MasterCard, Visa and American Express Call for Hard-to-Counterfeit Credit Cards and Tokens Replacing Account Numbers to Help Plug Breaches

Posted on February 10th, 2014 by Dan Rampe


“Once more unto the breach, dear friends, once more; Or close the wall up with our English dead!” (Shakespeare, Henry V).

Piling up English dead to stop hackers sounds a mite extreme – especially if you happen to be English. However, MasterCard, Visa and American Express are pushing for new technologies to make it more difficult for cybercriminals to exploit businesses and their customers.

MasterCard CEO Ajay Banga said merchants and payment processors have to work toward chip technology and tokenization to improve security. “We’ve got to get ahead of this as we go forward otherwise you’re going to have [more breaches like Neiman Marcus and Target]. The more often it happens, the worse it feels.”

Chris McWilton, MasterCard’s president of North American markets, wrote to merchants reminding them that a “liability shift” is in the works. Merchants not upgrading to a safer technology would be responsible for paying for defrauded customers.

One of those technologies, writes Christina Rexrode on marketwatch.com, is the EMV (Europay, MasterCard, Visa) chip, which is “sometimes called ‘chip and PIN’ or ‘chip technology’ [and is] supposed to be harder to copy than cards with only magnetic stripes.”

Visa’s CEO Charlie Scharf says he’s seen “a large number of the big merchants” commit to chip technology and “a number of the banks” already issuing chip cards.

Banga says, “Everyone needs to be on the bandwagon. Banks need to be there, merchants need to be there, governments are clearly there. We need to get the networks there and the acquirers there, and I think there’s a lot of progress on that front.”

Rexrode writes that “in markets where chip technology was installed, MasterCard [reported] it saw a 60% to 80% decrease in counterfeit fraud.” And, while chip technology would not have prevented a data breach like the one Target suffered, MasterCard’s Banga said chip technology would make stolen data “much, much, much less valuable to a fraudster, because it’s tough to counterfeit the card, and it’s almost impossible to duplicate all the unique data that flows for that transaction to get approved.”

Tokenization is another safeguard that MasterCard, Visa and American Express are urging be adopted. Tokenization lets customers shop online without entering their account numbers, which are replaced by other identifiers known as tokens.

ThreatMetrix secures Web transactions against account takeover, payment fraud, identity spoofing, malware, and data breaches. The ThreatMetrix Global Trust Intelligence Network, which analyzes 500 million monthly transactions, provides context-based authentication and Web fraud prevention to help companies accelerate revenue, reduce costs and eliminate friction. ThreatMetrix protects more than 160 million active user accounts, 2,500 customers and 10,000 websites across a variety of industries, including financial services, enterprise, e-commerce, payments, social networks, government, and insurance. For more information, visit www.threatmetrix.com or call 1-408-200-5755.

Join the cybersecurity conversation by visiting the ThreatMetrix blog, Facebook, LinkedIn and Twitter pages.

 

MasterCard, Visa and American Express Make “Token” Gesture. Propose to Replace Account Numbers with All-Purpose Tokens for Online and Mobile Shopping.

Posted on October 14th, 2013 by Dan Rampe


Quoting U.S. Census Bureau figures that approximately six percent of all retail is done digitally, MasterCard, Visa and American Express jointly announced they were working on a new global standard “to enhance the security of digital payments and simplify the purchasing experience when shopping on a mobile phone, tablet, personal computer or other smart device.”

The proposed standard would replace account numbers with digital payment tokens in online and mobile transactions, and merchants, digital wallet operators et al. would no longer have to store customer account numbers.

According to the release, tokens, which would be available to payment networks and “other payment participants” (whoever they are), contain the following key elements (Note: bulleted items are verbatim from the press release):

  • New data fields to provide richer information about the transaction, which can help improve fraud detection and expedite the approval process
  • Consistent methods to identify and verify a consumer before replacing the traditional card account number with a token
  • A common standard designed to simplify the process for merchants for contactless, online or other transactions

Ed McLaughlin, Chief Emerging Payments Officer, MasterCard, offers, “This continued transition from plastic cards to digital is all about providing consumers with the ability to easily and safely make a purchase. They would no longer need to store their actual card account number when shopping online or with a smart device; the token would serve as that stand-in.”

Don’t know if it’s really safer or easier, but according to the release the token would work this way:

“Once a standard is agreed to and implemented, issuers, merchants or digital wallet providers would be able to request a token so that when an account holder initiates an online or mobile transaction, the token – and not the traditional card account number – would be used to process, authorize, clear and settle the transaction in the same way traditional card payments are processed today. Tokens can be restricted in how they are used with a specific merchant, device, transaction or category of transactions.”
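A minimal sketch of the token flow the release describes, added here as an illustration and not taken from the release or from any card network: a vault hands out a random stand-in for the account number and honors it only within the merchant, device or single-transaction restriction it was issued with. The `TokenVault` class, its method names and all sample values are hypothetical.

```python
import secrets


class TokenVault:
    """Toy token service: the only place the token -> account number map lives."""

    def __init__(self):
        self._entries = {}

    def request_token(self, pan, merchant_id, device_id=None, single_use=False):
        # Random digits of the same length, so the token fits existing card
        # fields but is not derived from the account number and cannot be
        # reversed without access to the vault.
        while True:
            token = "".join(secrets.choice("0123456789") for _ in pan)
            if token != pan and token not in self._entries:
                break
        self._entries[token] = {"pan": pan, "merchant": merchant_id,
                                "device": device_id, "single_use": single_use}
        return token

    def authorize(self, token, merchant_id, device_id=None):
        """Return the account number, or None if the token is unknown or
        is presented outside the restrictions it was issued with."""
        entry = self._entries.get(token)
        if entry is None or entry["merchant"] != merchant_id:
            return None
        if entry["device"] is not None and entry["device"] != device_id:
            return None
        if entry["single_use"]:
            del self._entries[token]  # a replayed token is no longer known
        return entry["pan"]


def demo():
    vault = TokenVault()
    pan = "4111111111111111"  # constructed test value, not a real account
    bound = vault.request_token(pan, "shop-a", device_id="phone-1")
    once = vault.request_token(pan, "shop-a", single_use=True)
    return {
        "legit": vault.authorize(bound, "shop-a", "phone-1") == pan,
        "other_merchant": vault.authorize(bound, "shop-b", "phone-1"),
        "other_device": vault.authorize(bound, "shop-a", "laptop-9"),
        "single_first": vault.authorize(once, "shop-a") == pan,
        "single_replay": vault.authorize(once, "shop-a"),
    }
```

A token copied out of the merchant's systems is refused when presented by a different merchant or device, or a second time if it was single-use, which is what makes it worth less to a thief than the account number it replaces.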

Supposedly, tokens and the development of a global standard make it possible to create “a new generation of payment products” while “maintaining compatibility with the existing payments infrastructure.”

MasterCard, Visa and American Express explain that the key principles driving the development of a token standard for digital payments are, in the words of the release:

  • Ensuring broad-based acceptance of a token as replacement for the traditional card account
  • Enabling all participants in the existing ecosystem to route and pass through the payment token
  • Enabling digital wallet operators, mobile application developers and others to easily and securely develop innovative payment products
  • Improving cardholder security with tokens that are limited for use in specific environments

The framework that’s been proposed is intended to be presented to other “partners and independent industry bodies. These include The Clearing House, PCI Security Standards Council and EMVCo.”

ThreatMetrix™ secures Web transactions against account takeover, payment fraud, identity spoofing, malware, and data breaches. The ThreatMetrix™ Global Trust Intelligence Network, which analyzes 500 million monthly transactions, provides context-based authentication and Web fraud prevention to help companies accelerate revenue, reduce costs and eliminate friction. ThreatMetrix protects more than 1,900 customers and 9,000 websites across a variety of industries, including financial services, enterprise, e-commerce, payments, social networks, government, and insurance. For more information, visit www.threatmetrix.com or call 1-408-200-5755.

To join in the cybersecurity conversation, follow us on Twitter @ThreatMetrix.