The payments industry is quickly changing as new technologies become available and security concerns require financial institutions to react. As a result, a ton of new buzzwords and acronyms are making their way into our conversations. It’s easy to get lost in this alphabet soup. Here’s a rundown of what they stand for, what they do and in some instances how they work together to make our payments easier and more secure.
Tokenization is a method for protecting card data by substituting a card’s Primary Account Number (PAN) with a unique, randomly generated sequence of numbers. This “token” can be reversed to its true associated PAN value at any time with the right decryption keys. There are different kinds of tokens and different ways to create them, and a token can be merchant specific, single-or multi-use; tokens can be stored and managed in the cloud, in a token vault, or at a merchant location; and, once a token has been created, it may be tied to a card on file, an individual transaction, a payment card, or a device.
The random token sequence acts as a substitute value for the actual PAN while the data is at rest inside an issuer’s or retailer’s systems. Tokenization eliminates the need for merchants, e-commerce sites and operators of mobile wallets to store sensitive payment card data on their networks.Payment tokenization allows a consumer to register a payment card with a mobile wallet or online store, and replace the actual card number with a payment token number used for that merchant or wallet vendor. While tokenization is not a new concept, recent data breaches have increased awareness of the need to protect payment account credentials.
EMV (Europay, MasterCard® and Visa®) is a global payment system that entails putting a microprocessor chip into credit, debit and prepaid cards, making them less vulnerable to fraud for in-person transactions. These chip, or smart, cards generate dynamic data for each transaction, which prevents the transaction data from being reused fraudulently. That’s unlike the traditional magnetic stripe, which holds static data that does not change. This technology can be used in three main forms: contact, contactless and mobile. An EMV chip uses cryptographic keys to generate a unique code for each transaction, making it harder to clone and steal data.
EMV has been the talk of the payments space as the liability shift is less than six months away. After October first of this year, the liability for card-present fraud will shift to whichever party is the least EMV compliant in a fraudulent transaction. The cost of fraud will fall on the merchant if their point-of-sale systems are not in compliance with EMV changes, or chip-enabled. Javelin predicts that only 29% of credit cards and 17% of debit and prepaid cards will be chip-enabled by the end of 2015 and only 53% of POS terminals will accept chip cards.
NFC, or Near Field Communication, is a standards-based wireless communication technology that allows data to be exchanged between devices that are a few centimeters apart. NFC transmissions are short range and are used for more secure transactions – unlike radio frequency identification or RFID, which has a longer range and supports minimal security. An NFC-enabled phone is provisioned with a payment application and payment account information. That application and account information is encrypted and stored in a secure area in the phone. The phone then uses NFC technology to communicate with the merchant’s contactless payment-capable POS system. To pay, the consumer simply brings the phone to within a few centimeters of a contactless payment-capable POS system and the transaction occurs. According to security vendor association Eurosmart, a total of 350 million NFC-secure elements were shipped in 2014, a 30% increase over 2013. Eurosmart predicts that shipments may total 550 million this year.
HCE, or Host Card Emulation, enables NFC devices to perform contactless transactions in card emulation mode when the payment, other credentials and related card applications are stored somewhere other than the secure element. HCE introduces an option for the NFC controller to now additionally route communication from the contactless reader or POS terminal to an HCE service on the mobile device’s host CPU. In HCE, the payments application resides on the phone’s operating system and interacts with the cloud system and the NFC controller directly. There is no need for a card issuer to use SIM or other secure element for making contactless NFC mobile payments.
MST or Magnetic Secure Transmission technology generates an alternating current through an inductive loop of changing magnetic fields. The signal received from the device emulates the same magnetic field change as a magnetic stripe card when swiped across the same read head. MST works within a 3-inch distance from the read head.MST was patented by LoopPay, a mobile wallet solution that allows consumers to pay with their mobile devices and was recently acquired by Samsung. In order to keep the transaction secure, MST only exists during the transmission process. MST technology is not limited by form factor, making it a practical technology for mobile payments and is accepted by approximately 90% of merchants. MST does not require merchants to make changes to their existing payment systems.
How They Work Together
Technology is hard at work to secure consumer transactions and many of these advances in payment methods have similarities. The two best examples of these technologies working together are Apple Pay and Samsung Pay. Both use a tokenization process to keep card numbers private and both support NFC to transfer the card details. However, Samsung takes it a step further by offering MST technology, which allows consumers to conduct transactions at merchants that only support magnetic card readers. The other difference between the two wallets is that Apple uses the secure element to store tokens and payment credentials while Samsung uses HCE so that the credentials can be hosted outside of the secure element – in an operating system or the cloud, for example. In a sense, Apple Pay and Samsung Pay transactions are similar to an EMV transaction in that they prevent stolen card data from being used elsewhere. The unique device identifier that is created in a mobile transaction serves a similar purpose to the microchip on an EMV card, transmitting a dynamic cryptogram with every transaction.
We may never be able to eliminate fraud. However, with the big strides we are seeing across technology, payments and accreditations, we can expect a much more secure and complex payments infrastructure in the future, and one that will be harder to penetrate.