E-COMMERCE
By: Ruston Miles Chief Innovation Officer, Founder Bluefin Payment Systems
I
f 2015 was the year of EMV in the U.S., it seems only fair that 2016 should be the year of its complementary technologies – tokenization and point-to-point encryption (P2PE). Throughout 2015, the extraordinary focus on EMV in the media and elsewhere has sucked the oxygen out of any discussion of the pan-industry Payments Security Taskforce (PST) “secure-all-channels” strategy, of which EMV implementation is but one of three technological elements. Yet this strategy, implemented holistically, is the key to ending the “data breach era”. Whether 2016 can mark the beginning of a new era in payments security depends on a few things happening in the year to come As EMV adoption gathers pace,
28
Payment Quarterly | Q1 2016
we can expect stragglers - indeed gas stations have until 2017 to adopt chip technology. Nevertheless, as chip card use becomes ever more widespread and embedded, we can expect domestic counterfeit fraud to decrease and, to some degree (depending on the authentication protocols set by the issuing banks), lost or stolen card fraud to do likewise. We can expect this to be a relatively shallow but notable upward curve toward the end of the year. Meanwhile, as criminals are thwarted in these areas, they will turn to other areas of perceived weakness in the payments system; for example, card not present (CNP) fraud is expected to increase and merchant systems will be subject to renewed attacks. Reacting to this, and able to turn their attention and resources from EMV, merchants will begin to focus more on securing the data within their systems, through tokenization, which protects data at rest and P2PE, which protects data in transit, particularly at the Point-of-Sale. Protecting the Point-of-Sale is extremely important. Nearly all of the high-profile data breaches of recent years have been a consequence of a criminal attack using Point-of-Sale Malware and the Federal Bureau of Investigation (FBI) continues to warn
regularly of new forms of Malware, usually with exotic names, like Punkey or MalomPOS. We can expect these warnings, and indeed, data breaches to continue in 2016. Further to this, we can expect industries previously untroubled by the hackers to suffer. In late 2015, we saw an increase in attacks on hotels and hospitality management businesses. It is likely that we will also see medical practices and charities targeted, alongside universities where criminals have had considerable success. In the face of renewed attacks, we can expect merchants to focus more on P2PE to protect the Point-of-Sale. In fact, some merchants simply need to activate technology that they already have in place (it is one of the ironies of the Home Depot data breach that, according to an article in the Wall Street Journal, the Malware involved would have been defeated if existing P2PE systems at the Point-of-Sale had been turned on at the time). An increasing realization among merchants that the data breach challenge has to be addressed and that EMV has barely a walk-on role in doing so, will increase demand for P2PE, particularly given unprecedented steps taken in 2015 by the Payment Cards Industry Security Standards Council