Card Brands Launch Security InitiativeCoalition to Push EMV Cards, Point-to-Point Encryption
Ending weeks of relative silence by the two major payment card brands in the wake of payments breaches at Target Corp., Neiman Marcus and others retailers, MasterCard and Visa have announced the formation of a cross-industry group to work on improving U.S. payment security. The collaborative effort aims to advance the migration to chip cards as well as point-to-point encryption.
In addition to the card brands, the coalition will include banks of all sizes, credit unions, acquirers, retailers, point-of-sale device manufacturers and industry trade groups, the card brands say in announcing the effort.
"The recent high-profile breaches have served as a catalyst for much needed collaboration between the retail and financial services industry on the issue of payment security," says Ryan McInerney, president of Visa Inc. "As we have long said, no one industry or technology can solve the issue of payment system fraud on its own."
The initial focus of the group will be on the adoption of payments cards using chip technology based on the EMV standard that's widely used in other nations. The cards offer greater security than magnetic-stripe cards that are now commonly used in the U.S.
Other areas of focus for the new group will include:
- Promoting additional security solutions, including tokenization and point-to-point encryption. "While EMV addresses the physical point of sale, the need to protect mobile and online transactions is critical," the card brands say in their announcement. "In tokenization, the traditional account number will be replaced with a unique digital payment code, providing an additional layer of security."
- Developing an actionable roadmap for security across all segments of the payments industry.
"One of the critical roles we play is to protect consumers and businesses against criminals and fraudsters," says Chris McWilton, president of North American markets for MasterCard. "Only through industry collaboration and cooperation will we address the real and immediate issue of security and maintain consumer confidence and trust. EMV will be the next step in these efforts, alongside enhanced security solutions for online and mobile channels."
The formation of the group, the card brands say, is an acknowledgement of the need for all parties involved in the payments process to work together and will "ensure all voices can contribute to the strategic direction of payment security."
MasterCard and Visa also expect the new group to engage with other ongoing security efforts, including proprietary risk councils, EMV task forces and standards management bodies.
Assessing the Efforts
News of the card brands' focus on tokenization and point-to-point encryption is encouraging, says Gartner analyst Avivah Litan. The efforts could make a meaningful difference if standards are created for the technologies "so that one vendor's solution [is] interoperable with another," she says.
"These standards have been lacking in the market, and, as a result, especially with point-to-point encryption, retailers and card acceptors are somewhat hesitant to adopt the technology out of valid fear of vendor lock-in and the pricing and competitive disadvantages that go along with that," Litan says.
"Visa and MasterCard have had plenty of time to work on these standards," she says. "Let's see if they do something meaningful and actionable this time."
Al Pascual, senior analyst at the consultancy Javelin Strategy and Research, notes: "There is a great deal of animosity between retailers and the financial industry, yet both sides, and everyone in between, wants to improve the security of card payments. ... This coalition initiative is the right move from both a practical and PR perspective. Neither industry wants to have to explain to legislators or the public that they are unable to secure payments because they didn't attempt to work together. ... Card payments are bigger than any one industry, and the solution is going to take some real solidarity to achieve."
At two Congressional hearings this week, cybersecurity experts stressed that adoption of EMV chip cards is just one of many steps that need to be taken to secure the U.S. payments infrastructure (see Target Hearings: EMV Not Enough). They also called for more education of retailers about card data security and stronger enforcement of Payment Card Industry data security standards.
Last month, members of Congress questioned executives from Target and Neiman Marcus about their breaches. Both retailers were attacked by malware that ultimately exposed credit and debit data collected in the clear at the point of sale before it was encrypted as the transactions were processed (see Breach Hearings: How Did Security Fail?).
On March 5, Target announced plans to overhaul its information security and compliance practices in the wake of its massive payments breach late last year (see: Target to Hire New CIO, Revamp Security). On Dec. 23, Target confirmed malware was to blame for an infection of its point-of-sale system that likely exposed details associated with 40 million debit and credit cards between Nov. 27 and Dec. 15. The breach also affected personal information on up to 70 million customers.
Neiman Marcus recently revised downward its estimate of the number of payment cards compromised in its breach last year (see Neiman Marcus Downsizes Breach Estimate). An investigation has determined that the number of potentially affected credit and debit cards was about 350,000, down from the original estimate of 1.1 million, the company reports.