U.S. merchants and banking institutions are gearing up for massive rollouts of EMV chip point-of-sale terminals and payment cards in 2015. But they also are implementing additional layers of protection to ensure card data is devalued and secured throughout the transaction, says Nathalie Reinelt, a payments expert and industry analyst at consultancy Aite, which recently published a report about emerging payments security.
Tokenization and encryption are rapidly becoming additional layers of protection for payment card data, she says - a trend that is being embraced by retailers throughout the world.
"It's going to be moved further up in the payment-supply chain," Reinelt says during this interview with Information Security Media Group. "Encrypting or tokenizing card data at the point of capture will be key."
The catalyst for these enhanced features is two-fold, she says.
For one, retailers know that EMV, which will reduce physical point-of-sale counterfeit card fraud, won't prevent all card breaches, and will have little impact on reducing card-not-present fraud among e-commerce merchants. Second, EMVCo, which manages testing and specifications for the evolving EMV standard, in March released its specification for tokenized payments.
Apple Pay, which has been lauded for being a trendsetter in mobile payments and EMV compatibility, deployed its mobile-payment application based on EMVCo's specification, Reinelt says (see How Will Apple Pay Impact U.S. EMV?).
"Apple Pay is a great example of how this is being rolled out," she says. "Essentially, it tokenizes the credit card data as it is captured and loads it onto Apple Pay, so that it is validated by the bank or the network. The card data is secured with a token on the secure element within the iPhone. So, from that point on, every time somebody transacts with Apple Pay, the data that is passed is a token, not the credit card data."
Apple Pay is the first deployment of EMVCo's new specification, but there will be others, Reinelt says. "Tokenizing at the point of capture - that will be key going forward," she says.
EMVCo's specification is addressing a void in payments security, Reinelt adds. "Anyone that deploys those specs, as long as the data is tokenized at the point of capture - will be properly devaluing data."
During this interview, Reinelt also discusses:
- How emerging payments, such as crypto-currencies like Bitcoin, will soon impact payments security;
- Why e-commerce fraud is more concerning than physical POS fraud;
- Why mobile payments will dominate conversations in 2015.
Reinelt is an analyst within Aite's Retail Banking & Payments practice, where she focuses on the global payments ecosystem, including alternative payments, cross-border remittances and emerging technologies complementary to payment processing and commerce. Reinelt has more than 16 years of experience in Internet, technology, e-commerce and financial services. Before joining Aite, she spent three years in Silicon Valley working for Apple and Facebook.