant and the consumer.
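The chip-to-issuer verification described above, as a simplified model. This is an added example, not code from the TokenEx paper or from EMVCo: a card-unique key known only to the chip and the issuer produces a per-transaction cryptogram, and the issuer recomputes it. HMAC-SHA256 stands in for the MAC a real EMV card uses to build its Application Request Cryptogram (ARQC), and the issuer key, PAN, amounts and unpredictable numbers are constructed sample values. The point it demonstrates is the paper's: static data copied from a card, or a cryptogram captured from an earlier transaction, does not pass the issuer's check.

```python
"""Simplified model of EMV chip-to-issuer verification.

Added example, not the paper's or EMVCo's code. A real chip returns an ARQC
computed with a card-unique key the issuer loaded at personalization; here
HMAC-SHA256 replaces EMV's session-key MAC and all values are constructed.
"""
import hashlib
import hmac

# Constructed sample key; a real issuer key lives in an HSM and is never exported.
ISSUER_MASTER_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
SAMPLE_PAN = "4111111111111111"  # well-known test PAN, not a live account


def derive_card_key(pan: str) -> bytes:
    """Issuer derives one key per card; it is written into the chip and never read out."""
    return hmac.new(ISSUER_MASTER_KEY, pan.encode(), hashlib.sha256).digest()


def chip_cryptogram(card_key: bytes, pan: str, amount_cents: int,
                    unpredictable_number: str, atc: int) -> bytes:
    """What the chip returns to the terminal for one transaction.

    The terminal's unpredictable number and the chip's application
    transaction counter (ATC) make every cryptogram unique.
    """
    data = f"{pan}|{amount_cents}|{unpredictable_number}|{atc}".encode()
    return hmac.new(card_key, data, hashlib.sha256).digest()[:8]


def issuer_verify(pan: str, amount_cents: int, unpredictable_number: str,
                  atc: int, cryptogram: bytes) -> bool:
    """Issuer recomputes the cryptogram from the same inputs and compares in constant time."""
    expected = chip_cryptogram(derive_card_key(pan), pan, amount_cents,
                               unpredictable_number, atc)
    return hmac.compare_digest(expected, cryptogram)


def genuine_chip_transaction(pan: str, amount_cents: int,
                             unpredictable_number: str, atc: int) -> bool:
    """A genuine chip holds the card key, so its cryptogram verifies."""
    arqc = chip_cryptogram(derive_card_key(pan), pan, amount_cents,
                           unpredictable_number, atc)
    return issuer_verify(pan, amount_cents, unpredictable_number, atc, arqc)


def replayed_cryptogram_transaction(pan: str, amount_cents: int, captured_arqc: bytes,
                                    new_unpredictable_number: str, atc: int) -> bool:
    """A copied card has no key and can only resend a cryptogram seen earlier.

    The terminal chose a fresh unpredictable number for this transaction, so
    the issuer's recomputation no longer matches.
    """
    return issuer_verify(pan, amount_cents, new_unpredictable_number, atc, captured_arqc)


def static_data_transaction(pan: str, amount_cents: int,
                            unpredictable_number: str, atc: int) -> bool:
    """A counterfeit built from track data alone has to guess the key, and fails."""
    guessed_key = hashlib.sha256(b"not-the-card-key").digest()
    forged = chip_cryptogram(guessed_key, pan, amount_cents, unpredictable_number, atc)
    return issuer_verify(pan, amount_cents, unpredictable_number, atc, forged)


if __name__ == "__main__":
    un = "1a2b3c4d"  # constructed terminal unpredictable number
    print("genuine chip :", genuine_chip_transaction(SAMPLE_PAN, 1999, un, 5))
    captured = chip_cryptogram(derive_card_key(SAMPLE_PAN), SAMPLE_PAN, 1999, un, 5)
    print("replayed ARQC:", replayed_cryptogram_transaction(SAMPLE_PAN, 1999, captured, "ffffffff", 5))
    print("static copy  :", static_data_transaction(SAMPLE_PAN, 1999, un, 5))
```

The model also shows why the issuer binds the amount and the ATC into the cryptogram: changing either input after the chip has signed it makes the verification fail, which is the property that leaves a mag-stripe clone with nothing usable.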
Card issuers are using the traditional carrot-and-stick approach to convince merchants to implement EMV terminals. Carrot: once EMV readers are implemented, any instances of card fraud are absorbed by the card issuer. Stick: if EMV is not implemented, liability and costs shift to the merchant for fraud at the POS. For merchants, that's big money up front, or unknown amounts of money if fraud occurs in the future. Merchants that historically have low occurrences of card-present fraud need to think twice about how quickly they move to EMV devices. But merchants actually have few choices in the long term for complying with the new EMV card mandate:

- Bite the bullet and install EMV readers and software in POS systems.
- Stick with existing devices and accept the risk and cost of fraudulent card-present transactions.
- Hope that ApplePay or other NFC (Near Field Communication) services take off, which still requires new POS terminals but will do away with physical cards altogether at some future time.

Regardless of the path merchants take to deal with EMV and preventing fraud through POS card-present sales, there is another whole level of complexity with card-not-present acceptance channels with EMV cards.

CONSUMER AUTHENTICATION FOR CARD-NOT-PRESENT TRANSACTIONS

E-commerce merchants, or any organization that receives payments over the Internet, need to implement additional authentication controls for CNP transactions, since the security of EMV is ineffective without a physical interaction at a POS terminal. Properly implemented on the web store checkout page, an additional authentication code, known only to the consumer and the card-issuing bank, puts the onus of fraud back on the issuer instead of the merchant. But the extra authentication step puts up a potential barrier for the consumer too. The main problem with this isn't technical; it's human nature.

Looking at the transaction from the other side of the card, so to speak, consumers will be encouraged by card issuers to implement Consumer Authentication techniques, known as 3-D Secure, for CNP transactions for online purchases. Unfortunately, each card brand uses a slightly different implementation, so one authentication technique won't work across brands (Visa vs. MasterCard vs. Discover). Each technique requires passwords, codes, or PINs to be entered for every transaction via online web markets. This proliferation of YAP (yet another password/PIN) frustrates consumers and can result in abandoned shopping carts, especially when encountered for the first time by the shopper. Once a web store incorporates a 3-D Secure checkout, the shopper must either have already set up their codes via their bank, or do it on the payment page (a potentially complex and baffling process).

The first-time setup process for establishing unique authentications on the consumer side when online is often ripe for phishing. The Verified by Visa protocol, for example, recommends that the bank's verification page load in an inline frame session on the merchant's checkout page. However, that process doesn't support any way for the shopper to verify the security certificate.
Hackers have already attacked this process in infected web stores by diverting the setup security window to a fake web page, where the card owner literally hands them the keys to the account. How much worse can it get?

STOPPING FRAUD AT THE SOURCE

Circling back to the real source of card fraud, especially CNP fraud: too many organizations accept, store, and transmit payment card data. This puts organizations at risk for data theft, as well as footing the bill for the high cost of keeping their business systems compliant with the PCI Data Security Standard. If payment data is not stored in business systems where it can be stolen, the whole cycle of payment fraud is stopped in its tracks.

The mantra of all organizations that work with payment card data should be: "If you don't need it, don't take it." This deceptively simple model is a guide to protecting your business and your customers' information, and to disrupting the cycle of fraud. It simply means that unless there is a powerful business reason to accept and store payment card data, you shouldn't touch it at all. With no payment data to steal during a successful hacker breach, organizations can attain three benefits:

- Reducing PCI compliance costs to the very minimum;
- Eliminating the risk of losing customer payment (and private) data to hackers;
- Removing the source of payment fraud, because hackers can't steal what's not there.

Let's explore how this simple concept can be efficiently implemented before or along with EMV payment technology.

Preparing for EMV in Retail and E-Commerce

Let's assume that you are a retail organization with both a brick-and-mortar and an online web store presence. This means you have at least two acceptance channels for payments: physical POS checkout and web page shopping cart/checkout. The approaching EMV deadline means you have to:

- Install EMV terminals in your stores, replacing old mag-stripe readers, and update your POS system software.
- Add a Consumer Authentication step to your web checkout page to protect against CNP fraud.

However, even after making these changes, you are still accepting, transmitting, and storing payment data within your business systems.
Implementing EMV, while great for protecting the card companies' bottom line, does nothing to help you lower your PCI compliance costs or avoid the ramifications of losing customer data during a breach. Since you are revamping your POS and web store acceptance channels, now is the time to examine your need to accept and store payment data at all. By ridding your systems of payment card data, you can save considerable funds that would go to PCI compliance and invest them in other security measures, such as implementing EMV.

Layering in Tokenization to Disrupt the Fraud Cycle

The most thorough way to flush your systems of toxic payment card data is to use a tokenization platform that captures payment data at the very edges of your transaction stream (the EMV POS terminal and the web store server), encrypts the PAN, stores it in a secure cloud data vault, and returns only mathematically unrelated tokens to your business systems for use in business processes. The TokenEx Cloud Security Platform does exactly that, ensuring that all your business systems are cleansed of toxic payment data.

A Semi-Integrated Payment Environment Provides Flexibility

One of the options that organizations need to consider when implementing EMV and tokenization is whether to opt for a fully-integrated payment environment or a semi-integrated platform. A fully-integrated payment environment consists of one software platform handling all the data: from the EMV terminal reading the card data, to the point of sale software, to bank verification, all the way to the payment processor. While somewhat simpler to implement, this unified model severely limits the flexibility to add or change components or architecture. For example, in a fully-integrated environment, any change to the terminals or POS software requires recertification of the entire system by the card issuer. This includes adding or changing terminal hardware or upgrading POS software, anything in your POS architecture that affects the acceptance of payment cards. Recertification can be costly and time consuming, with most of the financial burden falling on the merchant. In addition, a fully-integrated payment system does not lend itself to a layered security approach because all the elements are tightly integrated. Here again, trying to insert extra security layers, such as tokenization, can be difficult and also triggers recertification audits.

A semi-integrated payment environment uncouples the EMV terminal from the POS and the payment processor to provide more flexibility. In a semi-integrated payment environment, payment data transmission is limited to the payment platform and the processor. Payment data never reaches the POS system, so it can be limited to the lowest levels of PCI controls, resulting in significant savings and reducing the risk of data theft through terminal tampering. It's also much easier to layer tokenization into a semi-integrated payment environment, which is critical to protecting an omni-channel acceptance environment. With a semi-integrated payment environment, you get flexibility, choice, and lower levels of PCI compliance.

The TokenEx Cloud Security Platform integrates between the EMV terminal and the POS, just like current P2PE terminals, capturing the encrypted PAN, relaying it to the TokenEx Secure Data Vault, and returning only a token for the POS system to store and use. The EMV authorization step is unaffected by the TokenEx integration. However, if the terminal is changed, for example to a new NFC-capable version, the POS system is isolated from the change by the TokenEx interface, so it does not have to be re-certified by the card vendor, reducing costs and increasing flexibility.
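The edge-capture flow described in the two passages above ("If you don't need it, don't take it" and the semi-integrated terminal-to-vault-to-POS path), as an added model. This is example code, not TokenEx's implementation: the terminal hands the PAN to a vault before it can reach the POS, the vault returns a random multi-use token, and only the gateway leg that forwards to the processor is allowed to detokenize. The `Vault`, `semi_integrated_sale`, `settle_with_processor` and `find_live_pans` names, the Luhn-invalid token format, and the test PAN are all assumptions of this example; TLS on the terminal-to-vault and vault-to-processor links is assumed rather than modelled.

```python
"""Model of edge-capture tokenization in a semi-integrated payment flow.

Added example; not TokenEx's implementation. The POS only ever sees tokens,
and a PAN scanner run over POS data finds nothing in scope.
"""
import hashlib
import hmac
import re
import secrets

SAMPLE_PAN = "4111111111111111"  # well-known test PAN, not a live account


def luhn_valid(digits: str) -> bool:
    """Standard Luhn check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


class Vault:
    """Token vault: the only component that stores a PAN."""

    def __init__(self, index_key: bytes):
        self._token_to_pan = {}
        self._pan_index = {}  # keyed HMAC(PAN) -> token: same card, same multi-use token
        self._index_key = index_key

    def _index(self, pan: str) -> str:
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def _new_token(self) -> str:
        # Design choice (assumption): 16 random digits chosen to FAIL the Luhn
        # check, so the token is unrelated to the PAN and a scanner cannot
        # mistake it for a live card number.
        while True:
            token = "".join(secrets.choice("0123456789") for _ in range(16))
            if not luhn_valid(token) and token not in self._token_to_pan:
                return token

    def tokenize(self, pan: str) -> str:
        """Terminal-side entry point: validate the PAN, return a token."""
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("input is not a well-formed PAN")
        idx = self._index(pan)
        if idx not in self._pan_index:
            token = self._new_token()
            self._token_to_pan[token] = pan
            self._pan_index[idx] = token
        return self._pan_index[idx]

    def detokenize(self, token: str, caller_role: str) -> str:
        # Only the processor-facing gateway leg may recover the PAN; the POS cannot.
        if caller_role != "gateway":
            raise PermissionError(f"role {caller_role!r} may not detokenize")
        return self._token_to_pan[token]


def semi_integrated_sale(vault: Vault, pan: str, amount_cents: int, pos_records: list) -> str:
    """Terminal -> vault -> POS. The POS record holds the token, never the PAN."""
    token = vault.tokenize(pan)
    pos_records.append({"amount_cents": amount_cents, "card_token": token})
    return token


def settle_with_processor(vault: Vault, token: str, amount_cents: int) -> dict:
    """Gateway leg: detokenize only at the moment of forwarding to the processor."""
    pan = vault.detokenize(token, caller_role="gateway")
    return {"pan_last4": pan[-4:], "amount_cents": amount_cents}


_CANDIDATE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def find_live_pans(text: str) -> list:
    """PCI-scope check: Luhn-valid 13-19 digit runs in a log or database dump."""
    return [m for m in _CANDIDATE.findall(text) if luhn_valid(m)]


def demo_flow(index_key: bytes = b"constructed-index-key") -> dict:
    """Runs two sales on one card and a settlement; returns the observable results."""
    vault = Vault(index_key)
    pos_db = []
    first = semi_integrated_sale(vault, SAMPLE_PAN, 1999, pos_db)
    second = semi_integrated_sale(vault, SAMPLE_PAN, 500, pos_db)
    try:
        vault.detokenize(first, caller_role="pos")
        pos_could_detokenize = True
    except PermissionError:
        pos_could_detokenize = False
    return {
        "token": first,
        "same_token_for_same_card": first == second,
        "token_is_not_pan": first != SAMPLE_PAN,
        "token_luhn_valid": luhn_valid(first),
        "live_pans_in_pos": find_live_pans(str(pos_db)),
        "pos_could_detokenize": pos_could_detokenize,
        "settlement": settle_with_processor(vault, first, 1999),
    }


if __name__ == "__main__":
    print(demo_flow())
```

Running `demo_flow()` shows the three properties the paper relies on: the POS database contains no Luhn-valid card numbers (so `find_live_pans` returns nothing), the POS role cannot detokenize, and the same card maps to the same token so loyalty and repeat-purchase logic keeps working on tokens alone.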

TokenEx Hosted Payment Page Simplifies CNP Authorization

The TokenEx Cloud Security Platform also helps simplify the 3-D Secure consumer authorization step on a web store checkout page. As previously discussed, the additional steps required to set up and verify the authorization code can be complex, especially the first time a consumer encounters the requirement, so TokenEx supports this process by adding parameter fields. TokenEx can further simplify this process by hosting your payment page on the TokenEx Cloud Security Platform, relieving you of the collection of payment data and the processing of consumer authorization codes while maintaining the look and feel of your custom web site checkout page. You can read more about the TokenEx Hosted Payment Page at our website.

An Open Integration Platform Enables Layers of Fraud Prevention

Even though your data is safely tokenized, there is still plenty of unguarded data stored in other organizations' systems, and that stolen data can be used fraudulently against your business. TokenEx provides an open integration platform enabling organizations to layer additional security solutions into their payment processing and business systems. TokenEx can integrate fraud prevention services, such as Kount, directly into your tokenized payment stream, so you get real-time alerts on suspect charges. Other real-time or batch processing services, such as an account updater service, can also be layered into your payment streams, lowering risk and protecting you against chargebacks.

BEING PAYMENT PROVIDER AGNOSTIC IS ESSENTIAL FOR MAXIMUM FLEXIBILITY

In addition to cleaning out your toxic payment data, the TokenEx Cloud Security Platform is payment processor agnostic, so you can choose to work with one or multiple payment gateways and processors of your choosing. You can even switch among them to obtain the best service and pricing.
In addition, once you have multiple payment vendors set up with the TokenEx Transparent Gateway, you have instant backup and redundancy should one provider go dark.

Why is freedom of payment processor choice an important consideration for EMV implementation? In an omni-channel acceptance environment you'll need to accommodate retail POS, as well as web stores, call centers, and mobile apps. Depending on your business rules, you may want different payment processors or payment services (e.g., fraud detection) processing payments from the different channels. In a fully-integrated payment system, it's difficult to work with multiple providers. With a semi-integrated payment environment using the TokenEx Cloud Security Platform, you can use any provider with any channel you choose, providing maximum flexibility.

Freedom of choice also extends to being payment acceptance agnostic. Maintaining a semi-integrated payment environment with TokenEx also lets you accept all types of payment card brands, including merchant-branded loyalty cards. On the other hand, if you choose to let your sole payment processor or card brand issuer manage your tokenization, you lose the ability to work with other brands of cards. Your goal is to be as open as possible to accepting payments from any source that your customers want to use. Tokenizing your payment data with TokenEx gives you that freedom.

LAYERED SECURITY WITH APPLEPAY AND NFC PAYMENT PROCESSING

As you shift your POS to EMV-enabled technology, you should consider the eventual upside of Near Field Communication (NFC), or contactless, payments such as ApplePay or Google Wallet. NFC technology, while still in its early rollout, will undoubtedly become more prevalent and popular with consumers thanks to its ease of use and security. EMV and NFC capable terminals are not that much costlier than EMV-only terminals.

Tokenization is an integral part of ApplePay, albeit a proprietary technique that only works with Apple services. But if consumers have an iTunes account, they are likely to use the associated payment card with ApplePay to make purchases. While ApplePay and Google Wallet relieve the merchant of much of the responsibility for payment card fraud, not every customer will have or use this new channel. Plus, these vendors exact additional processing fees for every transaction. However, many merchants will ultimately have to accommodate both NFC and EMV purchases. Relying on the TokenEx Cloud Security Platform to encrypt, tokenize, and store all non-ApplePay transactions provides the same or a better level of security, keeping your payment data out of your POS and safe from data theft. With TokenEx, there are no additional costs per tokenization transaction, either.

In essence, both EMV and NFC are just additional acceptance channels that merchants must incorporate into their payment strategy. At the end of the day, risk is based not on how you accept payments, but on whether you choose to store customer data that can be stolen and used for fraud. Using tokenization to purge all payment data from your business systems is the only real way to ensure that when a breach does occur, there is nothing of value to lose.

EMV AND TOKENIZATION WORKING TOGETHER TO PROTECT YOUR ORGANIZATION

The sophistication of data thieves and state-sponsored hackers requires layers of security to protect your customers' payment and personal data, the lifeblood of your business. The TokenEx Cloud Security Platform is the best way to get rid of toxic data, so that it can't be stolen from your systems, while lowering the cost of PCI compliance. Its high-performance architecture ensures that tokenization integrates readily with your business processes, so that there are minimal changes or impacts to how you operate, while providing the highest level of security for payment card data.

EMV is just another layer in the multi-dimensional security architecture required to run a business today. Along with tokenization, fraud detection, chargeback mitigation, and other payment support services, EMV is a necessary layer that keeps your business humming while minimizing payment card fraud and keeping the burden of financial liability off your shoulders.

Need to know more about how EMV and tokenization fit into your specific enterprise? Talk to us today about securing your customer data tomorrow. Contact us at sales@tokenex.com or call 1.877.316.4544.

TOKENEX
1350 South Boulder, Suite 1100
Tulsa, Oklahoma 74119
https://tokenex.com