Tokenization no POS panacea; retailers need balanced security strategy

Payment security technology is top-of-mind for most retail IT executives who are seriously considering, if not aggressively adopting, EMV chip card systems, tokenization, Apple Pay and point-to-point encryption. All are important, but none are complete solutions in and of themselves.

For example, new tokenization security standards were recently released, but CBI Labs pointed out that retailers need a more comprehensive approach to point-of-sale security. Data from CBI, an IT risk management advisor, shows tokenization is effective at preventing breaches at the server level, but the majority of data theft happens at the point-of-sale, where tokenization technology is ineffective. Therefore, retailers need to do more to secure the POS, said Wolfgang Goerlich, a cyber security strategist at CBI.

"The payment landscape is becoming increasingly crowded, with new entrants and technologies," he told FierceRetailIT. "Plus, with the approaching arrival of global EMV standards in the U.S. market, traditional card-based payment systems will be affected, forcing retailers to bring their point-of-sale and payment systems in line."

CBI Labs found that, of the 22 major data breaches in 2013-2014, 59 percent would not have been prevented with tokenization technology; those breaches accounted for 154 million, or 97 percent, of the stolen records. Nine, or 41 percent, of the breaches occurred on the database/server where tokenization is helpful. Thirteen, or 59 percent, of the breaches occurred at the POS where tokenization, which allows users to access the cloud application and data, is not applicable.

Tokenization is a technique for safeguarding sensitive information, Goerlich explained. Tokens replace the credit cards or banking numbers for transactions. That way, the information that leaves the bank or retailer is the token, not the sensitive information.

"With tokenization, sensitive customer data stays within the bank's control and external systems do not have access to the actual data," he said. "If a criminal was able to penetrate the cloud service, the only thing the criminal would see would be meaningless tokens."

However, tokenization takes effect after the credit card has been swiped, protecting the data from that point forward. It doesn't protect the memory in the POS machine, he said.

EMV and Apple Pay are two solutions being considered as retailers work to determine what can be done to secure the POS.

"The weaknesses of end-to-end tokenization are at the ends where credit card data is available," Goerlich said. "Apple Pay tokenizes the credit card and passes the token to the point-of-sale. The endpoint is no longer the point-of-sale, where breaches such as Target and Home Depot occurred. By tokenizing earlier and moving the end, Apple Pay avoids the way credit cards are commonly stolen." 

EMV is effective in reducing fraudulent transactions and preventing credit card fraud. "Through increased security features via chip cards, fraudulent transactions will help to be reduced," Goerlich said. "EMV also will open the way for countless payments to be conducted via the chips embedded in the cards or via smart mobile devices. However, EMV-capable terminals are more expensive to manufacture, and will be expensive for retailers to upgrade."

Healthy security means "a balanced diet" of investments in the entire payment processing system. While retailers should consider POS systems that allow for EMV transactions, they should also plan to upgrade internal payment systems and offer shoppers both traditional swipe and chip options for the foreseeable future, Goerlich said.

"Retailers can protect their customers and their business with POS technology that prevents criminals from reaching their system's data," he said. "Retailers also should consider choosing point-to-point encryption that is compliant with security standards and able to implement multiple safeguards."

Securing credit card information comes down to securing all points along the payment processing chain. "Though tokenization and EMV have a place, there is no silver bullet. Retailers must consider and assess the security along all points in their processing," Goerlich said.
