Exactly one year ago today (December 19, 2014) Target announced that its point-of-sale system had been breached and that the data associated with approximately 40 million credit and debit card accounts was now available for purchase on the black market. At the time, it seemed to be the payments security apocalypse, the worst Christmas gift ever for a major retailer and just the payments Black Swan that EMV needed to get merchants excited about an expensive security upgrade.
As 2014 rolled on and Home Depot, P.F. Chang’s, Michaels and Dairy Queen were among the many, many POS breaches that followed, it became increasingly clear that the Target “Black Swan” wasn’t so much an aberration as a grim harbinger of the shape of things to come in terms of protecting the sanctity of cardholder data at the merchant point of sale.
That led to a number of developments for the payments industry. One of them was the formation of the U.S. Payments Security Task Force, a group of leading U.S. issuers, acquirers, merchants, payment networks and other electronic payments participants.
Their published white paper and roadmap for how to improve the security of cardholder data was released on December 16th, and their observations and recommendations are unsurprising.
“Both traditional plastic cards and mobile payments are built on a core foundation of trust and security,” said Chris McWilton, President of North American Markets, MasterCard. “As we work across the industry to drive new innovations and services, it’s crucial that we also continue to invest in enhancing the security of the payments system. This white paper outlines some of the best practices every participant can take to strengthen that foundation.”
Among those best practices are moving away from mag stripe cards to EMV (or Chip-based card) technology and embracing both NFC and tokenization.
For a mobile technology that built its platform using mag stripe transmission technology to enable mobile devices to work with readers that also accept mag stripe cards, that sounds like it could be a bit of an inconvenience. MPD CEO Karen Webster caught up with George Wallner, LoopPay’s Chief Technologist, about those the PST’s recommendations, and what it means for a mobile wallet provider like LoopPay.
Wallner told Webster that the PST’s recommendations are a huge improvement that LoopPay is looking forward to being a part of, since LoopPay is also all about tokenization. Wallner told Webster that while EMV, Chip and NFC were all fine security technologies, he believes that tokenization has the best chance of pushing the security envelope forward.
“The reality of upgrading the POS is that it takes a long time. Mag stripe is dead. Chip is fine, works well, provides good security. But Chip is being superseded by tokenization. and whether a token is delivered through NFC or through the LoopPay magnetic technology, I think it will be a huge improvement to security.”
Unfortunately, LoopPay’s future with tokens has its foot firmly rooted in the thing that everyone is trying to leapfrog: mag stripe technology. LoopPay pushes its tokens via technology that works with magnetic stripe readers. However, as Wallner notes, if consumers are to have immediate access to the security benefits tokens offer, then having a security standard that is compatible with the payment method they are currently using (the mag stripe card) makes sense even if the mag stripe is on its way out.
“The magnetic strip card is obsolete, but the magnetic stripe reader can be used to deliver tokens through a magnetic coupling. So the mag stripe readers that are there and will continue to be out there are capable of delivering tokenized transactions. That’s really the key here just to convert as many transaction into tokenized transactions as possible– today. The means is not important.”
So why not just jump on the NFC bandwagon, if the means aren’t important, Webster asked? Wallner notes that the means may not be important from a technological standard, but from a consumer ease of use standpoint it’s actually quite important. At the end of the day, Wallner said, it doesn’t matter how secure a payment method is if almost no merchants take it and almost no consumers use it.
“We use this [magnetic stripe] method because tens of millions of merchants accept it today. Other technologies will evolve and be adopted at their own pace. We have seen how quickly things change at the point of sale.” Which, Webster pointed out, just isn’t very fast.
New technology will move in, of course, but the old stuff - the mag stripe cards - have a long good-bye ahead of them.
“The whole idea here is that the mobile wallet should work today, it should be accepted at all merchants,” Wallner noted.
And that is what Wallner says that LoopPay offers that others don’t - a merchant acceptance rate of about 90 percent. When Webster asked why 90 and not 100 percent since mag stripe is accepted everywhere, Wallner explained that there are simply some esoteric POS systems out there that barely work with plastic payment cards, let alone something that emulates them.
“There are some very poorly designed USB swiper-based PC systems that are very rare but exist. And these are not certified, they are not working according to proper specifications and sometimes we find they do not read the LoopPay transmission correctly.”
Still, 90 percent is not exactly something to sneeze at, especially if it is ready to roll with tokenized transactions today. “If the goal is urgent improvement of security via tokenization, the most immediately available channel should be used. That is LoopPay's magnetic transmission technology. LoopPay has a POS acceptance of 90 percent. When will NFC have a 90 percent penetration? If we want to cut fraud today, we need a solution that exists today,” Wallner emphasized.
A year ago today, pundit after pundit was asking if the Target security breach would permanently change customer’s reaction to retail and payment security. It seems the answer to that was no; as it turns out, consumers can get used to anything, including their data being boosted by Russian cybercriminals every so often. That’s, in part, because consumers trust that their banks have their backs if bad things happen. But just because consumers kept (and keep) shopping, doesn’t mean they don’t want secure transactions, especially if those transactions are secure but still fairly easy to make.
Which leaves the question: if 2014 was the year of the breach, will 2015 will be the year of the token?