Fast-developing technologies are dumping fresh risk on a payments industry already reeling from a parade of data breaches, placing more pressure on cross-industry efforts to improve security.
"We have to recognize that everyday payments technology is very diverse, and every day it becomes more diverse," said Troy Leach, chief technology officer of the Payment Card Industry Security Standards Council, which is working on a mix of guidance documents and updates to address the myriad changes, while it also engages independent sales organizations, financial institutions and other stakeholders to find ways to ease data management stress on businesses.
A convergence of issues requires attention from merchants and acquirers. These include the growth of hosted payment systems, the rise of Internet-connected devices, the spike in tokenized mobile payments driven by Apple's and Samsung's mobile wallets, and the boost in card-not-present fraud that will likely accompany the EMV migration, Leach said.
All of these developments impact how data moves between consumers, banks, merchants and other parties, creating potential vulnerabilities that the council hopes to address in the next few months.
Tokenization, in which a substitute ID is used to shield an actual account number during a mobile or Web transaction, will be vital to security as technology evolves. "It's a practice that's getting a lot of buzz right now," Leach said.
The card networks are pushing tokenization, while working on their own solutions. Apple Pay and Samsung's new mobile payment initiatives also use tokenization.
The council will publish best practices for tokenization in an attempt to establish standards for the technology's use in data protection, Leach said. "There are a lot of different technologies that are using the nomenclature of 'tokenization,' and our work is to ensure anyone who receives card information is able to protect that information from fraud," Leach said.
The steady increase of Internet-connected devices such as smartwatches also complicates data management, Leach said.
But there is more to this trend than just mobile and wearable devices. More merchants are turning to open development and third-party software to enable remote processing.
Both of these trends change the point of origin of a payment, which adds another variable to the data protection equation, Leach said.
"To protect data we have to look at where a cardholder may be when making a purchase," Leach said, adding that possible solutions include encrypting data in the merchant's environment and shielding it through the processor. "What is returned to the merchant is the token from the acquirer, so the merchant does not have to store 'static' data."
While the PCI Council works to confront these trends, it also faces other challenges, such as the trouble smaller merchants have long faced in achieving and maintaining compliance with the PCI Data Security Standard. These challenges, which can remove PCI's "stamp of approval" for security, can pose marketing challenges for payment technology companies.
The PCI Council's ultimate goal is to eliminate the opportunity to compromise usable data by providing the strongest shield possible across the entire transaction path, Leach said. "The endgame is to get to a point where we have dynamic data that would be of no use to crooks on the black market."
The Council has its work cut out for it, as analysts say the threat to the payments ecosystem continues unabated.
While point-of-sale malware is not new, it's becoming less expensive for fraudsters to obtain and deploy; some fraud tools cost as little as $2,000 in underground forums, said Julie Conroy, a research director at Aite Group. Attackers are also able to use corporate networks to plant malware in point-of-sale environments.
"The deployment of EMV in the U.S. will make it more difficult for criminals to monetize these breaches, but the migration will have a long tail, so there are plenty of places criminals will be able to use compromised card data for years to come," Conroy said.
Fraudsters have also improved their skills at compromising retailer systems, said Al Pascual, director of fraud and security for Javelin Strategy & Research.
"These types of attacks are more efficient, as once the vendor has been compromised and remote access credentials are stolen, cybercriminals can then go on to breach the systems of hundreds of merchant locations with little extra effort," Pascual said. "The problem hasn't gone away on its own. It's just gotten worse, which is why the PCI Council's guidance is sorely needed on this topic."