CHICAGO — Many different data security technologies exist, but the payments industry “does not have what it needs for a global standard,” said Marianne Crowe, vice president of the Federal Reserve Bank of Boston.
The various members of the payments industry can’t even agree on current standards, so it’s not likely there would ever be one standard that all would deploy to cover security concerns, Crowe said.
“There’s no such thing, really, and never will be,” Crowe said during a presentation at the annual Chicago Payments Symposium at the Federal Reserve Bank of Chicago.
However, the inability to establish one standard does not stifle the industry’s efforts to develop strong layers of security, Crowe added.
Currently, security vendors recommend that as the U.S. moves to EMV chip-based cards, networks also support end-to-end encryption as the data travels and tokenization when the data is stored.
The Payment Card Industry Security Standards Council earlier this year eased its compliance guidelines, allowing merchants to establish their own encryption services rather than locking them to specific vendors.
Merchants and independent debit networks have often stated that EMVCo’s efforts to create a tokenization standard represent another move by the major card brands to control the operation of a security standard. As MasterCard and Visa began to tout tokenization as a key e-commerce safety element, merchants began to consider other options.
“Standards do exist, but there is no agreement on how to apply them,” said Peter Tapling, president and CEO of Authentify, an Early Warning company.
Authentication and risk are locked together, but merchants and banks don’t always agree on how many layers or steps a customer should endure for a transaction to be authorized, Tapling said.
As EMV moves the fraud liability over to merchants not able to accept chip cards, more merchants are going to want a final say in the authorization process, Tapling added. “It makes it more difficult, because merchants won’t want others deciding [if a transaction should be declined].”
As the U.S. also moves toward a faster payments system, fraud detection and analysis will have to be faster as well.
Some banks in the U.K. discovered that gaps in the faster payments network enabled the activities of fraudsters, said Julie Conroy, research director and analyst for Aite Group. “As payments get faster, it becomes even more essential for two-factor authorization and a layered approach to security.”
Real-time payments should not be confused with “computer real time” because a payment authorization can take many seconds, but still be considered faster, Tapling said. “Risk management and multi steps for security are not contrary to real-time payments.”
Crowe said the Federal Reserve’s secure payments task force has developed a set of sub-security products that will operate in a real-time network.
“There will be higher requirements for higher dollar amount transactions, but security remains a top priority of the system,” Crowe said.
Diligence by merchants and service providers in protecting their systems would help thwart many of the current data breach tactics, Aite’s Conroy said. “About 28% of attacks took place because of weak passwords, and another 28% occurred because of weak remote access security,” Conroy said.