To EMV Or Not To EMV

05 March 2014

Maybe not the question that our Congressional men and women are discussing today in DC, but one that’s on my mind, anyway, these days in spite of the speed at which the EMV train is moving in payments, post-breach.

The ripple effect from the breaches has, among other things, put this issue front and center for lawmakers. They have another hearing today in Washington to continue to gather information to assess basic the facts and to wrap their heads around what needs to be done to prevent it from happening again. This Congressional hearing will include a few people with relevant points of view on the topic.

One of them is Dave Fortney, SVP at The Clearing House, who will be testifying about the technologies that The Clearing House says will reduce the risk of future breaches. (Dave is also one of The Innovation Project 2014 panel participants talking about this very topic with former White House Cyber Security Czar Richard Clarke). His two areas of focus today are EMV and tokenization.
We had a quick chat about his testimony yesterday, and it has a few broad themes: EMV alone wouldn’t have prevented the breach, and tokenization is a superior way to protect cardholder data since it renders it useless to the bad guys. Moreover, a combination of EMV + tokenization is what will mitigate the future risk of a breach, but it will require the cooperation of banks and merchants to make it real and timely.

The punctuation mark here, though, is that today’s data risks are bigger (there are more people using more cards in more places), more pervasive (breaches are system wide, not just one location), and the product of a sophisticated and massive criminal ecosystem that, to use Fortney’s words, is totally “disaggregated” that it can create and distribute malware and then the compromised data products thru its network very quickly.

To make that point, Fortney drew the comparison between TJ Maxx and Target. TJ Maxx was the result of a solo hacker sitting in the parking lot in a 1989 Chevy stealing card numbers off of a Wi-Fi connection. He got caught and is serving time. Target is the result of a faceless cybercriminal(s) from a foreign country using high speed computers and software to plant malware that penetrated Target’s entire POS network. If they’re caught, they may never serve time if they operate in a country that provides safe harbor for them.

Cybercrime is a pretty big business now, too. The bad guys get up every day and go to work, but they just go to work figuring out how to steal money from businesses and people and, when they’re just having fun, otherwise wreaking havoc on our financial systems.
Fortney says that most of the post-breach security activity today is coming from big retailers getting ready to accept EMV cards. Merchants have witnessed the aftermath of the Target breach in terms of its hard costs (liability) and soft costs (reputational risks) and want nothing to do with either. The threat of the network-liability shift has merchants now scrambling.

Issuers are moving away from thinking that they wanted to just issue cards to certain customers in their portfolio to replacing all cards at the reissue cycle and in some cases, even accelerating those cycles to eliminate their risky mag stripe predecessors.

Tokenization is the “part two” of the security-deployment process. Part two, since the risk that merchants are insuring against now is card counterfeiting, thus the rush to EMV cards which are more expensive and harder to produce.

But, guess what. These EMV cards will be “hybrid” cards and also have mag stripes on them that, of course, will still contain static customer account numbers. It will be a while before all merchants have EMV terminals, so what we will have for a while is a situation not much different from what exists today – cards with mag stripes used at merchant terminals, but with more costs layered onto merchants and issuers.

The “standard” that seems to be gaining ground in the U.S. is something Fortney described as “Chip and Choice,” which could be PIN, could be signature, could be neither, depending. So it does sort of beg the question: if we still have mag-stripe cards with account information on them and no required PIN to make it harder to use stolen credentials, aren’t we just taking our eye off of where the puck in payments is really heading – the mobile and connected devices future and spending a lot of time and money along the way?

It’s also not as if EMV, where implemented, has eliminated fraud, it has just pushed it to other places, such as online. That’s why EMV alone is not the answer and something else is needed to reduce the risk of fraud.

As Fortney points out in his testimony, “EMV was designed prior to the internet, mobile smartphones and tablets, it does not address transactions initiated via those means.”

But tokenization does. And that’s the “something else” that is being paired with EMV to create a secure payments environment.

The Clearing House has something called Secure Token Exchange (formerly Secure Cloud). In his testimony, Fortney says that it’s in pilot mode with one bank now and will soon be expanded. Regardless of the technology used, it turns customer account information into a token behind the bank’s firewall and passes it back to the merchant for processing. It was designed to complement existing tokenization efforts and minimize disruption to the existing ecosystem. Secure Token Exchange has joined forces with the relevant stakeholders in payments to move the notion of tokenization along in a more cohesive and coordinated fashion.

Tokenization can be done on the back end in a way that eliminates merchants having to worry about safeguarding data since banks and processors take on that burden. Merchants get the best of all worlds: they don’t lose any of the data benefits – knowing what consumers bought and when and how they paid for it – but totally lose the liability associated with keeping that information around.

Tell me if I’m crazy, but isn’t there a way to move towards this more quickly, and even in a way that leapfrogs EMV completely while setting the stage for a secure, mobile-ready global payments standard? (BTW, leapfrogging EMV is an Innovation Project ThinkAThon question).

Now I realize it’s much easier said than agreed to. But you have to admit that it doesn’t make much sense to take a 30-year step backward, at the precise moment in time that we are gaining steam around mobile, just to make the point that we’re doing something to protect cardholder data. ‘Cuz as we all know, EMV isn’t the silver bullet.

It does makes for good PR though and gives our Congressmen and women something to take back home as an action item and talk about. Then again, about the last thing we need them to do be doing, and this is all me again, is to think that they need to devise legislation to make sure that the industry does “something” to keep consumer data protected. As quickly as technology moves and as slowly as Congressional bills move thru the system, any such requirement would be obsolete the moment it was drafted. And, the industry can only afford one 30 year step backwards at a time.

Dave Fortney and 5 other C-suite execs will debate the various approaches to ensuring the safety and soundness of our payments systems in the face of cyber attacks with Richard Clarke in The Innovation Project’s “Uber Solutions for Keeping the Criminals at Bay” on March 19, 2014. To request an invitation, please click here.