For many, tokenization has become synonymous with EMV, and while the topics are related (EMV’s encryption process involves tokenization), there are important distinctions between the two.
Moving the Action Upstream
EMV’s main selling point is its enhanced security, which is achieved through a special type of tokenization. The EMV process generates a one-time-use “token” or cryptogram, which is then validated by the card issuer or its agent to complete the payment transaction. After the transaction has been completed, the token or cryptogram becomes useless. Therefore, if a hacker is able to intercept the transmission, the stolen data will have no further value in online transactions.
The notion of message validation via a token or cryptogram did not start with EMV, however. In many areas of the world, magnetic stripe transactions have historically leveraged a process called Message Authentication Code (MACing, in industry lingo), which uses a keyed hashing algorithm to create a cryptogram from the message field values. This cryptogram is then used to verify that the message data has not been altered during transmission.
The EMV encryption process produces what is essentially a glorified MAC; the key difference is that while a MAC is generated by the point-of-sale (POS) terminal, an EMV cryptogram, known as an authorization request cryptogram (ARQC), is generated within the card chip itself. So even if the terminal is hacked – which has been the case with several recent breaches – the terminal never handles data of lasting value for online transactions.
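A simplified model of the card-side cryptogram and the issuer-side check described above, added here as an illustration (it is not code from the original post or from any EMV specification). It assumes HMAC-SHA256 as the MAC and a constructed demo key in place of EMV’s block-cipher session-key derivation; the point it shows is why a captured cryptogram is useless for a second transaction.

```python
import hmac
import hashlib

# Constructed demo key. In a real deployment the ICC master key exists only
# inside the chip and the issuer's HSM; this hypothetical value is for illustration.
ICC_MASTER_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


def session_key(master_key: bytes, atc: int) -> bytes:
    """Derive a per-transaction key from the card master key and the
    Application Transaction Counter (ATC). EMV uses a block-cipher based
    derivation; HMAC-SHA256 is a stand-in here (assumption)."""
    return hmac.new(master_key, b"session" + atc.to_bytes(2, "big"), hashlib.sha256).digest()


def build_cryptogram(master_key: bytes, atc: int, amount_cents: int,
                     currency: str, unpredictable_number: bytes) -> bytes:
    """Card side: MAC over the transaction data. The ATC increments every
    transaction and the unpredictable number comes from the terminal, so the
    cryptogram is bound to this one purchase. Truncated to 8 bytes like an ARQC."""
    data = (atc.to_bytes(2, "big") + amount_cents.to_bytes(6, "big")
            + currency.encode() + unpredictable_number)
    return hmac.new(session_key(master_key, atc), data, hashlib.sha256).digest()[:8]


class Issuer:
    """Issuer side: recomputes the MAC and enforces a strictly increasing ATC."""

    def __init__(self, master_key: bytes):
        self.master_key = master_key
        self.last_atc = -1

    def authorize(self, atc: int, amount_cents: int, currency: str,
                  unpredictable_number: bytes, cryptogram: bytes) -> str:
        if atc <= self.last_atc:
            return "DECLINE: replayed or out-of-order ATC"
        expected = build_cryptogram(self.master_key, atc, amount_cents,
                                    currency, unpredictable_number)
        if not hmac.compare_digest(expected, cryptogram):
            return "DECLINE: cryptogram mismatch"
        self.last_atc = atc
        return "APPROVE"


def demo() -> tuple:
    """Constructed scenario: a valid purchase, a replay of the same
    cryptogram, and a tampered amount reusing the captured cryptogram."""
    issuer = Issuer(ICC_MASTER_KEY)
    un = bytes.fromhex("1a2b3c4d")  # terminal unpredictable number (constructed)
    crypt = build_cryptogram(ICC_MASTER_KEY, 17, 4999, "0840", un)
    first = issuer.authorize(17, 4999, "0840", un, crypt)
    replay = issuer.authorize(17, 4999, "0840", un, crypt)
    tampered = issuer.authorize(18, 9999, "0840", un, crypt)
    return first, replay, tampered
```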
A Step Forward, Not a Cure-All
EMV has proven itself as an effective deterrent to most instances of POS card fraud. In fact, we have already seen significant drops in fraud levels for chip-enabled transactions, even though they still comprise only about one-third of overall U.S. card transactions. Counterfeit card fraud on chip cards is virtually nonexistent because at present it is virtually impossible for fraudsters to create phony chip cards. While crooks have attempted to disable chips and cause cards to revert to magnetic stripe processing (a process known as fallback), such efforts typically trigger alarm bells that either block the transaction or, at minimum, alert the issuer to suspend the account soon after.
Where EMV falls short is in securing card-not-present (CNP) transactions. When there is no terminal available to process a chip, there is no means to activate EMV’s safeguards. In these cases, tokenization may hold the key to added protection – a particularly urgent matter given the continued growth of CNP transactions.
Implications for Testing Professionals
Experts believe the U.S. EMV changeover will extend well into 2018, and the number of testing scenarios will continue to expand in the transitional payments environment. QA testers must consider cards both with and without chips, terminals that are or are not chip-enabled (whether due to hardware limitations or the supporting software), chip cards that may revert or fall back to the magnetic stripe, CNP transactions, etc. And that is before overlaying the various smartphone-based payment apps, some with their own near-field communication (NFC) brands of encryption.
To assist financial services organizations with their payments testing, simulators can make use of “soft cards” in transactions (those not involving physical interaction with plastic). These soft cards are very useful because testers can readily see or modify various EMV card tags. This provides a rich payments testing environment for positive or exception tests that exercise the system’s encryption capabilities. Given the ever-expanding number of testing scenarios to cover, the adoption of next-generation simulators and payments testing software is key to improving both your organization’s efficiency and your product’s in-market quality.