Clearly two of the biggest buzz words this year are EMV and tokenization. Although they are frequently talked about together, EMV and tokenization represent two different initiatives and present opportunities as well as challenges for banks.
There has been a seemingly endless spate of data breaches in the United States. Recent breaches have occurred at health care providers, major retailers and the U.S. government. The retailer breaches in particular spurred the banking and card industry to take action against payment fraud through the rollout of EMV.
The EMV standard for using a microchip to store encrypted card data combined with a PIN requirement is aimed at reducing fraud at the point of sale by preventing the use of counterfeit mag-stripe cards. This technology has been used in Europe for nearly 20 years and has successfully reduced counterfeit cards being used at POS terminals. The United States, on the other hand, has resisted the deployment of EMV for years and is actually the last of the G20 countries to adopt EMV. There are many reasons cited for this delay from the cost of replacing cards to the cost of deploying new terminals to expected confusion by consumers. What is important to note here is that EMV chip enabled cards will clearly reduce card present fraud but do little in the way of reducing online fraud.
The October deadline for liability shift for card transactions have caused most issuers to make decisions around how and when they will replace their existing cards with chip-enabled EMV cards and they will have to determine if those cards will follow chip-and-pin and chip-and-signature.
Many have proactively replaced cards, particularly those that related to retailer breaches. Still there have been some bank issuers who have indicated that they will follow a phased approach to replacing existing cards, timing replacement with card expiration in order to space out the costs. Issuers have to upgrade their data infrastructure, update and redesign their cards, train their branch and call center employees and educate their clients as they coordinate the reissue of cards to their customers.
There are some best practices that can be taken from EMV rollout in other G20 countries. The rollout of EMV was successful in the United Kingdom, at least in part, because of the effort made by banks to educate their customers and employees about the changes that were happening. Frequent communications, having educational material and commonly asked questions available online are good approaches. U.S. banks need to emulate some of these practices around communication and education as the transition to EMV chip cards will present a different customer experience at the point of sale for consumers. Steps should be taken by banks to explain to consumers what they will need to do differently at the point of sale and discuss how these changes will help improve safety and security. This will be instrumental in mitigating the impact of these changes and driving smooth adoption.
The introduction of Apple Pay has introduced the term tokenization into the banking industry lexicon. Arguably it is the biggest topic to ever hit to payments ecosystem. Tokenization itself is not a new concept in payments and financial services. Tokens have been employed for many years to encrypt cardholder information post transaction authorization — so called data at rest on the acquiring side. What Apple Pay did was introduce the concept of payment tokens created on the issuing side by the networks. These tokens replace account numbers when payment transactions are initiated. These payment tokens are presented to merchants during a transaction to authorize payment. The tokens are managed by a new player in the payments ecosystem — a Token Service Provider or TSP. The TSP creates and stores tokens in a vault and coordinates with wallets, issuers and processors. Today, the card networks are providing token service provider services but it is entirely possible for other entities such as an issuer or a processor to provide these services.
Tokenization opportunities are expanding as financial institutions and other fintech providers begin to recognize that it’s not just a solution for payments. Tokenization can be viewed as a solution for any organization handling any sensitive data set from personally identifiable data like account numbers or data around a client’s financial accounts, tax information or other similar sensitive data. The proliferation of devices will continue to grow and token delivery devices will expand beyond smartphones and into wearables, Internet of things and technologies and devices that have yet to arrive.
The breadth of possibilities for tokenization uses in financial services means that it is very likely an issuer will need to support multiple channels and integration points. If you further have issuers eventually launch their own mobile wallets, they may consider it a beneficial to manage their own tokens and to support the wide variety of integration needs.
Consumer driven demand for payment security and convenience is key driver both EMV cards and tokenization. Consumers want to be able to pay where they want, when they want, with whatever card they desire and on whatever device (smart device, wearable) that they chose while ensuring that the security of the personal information is maintained.
The article was originally published on BankNews on August 25, 2015 and is re-posted here by permission.