Tokenization key to card data security, says analyst
As businesses across the US prepare themselves for the mammoth task of upgrading their payment processing infrastructure to accept chip-and-PIN cards, a banking industry analyst has warned that this won't in itself end the problem of card fraud, and discusses the importance of tokenization.
In an interview with the Information Security Media Group on Monday (December 1st), Nathalie Reinelt warned that merchants and other payment processors will still have significant security risks to contend with following the adoption of the EMV (Europay, MasterCard and Visa) standard, which the federal government has committed to speed up over the next few months.
For example, while retailers can rely on the technology to reduce counterfeit card use at the point of sale, it will not have an impact on card-not-present fraud. As such, it remains the responsibility of the original merchant to protect customers' card data, Ms Reinelt said.
"[The onus is] going to be moved further up in the payment-supply chain," she continued. "Encrypting or tokenizing card data at the point of capture will be key."
Both encryption and tokenization describe methods to devalue data as it moves through a computer system, rendering it useless to hackers should it be compromised. Ms Reinelt offered Apple's new mobile payment system, Apple Pay, as an example: "It tokenizes the credit card data as it is captured ... so from that point on, every time somebody transacts with Apple Pay, that data is passed as a token."
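The following is an added illustration of vault-based tokenization as described above; it is constructed for this article and is not code from Apple Pay, the PCI council, or any vendor. It assumes a vault service that alone holds the PAN-to-token mapping and an HMAC index key (both hypothetical), and uses the well-known test card number 4111111111111111 as constructed sample input. Downstream systems, such as the merchant's order records, only ever receive the token, which keeps the last four digits for receipts but deliberately fails the Luhn check so it can never be mistaken for a real card number.

```python
import hashlib
import hmac
import re
import secrets


def luhn_ok(pan: str) -> bool:
    """Standard Luhn mod-10 check used to validate a card number's format."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical token vault: the only component that ever sees a PAN.

    In a real deployment this would be a separately secured service (in PCI DSS
    scope), so that merchant systems outside it hold nothing worth stealing.
    """

    def __init__(self, index_key: bytes):
        self._index_key = index_key   # assumed: secret held only by the vault
        self._token_by_index = {}     # HMAC(PAN) -> token, so one PAN maps to one token
        self._pan_by_token = {}       # token -> PAN (the sensitive mapping)

    def _index(self, pan: str) -> str:
        # Keyed hash so the lookup index cannot be brute-forced from the PAN space.
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        if not re.fullmatch(r"\d{13,19}", pan) or not luhn_ok(pan):
            raise ValueError("not a well-formed PAN")
        idx = self._index(pan)
        if idx in self._token_by_index:
            return self._token_by_index[idx]
        while True:
            # Keep the last four digits for receipts; randomize everything else.
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # Reject candidates that pass Luhn or collide, so a leaked token is
            # neither a valid card number nor ambiguous in the vault.
            if not luhn_ok(token) and token not in self._pan_by_token:
                break
        self._token_by_index[idx] = token
        self._pan_by_token[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault (e.g. when forwarding to the acquirer) can reverse a token."""
        return self._pan_by_token[token]


def merchant_checkout(vault: TokenVault, pan: str, amount_cents: int) -> dict:
    """What a merchant system stores after capture: the token, never the PAN."""
    token = vault.tokenize(pan)
    return {"token": token, "last4": token[-4:], "amount_cents": amount_cents}


if __name__ == "__main__":
    vault = TokenVault(index_key=secrets.token_bytes(32))
    record = merchant_checkout(vault, "4111111111111111", 1999)   # constructed sample
    print(record)
    print("vault can recover PAN:", vault.detokenize(record["token"]))
```

Note that the token is random rather than derived from the PAN by encryption, so there is no key whose compromise reveals every card number at once; the attack surface collapses to the vault itself, which is why the mapping store must be the most tightly controlled component in the design.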
Her comments echo statements from Stephen Orfei, incoming general manager for the PCI council, at the group's Asia-Pacific Community Meeting in November.
He disclosed that the council might introduce mandatory tokenization in the fourth version of the PCI DSS regulatory framework, describing it as the "endgame" for card data security.
Many of the past year's biggest data breaches affected organizations that were ostensibly PCI DSS-compliant - hackers were able to simply swipe unencrypted card data from memory in point-of-sale systems.