Forget EMV — We Want Secure Mobile Payments

05 Jul
2016

Forget EMV — We Want Secure Mobile Payments

I think everyone in the payments industry is equally frustrated with the move to EMV. The sheer cost of implementation is prohibitive for organizations, and that’s not even considering the lack of security inherent in EMV, but nevertheless EMV continues to be pushed on merchants worldwide. The biggest problem is that EMV offers no extra layer of security or authentication for card-not-present(CNP) transactions. In fact, after mass implementation of EMV across Europe, CNP fraud skyrocketed there, followed by Canada— and now the US is getting crushed with fraud. Thanks EMV.

Furthermore, banks are pushing back on fraud liability, and any merchants who are found to be non-EMV compliant will have to shoulder 100% of the financial burden resulting from fraud. How can merchants possibly withstand this burden and remain financially viable? Expecting US merchants to pay for a cost-prohibitive “security” technology, even though this technology does not, in fact, make transactional data more secure, and penalizing those who don’t wish to throw good money after bad, is an across-the-board losing proposition for everyone—except those benefiting from the sale of EMV equipment and services.

EMV Doesn’t Fight Fraud in the Long Run

EMV was intended to eliminate card-present fraud by combating card forgery and card theft. But it’s not even doing that effectively. EMV devices pass some payment card information in clear text—the most basic of all data security risks. This is a prime example of why this technology is faulty. In today’s complex marketplace where merchants have multiple acceptance channels in play, passing clear text data from one point to another is a serious liability and presents obvious attack vectors. EMV is also subject to “replay attacks”, where hackers actually capture and replay the data that’s passing from the card chip to the reader device. There is already a growing list of instances where, after EMV is implemented, replay attacks are being used successfully.

What’s even more disheartening about EMV is that it’s already a deprecated technology. EMV has been around for 20 years. It was first available in the UK, then across Europe, and most recently Canada. Now, it’s being rolled out in the United States, but cyber thieves have had the past two decades to figure out how to commit fraud, working around EMV “protected” cards. The rate of fraud for CNP has skyrocketed in Europe, as well as the United States where e-commerce sales reached $92.8 Billion in Q1 of 2016 with CNP fraud slated to break $7.2 Billion by 2020.

Mobile Payments Are More Secure Than EMV

Mobile payments are quickly becoming a much more secure technology than EMV. This is due to the device-based tokenization that the major mobile payment solutions are deploying. ApplePay was first-to-market using encryption for data in transit combined with device-based tokenization. Mobile payment apps like ApplePay securely capture customer payment card data by storing only a token representing the PAN on the device. Tokenization offers an asymmetric value so that if a device transaction is ever breached all that is exposed is meaningless—to the hacker—data. The cyber-criminal will never have the satisfaction of selling payment data, holding an organization hostage for an absurd bitcoin payoff, or creating bad press as the lead story about the latest breach on Krebs.

Protect the Complete Payment Cycle with TokenEx

As mobile devices with biometric passcodes become more prevalent, the secure payment apps and platforms will dominate mobile commerce. Using secure payment apps like ApplePay protects consumers and merchants far better than EMV at far less expense to the merchants. As mobile payment platforms provide secure, fraud-free transactions from the consumer end, it’s time to protect your backend data as well. Just like the mobile payment platforms use tokenization to safeguard the payment information on the mobile device, so you can use tokenization to secure all the payment and personal data you keep on your back office systems, call centers, web servers, and databases. The TokenEx Cloud Security Platform is designed to do just that.

If you are planning on building your own e-commerce app, an even larger issue looms—keeping all those mobile devices out of the scope of PCI compliance. To do so you need to ensure that any payment data entered through a mobile app is never stored on the mobile device or transmitted to back office systems. Here again, TokenEx can help with our web API and secure data vaulting. With TokenEx, you can be sure that mobile data is safely tokenized and transmitted to back office systems. Bonus—you can easily work with your choice of multiple payment processors supported by TokenEx.

With the TokenEx Cloud Security Platform our motto is: No Data. No Theft. TokenEx is the industry leader in securing transactions with cloud based tokenization and encryption. Email sales@tokenex.com today to learn how TokenEx is securing omni-channel payments and reducing the scope of PCI compliance.

Learn about a TokenEx client using tokenization to protect their mobile app.