Goodbye mag-stripes, hello tokens, say payment security panelists

 

Nearly 90 percent of Americans believe identity theft is a serious problem in the U.S., according to a 2014 study by TaxAudit.com. It turns out they are correct.

“The U.S. is responsible for 25 percent of worldwide credit card use, but 50 percent of credit card fraud,” Maria Contreras-Sweet, administrator of the U.S. Small Business Administration, told a panel on payment security at the White House Summit on Cybersecurity and Consumer Protection held Friday at Stanford University.

In introductory remarks, Maria Contreras-Sweet, administrator of the U.S. Small Business Administration, emphasized the growing concern over U.S. payment fraud. (Catalina Ramirez-Saenz/The Stanford Daily)

She noted that credit card fraud is also growing faster here than in other countries. U.S. credit card fraud grew 29 percent to $7.1 billion in 2013 versus just 11 percent in the rest of the world, according to Business Insider.

The reasons for this are many. For one, the U.S. lags Europe in adopting the EMV standard, which involves embedding a chip inside each credit card. The chip generates a unique code each time it is used in-store and makes creating counterfeit copies of physical credit cards virtually impossible. The switchover to EMV credit cards in European countries took place a decade ago.

The booming U.S. economy also has led to increased opportunities for cyber predators, whom industry leaders term “bad actors.”

Payment systems in the U.S. transfer nearly $4 trillion a day, or almost 25 percent of the country’s GDP, a sum panel moderator Sarah Bloom Raskin — deputy secretary of the U.S. Department of Treasury — called “mind blowing.”

The number of payment options customers have today — cash, credit card, debit card, prepaid cards, signature debit cards, mobile phones and online payment systems, to name a few — has created further opportunities for cyber hackers.

“Vulnerabilities for mischief are myriad,” Raskin said, referring to the increasing combination of payment systems.

“The fact is, there are just better ways to do [things] than we have today,” Visa Chief Executive Officer Charles Scharf said on the panel.

Visa, for instance, has begun rolling out EMV-enabled cards, which operate at point-of-sale terminals as well as automated teller machines. By the end of the year, Scharf said he expects that half of the Visa credit and debit cards and processing equipment will contain EMV chips or readers. EMV reduces face-to-face fraud by 75 percent, he said.

But EMV cards won’t completely solve the country’s payment security problem. “We’re also sensitive to the fact that as the brick-and-mortar world becomes more secure as we roll out [EMV] technology, those bad actors are going to increasingly shift online,” QVC, Inc.’s Chief Executive Officer Mike George said.

PayPal, Inc. President and CEO Dan Schulman said his company allows customers to make payments without sharing sensitive financial information, requiring only an email address or phone number to complete an online transaction. This process of “tokenization” essentially involves replacing an account number with another form of identification.

Bancorp’s Chief Executive Officer Richard Davis said the concept of tokenization would improve safety across industries: “Think of it as Mr. Phelps on ‘Mission Impossible’ where in 10 seconds, the item will self-destruct.”

EMV and tokenization could mean the end of signing for credit card purchases and entering PINs. “Both signatures and PINs are static forms of authentication that can be copied or re-used for fraud,” Stephanie Ericksen, Visa’s vice president of risk products, said in a written statement to Peninsula Press. “For the future of payment security, we want to build and invest in more dynamic security measures like chip and tokenization which help make stolen information useless to criminals.”

Stanford professor John Mitchell, an organizer of the event, said in an interview that tokenization could solve one of the biggest concerns for financial institutions. “Taking the merchant, in effect, out of the loop — so that the merchant never gets something that they could use in a devious or fraudulent way — is a huge issue for banks and credit card issuers.”

Mitchell added that he expected digital tokenization to be used for non-payment cards, like driver’s licenses and passports. “Ten years from now, instead of having a phone and a physical wallet, we’ll all be carrying around one thing,” he said. “Of course, we’ll have to be careful not to lose that one thing.”
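The tokenization idea the panelists describe can be sketched in a few lines. The following is an added illustration, not code from the article or from any payment network: a simplified issuer-side vault that hands merchants single-use, merchant-bound, short-lived tokens in place of the account number. The class name, merchant IDs and the 10-second lifetime (borrowed from Davis's analogy) are assumptions.

```python
import secrets
import time

class TokenVault:
    """Hypothetical issuer-side vault: the only place the account number (PAN) lives."""

    def __init__(self, ttl_seconds=10):
        self._ttl = ttl_seconds
        self._tokens = {}  # token -> (pan, merchant_id, expires_at)

    def issue(self, pan, merchant_id, now=None):
        """Return a random single-use token bound to one merchant."""
        now = time.time() if now is None else now
        token = secrets.token_hex(8)  # random, so it reveals nothing about the PAN
        self._tokens[token] = (pan, merchant_id, now + self._ttl)
        return token

    def redeem(self, token, merchant_id, now=None):
        """Resolve a token to its PAN at most once; return None on any failure."""
        now = time.time() if now is None else now
        entry = self._tokens.pop(token, None)  # consumed on first presentation
        if entry is None:
            return None  # unknown or already used
        pan, bound_merchant, expires_at = entry
        if merchant_id != bound_merchant or now > expires_at:
            return None  # wrong merchant or expired; token stays consumed
        return pan


def demo():
    """Constructed scenario: a merchant's stored records are copied and replayed."""
    vault = TokenVault(ttl_seconds=10)
    pan = "4111111111111111"  # widely used test card number, not a real account
    merchant_db = []          # the merchant keeps tokens only, never the PAN

    t1 = vault.issue(pan, "shop-A", now=0)
    merchant_db.append(t1)
    first = vault.redeem(t1, "shop-A", now=1)               # legitimate purchase
    replay = vault.redeem(merchant_db[0], "shop-A", now=2)  # copied token reused

    t2 = vault.issue(pan, "shop-A", now=100)
    other_merchant = vault.redeem(t2, "shop-B", now=101)    # presented elsewhere

    t3 = vault.issue(pan, "shop-A", now=200)
    expired = vault.redeem(t3, "shop-A", now=211)           # past the 10 s window
    return first, replay, other_merchant, expired, pan in merchant_db
```

Only the first redemption resolves to the account number; the replayed, misdirected and expired tokens all resolve to nothing, and the merchant's records never contain the account number at all.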

But until tokenization becomes universal for both online and in-store payments, there’s a whole other side of payment security: stopping data breaches.

When the restaurant chain P.F. Chang’s was hacked last year, the company pressed into use old-fashioned knuckle busters, which make a physical impression of embossed information on the face of a credit card for processing at the end of the day — somewhat like the way checks used to work. Using knuckle busters makes it so that there is no data to steal from servers.

PayPal’s Schulman said the average American company is hit by seven million hacking attempts each year. QVC’s George added that online security often can be improved by simply educating a company’s employees.

“We employ sophisticated gaming technologies to engage our own associates in understanding how our company is as secure as the most vulnerable employee and what he or she decides to do with their PC,” he said.

Also, “[we] will tell our employees that we are going to send out a spurious phishing expedition. It looks like someone has emailed you and is trying to tell you to click on a link for some reason. And when they click on it, we’ll explain to them why they should not have clicked on that link, and help them learn.”

Schulman added that as security becomes more important, large payment processing companies have an advantage. “Scale is a very important differentiator, only insomuch as the data that we have and our ability to do our analytics around it,” he said. The company’s analytics use collected data to predict when fraudulent purchases are taking place.

With the threat of cybersecurity breaches especially severe in the U.S., President Obama on Friday signed an executive order to promote expanded information sharing between the government and the private sector.

The goal, according to the White House, is to “[ensure] that U.S. companies work together to respond to threats, rather than working alone.”

Indeed, despite ferocious market competition, panelists said they are beginning to coalesce where security is concerned.

Bancorp’s Davis said he is seeing more cooperation within the financial marketplace and hopes it will become commonplace. “For the first time a banking contingent that has always competed have said, ‘Wait. Let’s not compete. Let’s work together on this one thing.’” Davis said he believes other industries will follow suit.
