It’s fair to say that Jeremy King of the PCI Security Standards Council and I do not always see eye to eye on things. In fact we’ve disagreed more than once (in public) about the usefulness of PCI-DSS. But I have to say that Jeremy is absolutely spot on here:
King says it will take years for the rollout of tokenization and end-to-end encryption to be completed. And once the U.S. migrates to EMV, “we will see a move of the fraud to card-not-present,” he says[From How EMV Could Affect Role of PCI-DSS – BankInfoSecurity]
I think that when you look at the big picture you can see that there is a problem brewing. It is taken so long to get to the position where the US is finally on-board with the general concept of a shift to chip and PIN, even though most US consumers still do not have chip cards, that you can’t help but wonder whether the effort is going to be worth it. As Jeremy says, the shift to card-not-present fraud is about to accelerate and there’s not much that EMV can do about it. I saw the same point being made in another article a few days ago:
For one thing, EMV security only addresses the issue of counterfeit cards, which account for around 10 to 15% of credit card fraud in the United States.[From EMV s the 15% Solution for Card Fraud | PaymentsSource]
As it happens, that’s not true, at least according to Aite Group, who put counterfeit and lost/stolen fraud, the frauds that should be tackled by EMV (or at least if EMV cards are issued with correct ICVV, correct service codes and no fallback at ATMs) at around half of all fraud.
In the United States, card-not-present fraud is already a big problem. In fact, it accounted for 45 percent of credit card fraud in 2014, followed by counterfeit card fraud (37 percent) and lost/stolen cards (14 percent).[From Credit card fraud and ID theft statistics – NASDAQ.com]
Well whichever fraction it is you can see the issue. If the British patterns are anything to go by then the growth in card-not-present fraud will exceed the drop in card-present fraud and so the overall fraud rate will continue to rise. This is why I’ve said at a couple of recent events that I think that tokenisation is going to be more important than chip and PIN and I’d be curious as to your feedback on my three central arguments on this front!
First, tokenisation helps to reduce fraud in the fastest-growing areas, online and mobile. You can’t use a token outside of its defined domain and if you were able to steal a token out of my iPhone, you wouldn’t be able to use it in your iPhone.
Second, tokenisation could help to reduce fraud in card present environments if, as I anticipate, there is a shift towards in-app purchasing even in store. I can easily imagine standing in Tesco and paying using a Tesco app on my phone (using tokenisation) rather than by taking out a card and using it in the POS terminal in front of me.
Third, there are new things that we can do with tokenisation that we simply can’t do with the existing infrastructure. In addition to the “plain” token that the bank puts into my handset, it could load other tokens for a variety of useful purposes: I wrote before about the idea of issuing a stealth token for use in online dating, adult services and other privacy sensitive environments but you can also imagine tokens that are issued for specific purposes such as a campus, or just for a day, or just for a particular website. Given the significant investments that most of our clients have made in tokenisation infrastructure, the need to develop additional services on top of the infrastructure is pressing, so I expect to see innovation in that field.
In the long term, the ability to deliver and maintain consumer security and privacy through tokenisation will be a crucial function of banks. This is why I think my apparently outrageous claim that it is more important than chip and PIN is justified, but if you don’t agree I’d still love to hear from you.