An Expert’s Take on the Shift in Payments Security

If you read the latest issue of The Connection magazine, you may have seen Gabrielle Guerrera’s recent article with Terence Spies, the chief technologist at HP Security Voltage. Gabrielle and Terence discussed the imminent implementation of Europay, Mastercard, and Visa (EMV) standards in the United States and how they will affect HP NonStop users and the payments industry as a whole. Here Gabrielle dives even deeper to discuss with Terence where criminals may be shifting their focus, if mobile payments are as secure as one would think, and how tokenization and encryption play essential roles in the safety of consumer identities. This article originally appeared on the NonStop Innovations Blog.

Gabrielle: Now that chips are being added to credit cards, are POS systems updated to process them?

Terence: POS systems are being updated as we speak, but some companies still have POS systems that are basically straight magnetic card readers. Soon there are going to be large incentives in place for merchants to upgrade to EMV-capable readers. Those EMV readers will have additional electronics inside allowing them to read and interact with the actual chip. Not everyone has them yet, but you will see those starting to get deployed with merchants in the coming years.

Gabrielle: In your opinion, now that security is increasing for POS purchases are hackers going to be focusing more on online payments?

Terence: That is certainly something we have seen in the past. If you look at the data from when the U.K. moved from magnetic stripe to EMV chip technology, there was certainly a huge shift to fraud in the online space because the chips only work for “card present” transactions. Since that has been the case in the past, I think people within the industry have taken that lesson regarding online fraud shifts and have invested in technologies that will help forestall it. There are always going to be people interested in attacking the payment system for profit, and increasing the security in one area is just going to cause them to shift their energy to areas with lower security. It is a good bet that increasing security around POS is just going to lead criminals to start focusing on online and other mechanisms that do not have these dynamic identifiers.

Gabrielle: What significance does the shift to mobile payments have in the payments security world?

Terence: You can think of the EMV card as a shift to a smarter payment endpoint that lets data authentication happen in a much more sophisticated way than just having it stored on a magstripe. Mobile payments represent a little bit of a competition to the EMV card: rather than carrying around a card with a computer in it, I already have a computer that I carry around, so it allows us to do payments in a way that is better for the consumer.

There are simply more sophisticated levels of interaction you can do. The significance in terms of security is the shift to mobile payments allows us to rethink the built-in aspects of the payments industry: tokenization and dynamic identifiers. It helps create a more secure kind of environment from the endpoint itself. It is definitely one entrant in this overall race to cure the payment space and is driving a lot of technology that is going to have an impact across the whole industry.

Gabrielle: Is tokenization better than encryption, or vice versa?

Terence: I don’t think of encryption or tokenization as better or worse than each other. You should think of tokenization and encryption as the airbags and the crumple zone of your car. They are different technologies that solve different things, but work together to make a more secure whole. Encryption is a technology that is intended to protect data while it is being transmitted. There is a huge amount of investment being done in encryption to protect the data from the point of swipe until it gets to a particular payment host – called point-to-point encryption (P2PE). It is not better or worse than tokenization, they are just solving different problems.

Encryption is fundamentally a technology that is about securing that data while it is being transmitted and pushed around. The fact that encryption is keyed is vital to being able to, for example, change and alter that key to prevent people from being able to get access to that data. Encryption can create an extremely strong barrier against information theft, so it is not regarded as something that is going to be weaker or insufficient to protect a piece of data.

Tokenization, on the other hand, is essentially the method of creating pieces of data that are going to be put into storage. Once the card data is going to be stored at a merchant store or processor, tokenization will take over and create that substitute value that can be used in place of the credit card number itself. So you can think of encryption as a pre-authorization activity, and tokenization as kind of a storage or post-authorization activity.

Tokenization protects specific data on items in such a way that tokens can be used in place of the credit card numbers. There are lots of different kinds of tokenization, and people use that word for different architectural solutions; for example, Apple Pay uses a token in order to create a transaction, and that is what is typically called “payment tokenization”. This creates a payment mechanism based off of a token where that token can be used in certain circumstances to actually initiate a transaction. Security tokenization happens post-authorization, creating what we call a “zero value token” that cannot be used as part of a transaction but can be used for analysis.

The main differentiation in the tokenization space is going to be in payment tokenization, where the token will be used to replace a card for transaction purposes; and in security tokenization, where the replacement for the card is intended for analytic or backend office uses. They are similar types of technology, but operationally get used in different ways.

The biggest response I would have to your question would be that encryption and tokenization are not better or worse than each other; they can both be used in ways that create an enormously strong barrier against fraud and card theft. They just get used in different parts of the transaction lifecycle to achieve different aims.

Gabrielle: What are your thoughts on HP’s acquisition of HP Security Voltage so far? Is the transition going smoothly?

Terence: Things have been fantastic. Payment security is one aspect of what we do, but there has been an industry-wide interest in data-level security as a whole within the payment space. HP Security Voltage products form a really fantastic complement to the Atalla products in terms of enabling us to do encryption and key management across a whole different set of application spaces and at different levels of the stack.

On NonStop, is NonStop being used to process PII (personally identifiable information) data or healthcare data, in addition to payment data? Or are there people interested in encryption at different parts in the stack, or in doing tokenization of other kinds of information? The combination of those two technologies gives them a lot of choices with respect to how they do that implementation. It enables them to secure a lot more applications than they may have been able to do in the past. We think there will be a lot of upsides as we start more actively integrating these technologies together to give people a comprehensive method for encrypted key management.

We are super excited. It gives us a lot of scope and visibility, and also I think the integration with Atalla presents a lot of technical opportunities to make a more comprehensive architecture for key management encryption. 
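The interview above draws a line between encryption, which protects card data in transit before authorization, and security tokenization, which replaces the stored card number after authorization with a "zero value token" that is useless for a transaction but still fine for analysis. The following is an added example, not code from the interview or from HP Security Voltage or Atalla, of what that post-authorization token property looks like in practice. It is a minimal vault-based tokenizer (the names `TokenVault`, `tokenize`, `detokenize` and `transactions_per_card` are this example's own assumptions): the token keeps the card number's length and last four digits so back-office reports still work, it is deliberately generated to fail the Luhn check so it can never be mistaken for a real PAN, the same card always maps to the same token so repeat-customer analysis needs no PAN at all, and recovering the PAN requires an explicit vault lookup.

```python
"""
Added example (not from the interview, HP Security Voltage or Atalla): a
minimal vault-based security tokenizer illustrating a "zero value token".

Properties the code enforces:
  * token keeps the PAN's length and last four digits (format preserved
    for analytics and reporting);
  * token is NOT a valid card number: it is generated to fail the Luhn
    check, so it cannot be submitted as a PAN in a transaction;
  * tokenization is deterministic per PAN (same card -> same token), so
    repeat-customer analysis works without the PAN;
  * getting the PAN back requires the vault (an explicit, auditable lookup).
"""
import hashlib
import hmac
import secrets


def luhn_valid(digits: str) -> bool:
    """Standard Luhn check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical in-memory vault; a real one is a hardened, access-controlled store."""

    def __init__(self, vault_key=None):
        # Keyed fingerprint so the PAN itself is never used as a dictionary key.
        self._key = vault_key or secrets.token_bytes(32)
        self._by_token = {}     # token -> PAN (the vault proper)
        self._by_fp = {}        # HMAC(PAN) -> token, for deterministic reuse

    def _fingerprint(self, pan: str) -> str:
        return hmac.new(self._key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        """Return the zero-value token for a PAN, creating one on first sight."""
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a well-formed PAN")
        fp = self._fingerprint(pan)
        if fp in self._by_fp:
            return self._by_fp[fp]
        last4 = pan[-4:]
        while True:
            middle = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = middle + last4
            # Zero-value requirement: reject any candidate that passes Luhn
            # (it could be a real card), equals the PAN, or is already in use.
            if luhn_valid(token) or token == pan or token in self._by_token:
                continue
            break
        self._by_token[token] = pan
        self._by_fp[fp] = token
        return token

    def detokenize(self, token: str) -> str:
        """Vault lookup; in production this is the privileged, audited path."""
        return self._by_token[token]


def transactions_per_card(vault: TokenVault, pans) -> dict:
    """Back-office analysis on tokens only: how many transactions per card."""
    counts = {}
    for pan in pans:
        t = vault.tokenize(pan)
        counts[t] = counts.get(t, 0) + 1
    return counts


if __name__ == "__main__":
    # Constructed sample PANs (publicly known test numbers, not real cards).
    vault = TokenVault()
    sample = ["4111111111111111", "5500000000000004", "4111111111111111"]
    for tok, n in transactions_per_card(vault, sample).items():
        print(tok, "luhn_valid=%s" % luhn_valid(tok), "transactions=%d" % n)
```

Note that the encryption half of the interview's comparison is deliberately absent here: the vault key above is used only for the PAN fingerprint, not to encrypt anything, which is exactly the distinction Terence draws. Encryption is keyed and reversible by anyone holding the key, so it suits data in motion; a security token carries no recoverable information at all, so its only way back to the card is through the vault.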
