The exchange of money for goods and services has always brought with it the need for protection and security. When we focus on payment cards, several protection methods have emerged over time.
Cardholder authentication mechanisms such as PIN or CVV2, the EMV chip in place of magnetic-stripe data, encryption of card data during transmission, and tokenization are examples of these.
How do mobile wallets collect and store payment card information?
Digital wallets are applications that allow you to store and organize your identity documents, bank details, concert tickets, airline tickets, cryptocurrencies, and payment cards on your mobile phone, computer, smartwatch, or tablet.
This information can then be sent to other devices that use wireless technologies (NFC or Bluetooth) to make payments or verify the information. Physical cards are no longer required with digital wallets and wireless transmission technologies. Apple Pay, Google Pay, and Samsung Pay are examples of mobile wallet providers.
It is simple to link or register a credit or debit card with these mobile wallets; all that is required is a device that meets the installation requirements. The payment card details are then scanned or entered manually into the app and sent to the payment network for validation. Once this procedure is complete, the user can pay at terminals with their mobile device instead of a physical card.
The most notable aspect of this technology is that the merchant never sees the actual data of the linked payment card when you make a payment. The card information is also not stored on the user’s device. This reduces the risk of fraud and of disclosure of that information. The security feature behind this is a technology known as “tokenization.”
Tokenization is the process of replacing sensitive data with non-sensitive substitute values known as tokens. A token provides the same functionality as the original data, with the added benefit that the confidential information it stands for cannot be extracted or inferred from the token itself.
In the card payments industry, a token is a non-secret value used in place of Primary Account Number (PAN) data. Not all tokens in this field are alike, however: they vary depending on many variables, which fall under three main categories: acquirer tokens, issuer tokens, and payment tokens.
Payment tokens, also called EMV tokens, are the kind used in mobile payment apps.
A payment token differs from acquirer and issuer tokens in that its format conforms to the parameters described in the EMVCo technical specification. Payment network routing and processing follow the same steps as a regular transaction, but without revealing the original PAN. This minimizes risk, and the regulatory compliance burden, for merchants using this method.
The management of such tokens is the responsibility of entities registered with EMVCo as Token Service Providers (TSP). These TSPs provide tokenization services to entities known as Token Requestors (TR), which must be registered with the TSP before they can initiate token requests.
In the case of Apple Pay, Google Pay, and Samsung Pay, the companies behind these apps act as Token Requestors.
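The following is an added example written for this article to illustrate the tokenization and TSP/TR model described above; it is not the implementation of Apple, Google, Samsung, EMVCo or any real token service provider. It assumes a constructed token BIN prefix (999999), the well-known industry test PAN 4111111111111111 as constructed input, and an in-memory dictionary standing in for the TSP's vault. It shows the properties the text relies on: only a registered Token Requestor can obtain a token, the token is format-preserving (numeric, 16 digits, Luhn-valid) so it routes like a card number, it is drawn from a CSPRNG so nothing about the PAN can be inferred from it, and only the TSP side can map it back to the PAN.

```python
import secrets
from typing import Dict, Optional, Set

# Constructed placeholder for a token BIN range; real token BINs are assigned by the payment networks.
TOKEN_BIN = "999999"
# Constructed test PAN (a well-known industry test number, not a live card).
TEST_PAN = "4111111111111111"


def luhn_check_digit(payload: str) -> str:
    """Return the check digit that makes payload + digit pass the Luhn test."""
    total = 0
    # Walk the payload right to left; the digit nearest the check digit is doubled first.
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def is_luhn_valid(number: str) -> bool:
    """True when the last digit is the correct Luhn check digit for the preceding digits."""
    if not number.isdigit() or len(number) < 2:
        return False
    return luhn_check_digit(number[:-1]) == number[-1]


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits, the most PCI DSS permits in logs or receipts."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class TokenServiceProvider:
    """Minimal model of a TSP: registers token requestors and keeps the token vault."""

    def __init__(self, token_bin: str = TOKEN_BIN) -> None:
        self.token_bin = token_bin
        self._requestors: Set[str] = set()
        # token -> PAN. In a real TSP this is an HSM-backed, access-controlled store;
        # the mapping is the only place the PAN can be recovered from.
        self._vault: Dict[str, str] = {}

    def register_requestor(self, requestor_id: str) -> None:
        self._requestors.add(requestor_id)

    def tokenize(self, requestor_id: str, pan: str) -> str:
        """Issue a format-preserving payment token for pan to a registered requestor."""
        if requestor_id not in self._requestors:
            raise PermissionError(f"{requestor_id} is not a registered token requestor")
        if not is_luhn_valid(pan):
            raise ValueError("PAN failed Luhn check")
        while True:
            # The token body is drawn from a CSPRNG, so nothing about the PAN is derivable from it.
            body = self.token_bin + "".join(secrets.choice("0123456789") for _ in range(9))
            token = body + luhn_check_digit(body)
            if token != pan and token not in self._vault:
                self._vault[token] = pan
                return token

    def detokenize(self, token: str) -> Optional[str]:
        """Map a token back to its PAN; only the TSP/issuer side can do this."""
        return self._vault.get(token)


def demo() -> dict:
    """Walk one card through enrolment: TR requests a token, merchant sees only the token."""
    tsp = TokenServiceProvider()
    tsp.register_requestor("wallet-app")  # hypothetical wallet provider acting as Token Requestor
    token = tsp.tokenize("wallet-app", TEST_PAN)
    return {
        "token": token,
        "merchant_sees": mask_pan(token),          # merchant/acquirer only ever handle the token
        "issuer_recovers": tsp.detokenize(token),  # TSP maps it back for authorization
    }


if __name__ == "__main__":
    print(demo())
```

Running the script prints a fresh token each time, which is the point: because the token is random rather than derived from the PAN, a merchant database full of tokens gives an attacker nothing to work with unless the TSP's vault is also compromised.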
What is the relationship between payment tokens and PCI SSC standards?
PCI SSC standards apply to every element of the process. PCI compliance ensures that the payment token (EMV token) transaction ecosystem is secure and reliable.
Contactless mobile transactions are an essential component of new digital payment technologies. Cell phones, smart watches, laptops, tablets, and wearables have changed the traditional payment method. As a result, it is no longer necessary to carry plastic payment cards whose functionality has been replaced by mobile wallet apps.
For example, one feature on Apple CarPlay’s roadmap is mobile commerce. The new UI will allow developers to add payments to CarPlay so that drivers can purchase fuel at gas stations.
With it, it will be enough to drive to a participating gas station, pull up to a pump and enter the pump number on your phone. So if CarPlay is essential to you, whichever vehicle you are considering, make sure the model has Apple CarPlay capabilities.
In terms of risk, using these devices exposes confidential payment data to a new attack vector. However, tokenization is now part of the fraud-protection arsenal: replacing sensitive data with non-confidential substitutes reduces the value of the card data an attacker could capture, minimizing the impact of a potential attack.
One of the payment brands’ top priorities in supporting the growing use of digital payments is widespread adoption of this tokenization strategy. Integrating security standards such as PCI DSS with the new standard for tokenization service providers (PCI TSP) gives the digital payment ecosystem comprehensive security coverage.
- Apple Pay’s NFC uses EMV. EMV is a standard implemented for payments in both chip and contactless variants.
- The technology that underpins Apple Pay’s security model is tokenization.
- From the consumer’s point of view, Apple Pay is an ideal way to transact with a merchant as it protects the consumer’s privacy during the transaction.
- During an Apple Pay transaction, the merchant receives only an anonymized one-time code, which simplifies the transaction and makes it secure.
- Apple Pay is the only NFC implementation of these technologies, and it does not use P2PE. It is simply the digital equivalent of the physical card. P2PE must be enabled in the terminal to be used.
- By default, EMV transmits as routing information some data that PCI DSS considers sensitive. With this application, EMV tokens are what travel through the system, but that data also needs to be protected just like a PAN. In a regular EMV (chip) transaction, the PAN is sent in the clear. To handle this, you should deploy P2PE in the terminal.
How Can You Stay PCI Compliant by Accepting Mobile Payments?
Near Field Communication (NFC) technology has increasingly been integrated into mobile devices in recent years, and examples of mobile contactless payments continue to grow as more retailers accept mobile payments in-store.
However, with new financial technologies come new ways for attackers to potentially defraud both businesses and consumers.
It’s clear that the technology that allows us to pay with our phones is a significant advancement, and mobile payments are a testament to the convenience culture we now live in. However, security should not be compromised for convenience regarding a person’s financial information.
Android Pay, Apple Pay, and Samsung Pay all appear very secure. The Security and Privacy Overview on Apple’s website tells you precisely who sees your information, where your data goes, and what Apple does to protect it at each stage; Apple Pay also lets users verify each purchase with a fingerprint. Samsung Pay requires fingerprint or PIN verification.
However, these encryption protocols can be circumvented given the right set of information and conditions, which means malicious actors can still scam mobile payment app users.
For example, one reason NFC technology is praised as safe is that its reading range is only a few centimeters, so it should be obvious when someone is trying to intercept communication between a phone and a Point of Sale (POS) terminal, because their device would need to be right next to both.
However, studies show that the reading range can be extended to up to 80 cm using inconspicuous equipment. Retailers must therefore be on the lookout for people displaying suspicious behavior with devices in their stores.
Additionally, while the payment apps themselves are very secure, the NFC chip that makes them possible is a different matter. It is also worth highlighting that contactless cards are vulnerable to fraud because they do not require cardholder authentication to complete a transaction.
However, Apple, Google, and Samsung have authentication steps such as fingerprint recognition or PIN code in Apple Pay, Google Wallet, and Samsung Pay, respectively, to authorize the transaction.
Therefore, someone who has stolen a contactless card may spend with it until it is reported stolen. If they steal someone’s phone, however, they are blocked by the fingerprint scanner or PIN code required during the authentication phase and cannot buy anything with it.
Also, failing to complete a transaction with a device linked to its rightful owner should alert the retailer that something is wrong, hopefully leading to contacting the police.
Given that mobile payment apps use the same technology, it’s not yet clear whether criminals will find a way to bypass the authentication processes and security measures put in place by Apple, Google, and Samsung.
Mobile payments will be the future of next-generation payment systems. Therefore, it makes sense for retailers to offer customers the ability to pay from a mobile device. However, retailers also need to ensure that these payments remain secure.
While Apple, Google, and Samsung appear to secure their devices and payment apps, it’s up to retailers to make sure they’re doing everything they can to secure in-store payments and comply with PCI standards.