The Road for Keeping U.S. Payments Secure
The U.S. Payments Security Task Force (PST) – a group of leading U.S. issuers, acquirers, merchants, payment networks and other electronic payment participants – has dared to go where no task force has ever gone before: to create a roadmap for protecting cardholder data at the merchant’s physical or virtual point of sale.
It was a pretty daunting assignment.
Established in 2014, shortly after the Target breach raised the stakes of the conversation about payments security, the PST team pooled its collective knowledge in an effort to streamline the direction and evolution of U.S. payments security. That collaboration has resulted in a new white paper that outlines a direction and provides a roadmap for securing the payments ecosystem in the U.S.
“Both traditional plastic cards and mobile payments are built on a core foundation of trust and security,” said Chris McWilton, President of North American Markets, MasterCard. “As we work across the industry to drive new innovations and services, it’s crucial that we also continue to invest in enhancing the security of the payments system. This white paper outlines some of the best practices every participant can take to strengthen that foundation.”
It’s a pretty thorough piece of work that provides a pragmatic roadmap for what the payments ecosystem in the U.S. must do in order to keep the cardholder data secure and the fraudsters at bay. The report itself is long on thoughtful recommendations but short, by design, on silver bullets. The complexity of the payments ecosystem and the ways in which payments are evolving, the task force acknowledges, requires an equally sophisticated and “layered” approach to preserving the integrity of payments data. There’s simply no single strategy or tactic that can fix payments security and the PST acknowledges that point right up front.
Rather, the PST’s roadmap is a series of recommendations based on their analysis of the current environment in the U.S., the collective insights of key stakeholders across the payments ecosystem and recognition that stopping fraud in one place – at the POS in stores – isn’t nearly enough to solve the problem that brought them all together in March of 2014: how to create a cohesive payments security framework in a payments environment that’s being transformed by the mobile, apps, the cloud and new technologies. Many of the same tools that are transforming payments and commerce are also those that can most effectively advance the many recommendations contained in the PST report.
“There are many new and exciting technologies coming to market that will help make payments safer,” said Ryan McInerney, President, Visa Inc. “This new report is about helping everyone to understand how each technology works, and the type of fraud it can help reduce, so that we can better protect consumer payment information throughout the ecosystem.”
As important as the recommendations the report contains for each player in the payments ecosystem is the PST’s belief that the ecosystem must come together to address the one issue everyone can agree is the industry’s most critical priority: keeping cardholder data safe and preserving the consumer’s trust and confidence in the payments system.
PYMNTS has been given an early look at the work coming out of this group and has summarized it here for you.
TYPES OF FRAUD
The PST’s work and subsequent recommendations addressed two primary types of payment card fraud that result from data breaches.
Counterfeit fraud occurs when the account data encoded on a magnetic stripe card is stolen: the primary account number (PAN), expiration date and a static card verification code. Because that data is identical on every swipe, a criminal who obtains it can encode it onto a counterfeit payment card and use it at the point of sale.
Card-not-present (CNP) fraud occurs when the PAN and expiration date are stolen or otherwise compromised and then used for fraudulent transactions in remote payment channels such as e-commerce, phone/mail orders or recurring payments.
Both fraud types can be enabled by a variety of methods, including malicious software (malware), social engineering, and insiders who gain access to and control of data storage and processing systems.
MANAGING FRAUD: BETTER TOGETHER
While several measures to combat these attacks are already in place, the PST believes that ongoing security challenges call for additional methods that go a step further in protecting against and preventing fraud. More specifically, the PST emphasizes devaluing or eliminating sensitive data as it moves within and between systems. This requires a multi-layered approach to security, implemented alongside continued compliance with PCI standards.
According to the PST, the three technologies that play a vital role in managing fraud are chip technology, tokenization and encryption.
Here’s how the PST defines each:
Chip cards generate a dynamic authentication code for each transaction, offering enhanced security over traditional magnetic stripe cards. Even if the PAN, expiration date and authentication code are stolen in a data breach, says the PST, the code is valid only for the transaction that produced it and cannot be replicated to create a counterfeit chip card. Chip technology is currently being implemented across the U.S. and has been in successful use in other countries for over twenty years.
Chip migration surveys compiled by the PST indicate that issuers surveyed estimate one in two U.S. credit and debit cards will be chip-enabled by the end of 2015. Acquirers surveyed said that 47 percent of terminals will also be enabled to accept these chip cards by that time. To encourage accelerated adoption of chip technology, the largest U.S. payment networks introduced a liability shift that will go into effect in October 2015 for POS terminals. However, while merchants are currently investing in the technology, the size of the U.S. market suggests that at least 3-5 years will be needed to reach full maturity of chip card acceptance, says the PST.
The PST also reminds us that while chip technology protects against counterfeit fraud, it does not protect against theft of the PAN or expiration date, which a chip transaction still carries in readable form unless encryption or tokenization is also applied. Stolen chip transaction details can therefore result in cross-channel fraud, specifically in e-commerce and mail/phone order environments. Other technologies must therefore be layered on for further protection.
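The following is an added example, not code from the PST white paper or from PYMNTS, that models the three points above in a few dozen lines: skimmed magnetic stripe data authorizes again on replay, a captured chip cryptogram does not, and the PAN harvested from either channel still authorizes in a card-not-present flow that checks only PAN and expiry. The HMAC-based cryptogram, the issuer-side transaction counter check, the test PAN 4111111111111111 and the all-zero card key are assumptions for illustration; real EMV cards compute an ARQC with their own key derivation, which is not reproduced here.

```python
import hmac
import hashlib

# Constructed issuer records: PAN -> expiry, static CVV encoded on the stripe, per-card chip key.
# The test PAN 4111111111111111 and the all-zero key are illustrative values only.
ISSUER_RECORDS = {
    "4111111111111111": {"exp": "1217", "cvv": "123", "key": b"\x00" * 16},
}


def chip_cryptogram(card_key, pan, atc, amount_cents, unpredictable_number):
    """Simplified per-transaction authentication code (assumption: HMAC-SHA256, 8 bytes hex).
    Mimics that a real ARQC covers the application transaction counter (ATC), the amount
    and a terminal-supplied nonce, so no two transactions produce the same code."""
    msg = f"{pan}|{atc}|{amount_cents}|{unpredictable_number}".encode()
    return hmac.new(card_key, msg, hashlib.sha256).hexdigest()[:16]


class Issuer:
    """Minimal authorization host for three channels: stripe, chip and card-not-present."""

    def __init__(self, records):
        self.records = records
        self.last_atc = {pan: -1 for pan in records}  # highest counter value seen per card

    def authorize_magstripe(self, pan, exp, cvv):
        """Static track data: identical on every swipe, so anything skimmed once works again."""
        rec = self.records.get(pan)
        return rec is not None and rec["exp"] == exp and rec["cvv"] == cvv

    def authorize_chip(self, pan, atc, amount_cents, unpredictable_number, cryptogram):
        """Dynamic data: the cryptogram must verify under the card key and the ATC must advance."""
        rec = self.records.get(pan)
        if rec is None:
            return False
        expected = chip_cryptogram(rec["key"], pan, atc, amount_cents, unpredictable_number)
        if not hmac.compare_digest(expected, cryptogram):
            return False
        if atc <= self.last_atc[pan]:  # replay of an already-used counter value
            return False
        self.last_atc[pan] = atc
        return True

    def authorize_cnp(self, pan, exp):
        """Remote channel checking only PAN and expiry: chip protections do not reach it."""
        rec = self.records.get(pan)
        return rec is not None and rec["exp"] == exp


def breach_scenarios():
    """Replay what a breached merchant's logs would hand an attacker, channel by channel."""
    issuer = Issuer(ISSUER_RECORDS)
    pan, key = "4111111111111111", ISSUER_RECORDS["4111111111111111"]["key"]

    # 1. Skimmed stripe data replays cleanly: counterfeit fraud.
    stripe_replay = issuer.authorize_magstripe(pan, "1217", "123")

    # 2. A genuine chip transaction (ATC 41, $20.00, terminal nonce 0x1234abcd) is approved...
    genuine = chip_cryptogram(key, pan, 41, 2000, 0x1234ABCD)
    chip_first = issuer.authorize_chip(pan, 41, 2000, 0x1234ABCD, genuine)
    # ...the captured cryptogram is declined when replayed (counter already used)...
    chip_replay = issuer.authorize_chip(pan, 41, 2000, 0x1234ABCD, genuine)
    # ...and a code for a fresh counter cannot be minted without the card key.
    forged = chip_cryptogram(b"\x01" * 16, pan, 42, 2000, 0x1234ABCD)
    chip_forged = issuer.authorize_chip(pan, 42, 2000, 0x1234ABCD, forged)

    # 3. The PAN and expiry read from the same chip transaction still work online.
    cnp = issuer.authorize_cnp(pan, "1217")

    return {
        "stripe_replay_approved": stripe_replay,
        "chip_genuine_approved": chip_first,
        "chip_replay_approved": chip_replay,
        "chip_forged_approved": chip_forged,
        "cnp_with_stolen_pan_approved": cnp,
    }


if __name__ == "__main__":
    for name, outcome in breach_scenarios().items():
        print(f"{name}: {'approved' if outcome else 'declined'}")
```

The last entry is the cross-channel gap the PST describes: the chip fixes the counterfeit column, while the CNP column is only closed by removing or devaluing the PAN itself.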
Thanks to the launch of Apple Pay and other mobile payments schemes, tokenization and its effectiveness in reducing fraud have become quite prevalent. As most people know, tokenization is the practice of replacing an account number with a substitute value – if that value is stolen, the criminal’s ability to use it for fraudulent transactions is limited.
According to the PST, there are three types of tokenization with which it is collaborating to establish alignment, increase industry awareness and enhance ongoing adoption efforts: EMV tokens, acquiring tokens, and issuer tokens.
The PST reports that in March 2014 EMVCo released the first version of an industry-aligned tokenization specification detailing a technical framework for securing digital payments. The specification describes a token as a 13- to 19-digit number that substitutes for, and has the appearance of, the PAN. Created by or on behalf of the issuer, it protects the account number from the moment the payment is initiated until de-tokenization, the remapping from token back to PAN, which takes place in a secure token vault. According to the PST, deployment of tokens is under way, with initial use cases focused on mobile device payment enablement and card-on-file merchants, but broad market adoption will likely take several years.
Acquiring tokens, in use for around 10 years, substitute for the PAN, expiration date and other sensitive account data shared between acquirer and merchant. They are created after the cardholder presents payment credentials and allow sensitive account data to be removed from storage. They are frequently used in card-not-present transactions such as e-commerce and are often coupled with encryption. Acquiring tokenization solutions are proprietary rather than based on an industry standard. Although not yet widely deployed, they will play a role in reducing the PCI footprint of stakeholders in the payments industry, says the PST.
Issuer tokens are also known as virtual card numbers. Issuers create them to reduce risk in specific use cases such as commercial card applications or consumer-oriented services. They resemble the PAN, so merchants and acquirers are unlikely to know that they are handling a token.
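The following is an added example, not code from the PST white paper or from any of the tokenization schemes described above, showing the mechanics common to all three token types: a vault issues a 13- to 19-digit, Luhn-valid substitute that keeps the PAN's length and last four digits, stores the mapping, and is the only place the token can be turned back into a PAN. The dedicated token BIN 999999, the binding of each token to a requesting "domain" (a merchant or channel), and the refusal to de-tokenize outside that domain are assumptions made for the example, chosen to show how a stolen token's usefulness is limited.

```python
import secrets


def luhn_check_digit(payload):
    """Luhn check digit for a digit string that does not yet carry its check digit."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:  # every second digit from the right, counting from the check digit
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number):
    return number.isdigit() and len(number) > 1 and luhn_check_digit(number[:-1]) == number[-1]


class TokenVault:
    """Constructed token service: maps (PAN, domain) -> format-preserving token and back.
    Assumptions: tokens come from a reserved BIN so they cannot collide with real PANs,
    and de-tokenization is refused to any domain other than the one the token was issued to."""

    TOKEN_BIN = "999999"  # hypothetical range reserved for tokens, not a real issuer BIN

    def __init__(self):
        self._by_token = {}       # token -> (pan, domain)
        self._by_pan_domain = {}  # (pan, domain) -> token

    def tokenize(self, pan, domain):
        if not pan.isdigit() or not 13 <= len(pan) <= 19 or not luhn_valid(pan):
            raise ValueError("not a plausible PAN")
        key = (pan, domain)
        if key in self._by_pan_domain:          # same PAN in the same domain: stable token
            return self._by_pan_domain[key]
        middle_len = len(pan) - len(self.TOKEN_BIN) - 4
        while True:
            middle = [secrets.randbelow(10) for _ in range(middle_len)]
            for d in range(10):                 # adjust one digit until the token passes Luhn
                middle[0] = d
                token = self.TOKEN_BIN + "".join(map(str, middle)) + pan[-4:]
                if luhn_valid(token):
                    break
            if token not in self._by_token:     # never hand out the same token twice
                break
        self._by_token[token] = (pan, domain)
        self._by_pan_domain[key] = token
        return token

    def detokenize(self, token, domain):
        """Return the PAN only to the domain the token was issued to; otherwise None."""
        entry = self._by_token.get(token)
        if entry is None or entry[1] != domain:
            return None
        return entry[0]


def demo():
    vault = TokenVault()
    pan = "4111111111111111"  # well-known test PAN, constructed input
    tok = vault.tokenize(pan, "merchant-A")
    return {
        "token": tok,
        "looks_like_pan": tok.isdigit() and len(tok) == len(pan) and luhn_valid(tok),
        "last_four_kept": tok[-4:] == pan[-4:],
        "not_real_pan": tok != pan,
        "stable_for_domain": vault.tokenize(pan, "merchant-A") == tok,
        "different_per_domain": vault.tokenize(pan, "merchant-B") != tok,
        "detok_same_domain": vault.detokenize(tok, "merchant-A") == pan,
        "detok_other_domain": vault.detokenize(tok, "merchant-B"),  # None: stolen token is useless elsewhere
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Because the token passes the same length and Luhn checks as a PAN, existing merchant and acquirer systems can carry it unchanged, which is the "appearance of the PAN" property the EMVCo specification calls for; the vault, not the token format, is what has to be protected.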
Point-to-Point Encryption (P2PE) encrypts payment data inside a secure terminal and keeps it encrypted as it crosses the merchant’s internal network and any external network, until it reaches a secure environment where it is decrypted. P2PE is currently in use in the U.S., alone or in combination with acquiring tokenization and chip. Because encryption begins at the start of the transaction, the PST says, the data is protected from compromise inside the merchant environment by malware or other means.
Encryption performed within the terminal itself, according to the PST, is generally more secure than encryption applied outside the terminal, farther downstream in payment processing. The latter approach leaves the PAN and other sensitive data in the clear in the merchant’s systems up to the point of encryption, and therefore exposed to threats there.
P2PE solutions, like acquiring tokenization, are proprietary. The PCI Security Standards Council’s voluntary P2PE program addresses the security of the process, and while solutions are widely available in the U.S., they have not yet been widely adopted. The PCI SSC program, however, is being optimized and promoted to gain broader industry support, notes the task force.
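The following is an added example, not code from the PST white paper or from any P2PE vendor, that contrasts the two topologies the PST compares: encryption in the terminal, where the merchant’s POS software only ever handles ciphertext, against encryption applied downstream in merchant software, where the cleartext PAN sits in process memory first. A simulated memory scraper (assumption: a regex for 13- to 19-digit runs, the pattern RAM-scraping POS malware hunts for) is run over what each merchant process holds. The stdlib-only cipher (SHA-256 in counter mode with an HMAC tag) stands in for the standard ciphers and hardware key management a real terminal uses; the keys, the Track-1-style record and the POS banner string are constructed.

```python
import hashlib
import hmac
import re
import secrets


def keystream(key, nonce, length):
    """SHA-256 in counter mode used as a PRF stream cipher (stdlib stand-in for AES)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt(enc_key, mac_key, plaintext):
    """Encrypt-then-MAC: returns nonce || ciphertext || tag (toy construction for illustration)."""
    nonce = secrets.token_bytes(12)
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(enc_key, mac_key, blob):
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("tampered ciphertext")
    return bytes(a ^ b for a, b in zip(ct, keystream(enc_key, nonce, len(ct))))


# What POS memory-scraping malware looks for: a run of 13-19 digits not embedded in a longer run.
PAN_PATTERN = re.compile(rb"(?<!\d)\d{13,19}(?!\d)")


def ram_scraper(process_memory):
    return [m.decode() for m in PAN_PATTERN.findall(process_memory)]


def terminal_encrypting_flow(track_data, terminal_keys):
    """P2PE: the terminal encrypts before anything reaches merchant software."""
    blob = encrypt(*terminal_keys, track_data)
    merchant_memory = b"POS v2.1 | " + blob               # constructed: all the POS process holds
    seen_by_malware = ram_scraper(merchant_memory)
    recovered_at_processor = decrypt(*terminal_keys, blob)  # keys live only at the decryption site
    return seen_by_malware, recovered_at_processor


def software_encrypting_flow(track_data, merchant_keys):
    """Encryption applied downstream in merchant POS software: cleartext is handled first."""
    merchant_memory = b"POS v2.1 | " + track_data        # constructed: PAN in the clear in-store
    seen_by_malware = ram_scraper(merchant_memory)
    blob = encrypt(*merchant_keys, track_data)            # too late for in-store malware
    return seen_by_malware, blob


def compare_topologies():
    track = b"%B4111111111111111^DOE/JANE^121710112345?"  # constructed Track-1-style record
    # Keys injected into the terminal by the P2PE solution provider; the merchant never holds them.
    terminal_keys = (secrets.token_bytes(32), secrets.token_bytes(32))
    # Keys the merchant's own POS software would use if it encrypted downstream itself.
    merchant_keys = (secrets.token_bytes(32), secrets.token_bytes(32))
    p2pe_seen, p2pe_recovered = terminal_encrypting_flow(track, terminal_keys)
    soft_seen, _ = software_encrypting_flow(track, merchant_keys)
    return {
        "p2pe_pans_visible_to_malware": p2pe_seen,
        "p2pe_processor_recovers_track": p2pe_recovered == track,
        "software_pans_visible_to_malware": soft_seen,
    }


if __name__ == "__main__":
    for name, value in compare_topologies().items():
        print(f"{name}: {value}")
```

The point the comparison makes is architectural rather than cryptographic: the same cipher is used in both flows, and what changes the outcome is where the plaintext first exists and who holds the keys, which is why the PST steers merchants toward solutions that decrypt outside the merchant’s own environment.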
KEY RECOMMENDATIONS FOR STAKEHOLDERS
Electronic payments in the U.S. will soon evolve into something much different from what they are today, further blurring the lines between how payments are made at online merchants and at brick-and-mortar stores. Mobile devices are also fueling innovation in payments, and with it the ability to place secure elements in mobile devices or within “the cloud.” This quickening convergence of the digital and physical worlds of payments makes security innovation imperative, says the PST, if security is to keep pace.
The PST suggests that stakeholders in the industry recognize and push for the adoption of secure chip technologies in the U.S., something that will pave the way for further advancements in payments security. In addition, they explain that it is now time for these stakeholders to demonstrate leadership and implement additional layers of security like those mentioned above.
The following are the PST’s recommendations for Chip, Encryption and Tokenization by key payments industry stakeholders:
Merchants are encouraged to plan chip terminal upgrades well in advance of the October 2015 liability shift, to educate store personnel about the migration, and to consider whether their terminals can support hardware-based encryption and contactless/NFC payments. On the tokenization front, merchants that store PANs are encouraged to deploy or develop solutions, including tokenization, that reduce reliance on the PAN for value-added services. Merchants are also strongly encouraged to avoid solutions that encrypt only outside the terminal, and to consider encryption solutions in which transactions are decrypted outside the merchant’s own environment.
Acquirers/processors are encouraged to certify for chip transactions with the payment brand networks and to communicate to merchants the importance of moving to a chip-accepting environment, starting with the highest-risk merchant categories. On the tokenization front, the PST urges acquirers/processors to support a full range of tokenization solutions and to consider strategies for eliminating dependence on the PAN in the back office. Further, the PST recommends that acquirers/processors consider partnering with technology vendors to offer merchants solutions that keep the PAN and other sensitive data protected on an ongoing basis.
Issuers are encouraged to deploy chip cards now, or as early as possible, and to play a primary role in educating consumers on how to use them. The PST also suggests that, as part of the continued deployment of a layered security approach, issuers work actively with industry groups to advocate for eliminating the use of the PAN for value-added services outside the issuer itself.
Payment systems are encouraged by the PST to continue their efforts to reduce the friction associated with implementing chip cards, and to share best practices from other markets in moving chip migration forward in the U.S. The PST also sees potential benefit in publishing and sharing best practices for the coexistence of chip with all forms of tokenization. It further suggests that payment systems consider developing payment account identifiers that keep existing merchant/acquirer systems efficient, and work to ensure that the evolution of EMVCo tokenization meets the needs of payments stakeholders. On encryption, the PST asks payment systems to consider publishing and sharing best practices for the coexistence of chip with encryption, and to identify best practices for deploying software-based encryption in environments where traditional hardware-based encryption is not available.
Integrators and value-added resellers (VARs) are encouraged by the PST to do four things: (1) ensure that all new terminals contain, at a minimum, chip-capable hardware, and implement support for contactless/NFC acceptance; (2) consider integration strategies and architectures that weigh the impact of security upgrades and ongoing maintenance for technologies such as chip, tokenization and encryption; (3) consider token integration as part of the overall payments implementation, to reduce the exposure of sensitive data in non-payment systems that are subject to compromise; and (4) consider seeking guidance from the standards bodies on how all three categories of tokens should work together.