EMV or EuroPay-Visa-MasterCard is a term that refers to standards that have been created to enhance the security of transactions made through credit and debit cards. EMV makes use of advanced chip technology for these payment cards. Tokenization takes this security to the next level by substituting the sensitive customer information (such as payment card information) with dummy information (or token). The token generation, storage, mapping, and un-mapping takes place inside a highly secure system called the Token Vault.
On the face of it, tokenization may appear to be a straightforward process, but it has far-reaching implications in boosting the payment security environment with regard to its usage with EMV.
Risks in the Absence of Tokenized Transactions
A typical EMV payment card chip stores public information that is accessible to anyone without the need for any special authentication. Security experts around the world are now increasingly recognizing that this should be seen as a security threat because it has enabled criminals to create card transplants (fake cards) using EMV to carry out fraudulent transactions. The problem is that the confidentiality of the primary account number (PAN) is not maintained at any stage of the transaction. Some of the most serious credit card related data thefts in the United States have occurred at the host (processor) or the merchant level in a non-EMV environment. News about major security breaches involving data from compromised bank accounts continues to flow in every day because of the absence of tokenization.
How does Tokenization Work with EMV Payments?
The Payment Card Industry (PCI) Council has pointed out the security issues that are occurring because the EMV transactions lack encryption. The Council has emphasized that native EMV data in every transaction needs to be protected beyond what the EMV inherently provides. To address this issue, EMV has finally adopted tokenization with the introduction of the EMV Payment Token.
In the tokenized environment, the EMV transaction makes use of a new element called EMV PAR (Payment Account Reference), which links the transaction with the corresponding PAN. A PAR on its own cannot be applied to charge a payment card. As a result, it becomes useless to a criminal hacker. With the PAR, it is possible to link a single PAN to multiple devices. Thereafter, even if the criminals hack into a device, the corresponding token will automatically get de-registered with no effect on other devices.
Requirements for the Use of EMV Tokens
The EMV tokens that are used must:
- Pass a PAN’s validation rules, when interoperability is reinforced
- Be number between 13 and 19 digits in conformance to the account number rules of ISO messages (to ensure ‘like to like’ formatting)
- Not collide or conflict with a PAN assigned to an actual card
- Be associated and mapped with an existing PAN in the Token Vault by the entity that generated the token prior to issuing it
EMV Tokenization is the Future
EMV was originally developed as a safeguard against criminals who were able to counterfeit the magnetic strips of payment cards. However, as cybercrime has become more sophisticated, security breaches continue to occur even now because merchants develop information systems surrounding the EMV transaction environment that are not foolproof. New stories keep emerging about sniffing devices that are planted by criminals across all types of payment devices within the transaction chain and the leakage of credit card data when customers make payments at a store or a restaurant. Although these breaches do not occur all the time, they occur enough to cause concern.
EMV tokenization will be embraced more widely because of the continuing security breaches within the current payment environment. Moreover, with the increasing popularity of mobile transactions, the global penetration of the internet, and involvement of multiple actors in the transaction chain, EMV tokenization seems to be the future of credit card payment security.
To learn more about EMV and credit card security, talk to the experts at IntelliPay. Sales@intellipay.com or 855-877-6332.