Apple Pay and the card networks' support is boosting tokenization as a security option for mobile payments, though fraud trends suggest an even more layered approach will be necessary.
Tokenization is the industry buzzword today, said Richard Moulds, vice president of product management and strategy for Thales e-Security, a data security and key management provider, in an interview during the Money2020 conference in Las Vegas Nov. 2-5. "The huge database of tokens linked with personal data still needs to be locked down" with other methods, said Moulds.
Cloud databases, such as what Apple is using for Apple Pay credentials, are "honeypots of tokens," Moulds said. "Hackers seem to be focused on the point of sale right now," but as soon as those systems are secured, fraudsters will move to the next best thing, he said.
Moulds believes that as mobile payment systems move toward tokenization within the next year, fraudsters will focus their efforts on that infrastructure. This is especially distressing because tokenization is not well standardized, he said.
Because tokenization systems will allow holders of certain credentials to de-tokenize data, a fraudster could get their hands on those credentials. Or a fraudster could exploit a system through a man-in-the-middle attack, where the fraudster inserts himself or herself into the transaction flow so providers think they're passing the token to a good guy.
Visa, which in September announced Visa Token Service to enable tokenization on mobile devices, agrees that a multi-layered approach is needed to protect data.
"In terms of encryption, tokenization and EMV, we think they'll work together," said Stephanie Ericksen, vice president of risk products at Visa. "EMV to combat counterfeit fraud at the point of sale, tokenization to bring payments into mobile devices so they can't be reused in other channels, and moving to encryption secures data when it's stored."
The merchant liability deadline for EMV migration is October 15, 2015. While the U.S. is transitioning to EMV, many merchants are adding encryption since they'll still be getting information from mag-stripe cards, Ericksen said.
And this is especially important in light of the hacks to EMV mobile card readers during the Black Hat conference in Las Vegas in August.
Many issuers think they'll issue fewer cards, cutting costs, once they get EMV chip-cards in consumers' hands, but Moulds said this won't necessarily be the case, since most terminals will still accept mag-stripe transactions and most cards will still have the magnetic stripe on the back for consumers to fall back on.
The recent attention to security has been spurred by the rash of high-profile data breaches over the past year. Only about 1% of accounts are ever harvested after a data breach, said Robert Hunt, vice president and director of the Payments Card Center at the Federal Reserve Bank of Philadelphia, during an interview at Money2020.
But because consumers have to think about security more as they receive new cards in the mail after breaches, they may soon feel data breach fatigue, which could lead them to switch accounts or look to new payment methods, Hunt said.
The industry "has pushed all the security to the edge," said Laine Donlan, senior vice president of e-commerce payments and commerce at Bank of America, during a Money2020 panel discussion on Nov. 3. "Tokenization is a good example of, we as an industry to get some control back and put security paramount."
Donlan is hopeful that bringing issuers and networks together in the tokenization effort will allow banks to pinpoint for consumers where they've been breached and what to turn off. "We couldn't do that before because all the security has been federated to the end points," he said.
Because Apple has made tokenization cool, the security measure could also benefit the industry in that consumers will feel more secure making mobile payments and in turn make more of them, said Dave Fortney, senior vice president of product management and strategy at The Clearing House, during the panel discussion.
Also during the discussion, Kristin McClemont, chief client officer at Payfone, said she sees a future where tokenization is applied to data outside payment credentials. For example, email addresses, phone numbers and preferences could be tokenized as consumers grow concerned about online identity and privacy.
Moulds also has high hopes that the Bitcoin ecosystem will create a more secure framework for payments. Unlike Bitcoin, which sends real value in the form of keys over a secure network, traditional payments send fake (tokenized) information over an insecure network, he said.
With the introduction of multi-signature Bitcoin wallets, in which multiple parties must authorize a transaction before it's approved, and cold storage (offline) vaults, consumers should be more protected from wallet hacks.
Coinbase, a Silicon Valley-based Bitcoin startup that provides both consumer wallets and merchant services, launched multi-sig vaults on Sept. 29.
But the Bitcoin community needs to stop talking about protocols and start talking about convenient services, said Moulds. Apple Pay is a prime example of an industry participant developing a system based on consumer want, he said.
Apple Pay's addition of Touch ID biometric authentication is a positive step for payments security and adds significant convenience for consumers, said Moulds, although he sees that causing problems for banks in the future.
"In the next six months, consumers will think of biometrics as linked to payments and they'll want to be able to use biometrics to log in to their online banking app," he said. The consumer is then authenticating to the device instead of the app, which takes the control out of the hands of banks for authentication. Accepting Apple's approval would put banks at risk, but Moulds thinks soon a bank will accept Apple's biometric to differentiate itself.