There’s a massive card fraud problem in the US, and EMV isn’t going to solve it. Instead a number of new security protocols are being implemented for in-store and online payments to try to mitigate card data theft. Each of these protocols has strengths and weaknesses, but one of the newest security protocols — from Apple Pay — has security measures above and beyond the rest.
In two new reports from BI Intelligence, we look at the five new payments security protocols and the strengths and weaknesses of each, and then take a deep dive into the security behind Apple Pay, which we believe could fundamentally limit card fraud as it is conducted now.
Here are some of the key takeaways:
Apple Pay combines a number of existing security technologies to solve the major problems in payments security: Apple didn’t invent an entirely new payments security standard. Instead it found a solution to weaknesses in payment security and applied it in a way that does not require existing payments players to upend their systems and processes.
- Data protection: Apple Pay uses both encryption and tokenization to protect data and reduce sensitive data transmission down to one instance.
- Device authentication: Each Apple Pay transaction has a unique value that ensures that the transaction is coming from an authorised device.
- User authentication: Apple requires the user’s bank to have an additional user authentication system in order to further authenticate suspicious card registrations. In addition, Apple Pay requires fingerprint authentication through Touch ID in order to make fraudulent transactions from a stolen phone extremely difficult.
- Point-to-point encryption is the most tightly defined form of payments encryption. In this scheme, sensitive payment data is encrypted from the point of capture at the payments terminal all the way through to the gateway or acquirer. This makes it much more difficult for fraudsters to harvest usable data from transactions in stores and online.
- Tokenization increases the security of transactions made online and in stores. Tokenization schemes assign a random value to payment data, making it effectively impossible for hackers to access the sensitive data from the token itself. Tokens are often “multiuse,” meaning merchants don’t have to force consumers to re-enter their payment details. Apple Pay uses an emerging form of tokenization.
- 3D Secure is an imperfect answer to user authentication online. One difficulty in fighting online fraud is that it is hard to tell whether the person using card data is actually the cardholder. 3D Secure adds a level of user authentication by requiring the customer to enter a passcode or biometric data in addition to payment data to complete a transaction online. Merchants who implement 3D Secure risk higher shopping-cart abandonment.
To access the full reports from BI Intelligence, sign up for a 14-day trial here. Members also gain access to new in-depth reports, hundreds of charts and datasets, as well as daily newsletters on the digital industry.