Why Tokenization Is Crucial, Even for Merchants Who’ve Upgraded to EMV
With the October deadline rapidly approaching for US merchants to adopt EMV POS terminals, it’s important to remember that while EMV is an overdue upgrade, it’s not a cure-all for card fraud. In other markets where EMV adoption is complete, chip-and-PIN technology has reduced the rate of skimming, but EMV technology doesn’t always include an upgrade to data tokenization. That’s a missed opportunity for merchants because even in the absence of EMV technology, tokenization may be the most important security measure any merchant can adopt–for 3 reasons in particular.
Tokenization can protect against counterfeit magnetic stripe cards
EMV offers proven protection against POS skimming, but the research firm Forrester notes that after the EU adopted EMV technology, skimmers merely changed their tactics for exploiting magnetic card security weaknesses. Post-EMV, this was done by stealing PINs and chip data from EMV cards, making fake magnetic stripe cards with that information, and using those cards to make fraudulent purchases at backward-compatible EMV terminals. There’s no reason to expect that thieves won’t try the same thing in the US once EMV gains wide adoption, which means all merchants should tokenize their payment data, whether or not they’ve upgraded to EMV yet.
Tokenization protects against theft of card information from databases and other sources
In the world of fraud, the point of sale terminal is just one of many avenues thieves can use to steal card information. Hackers have other tools for stealing card data from merchant databases, traditional POS payment terminals, and near-field communication transmissions. But when data is tokenized then stored customer payment data, real-time POS transactions, NFC transmissions, and CNP payment information are replaced with tokens that are useless to would-be thieves. This gives tokenization much broader security applications and greater merchant value that EMV alone, especially when tokenization is combined with point to point encryption for security at every link in the payment chain.
Considering the high cost of remediation after customer data breaches—the Target retail chain spent more than $162 million cleaning up its 2013 breach– as well as the lost business and bad press that major breaches generate, implementing a tokenized payment chain is a proactive and cost-effective investment.
Tokenization evolves with the payments landscape
Forrester’s report on payment chain security points out that the US is the “oldest, largest, and most mature market for card payments,” which means there’s a patchwork of legacy systems and equipment that can be challenging, if not impossible, to bring up to the new EMV standards. Combine this payments infrastructure with a market that’s fragmenting as technology provides new alternative payment methods, and the sheer scope of the data security challenge is clear.
Because tokenization works like a meta-security measure that’s focused on the data rather than the hardware, it’s compatible with (and sometimes built into) new alternative payment methods like Apple Pay, and it can help to secure payment data captured by existing POS and CNP technology. Tokenization is also expected to be compatible with future payment methods that develop as technology and consumer habits evolve.
EMV is important technology that will improve security for merchants and their customers at the POS terminal. Combining EMV with tokenization, and deploying tokenization for other payment methods, can improve security even more dramatically for merchants and their customers.
Photo credit: Ryan McGuire