The situation couldn’t have been much more choice for cybercriminals and the fraudsters they supported.  Billions of transactions were facilitated by payment data that would at some point be transmitted across systems under the control of organizations with strict cybersecurity policies and strong controls, where it was practically untouchable, but that would often also cross unsecured systems accessible from anywhere.  And that data was mostly transmitted in the clear, meaning it could immediately be read by anyone in the same form in which it was used.  It was inevitable that millions of cards would be breached and that fraud would ensue.  The year was 2016. 

But is it fair to be all “Doom and Gloom”?  Despite the bleak present-day picture painted above, things are changing for the better.  

It is true that EMV will make breached card-present data less useful and the targets less appealing, but EMV was introduced more than two decades ago and only found footing in the US after “data breaches” became part of the common vernacular.  And EMV ubiquity is still at least four years away.  

Encryption, a fixture of e-commerce, will grow more popular at the point-of-sale thanks to EMV and the reterminalization it necessitates.  Yet encryption is not a new technology – IBM introduced the world to Lucifer, which would become the Data Encryption Standard or DES (the precursor to the now ubiquitous-in-payment-terminals 3DES), in 1976.  

Card breaches have become far too common because payment security was rarely a top priority outside of the financial industry.  So instead of relying on the same old parties to move the needle and secure mobile payments, issuer tokenization was introduced without the need for their buy-in.  Issuer tokenization is the culmination of decades of data obfuscation approaches and a desire by the card brands (and the technology company that shall not be named) to get a new type of card-powered payment solution started off on the right foot.  Other mobile payment solutions were soon to follow, but the market is still in its early days.  See Evolution of Tokenization in a Mobile Payments Environment for a better sense of just how early.

Not to mention that whole Internet of Things phenomenon that is expected to facilitate countless microtransactions from Dash buttons and connected refrigerators the world over, which could also benefit from issuer tokenization.  We all have those, right?

(And don’t forget Bitcoin: It doesn’t hurt that cryptocurrency burst onto the scene to motivate further evolution in payment security, either.) 

Yes, payment security is changing for the better, but is it the “beginning of the end” for card breaches?  It is, just so long as we’re patient, because things like this can take a while. 

Author

About Al Pascual

An accomplished industry analyst, market researcher, and financial industry practitioner, Al Pascual is Javelin’s Research Director and Head of Fraud & Security. As Research Director, Al leads Javelin’s Advisory Services and Custom Research businesses. He oversees growth of these businesses while ensuring that Javelin’s research content meets quality standards and provides the innovative perspectives that clients expect from the firm.

As Head of Fraud & Security, Al provides clients actionable insights on a variety of fraud and security issues, acts as a partner in developing strategies for managing risk, and identifies and raises awareness of future threats and solutions. Al researches a range of topics, including the applicability of biometrics in banking and payments, the effect of data breaches on the integrity of consumer identities, the relationship between identity fraud and loyalty, and the best methods for securing payment data and transactions.

Al has presented findings from Javelin’s rigorous, industry-leading research at conferences around the world, including BAI, CARTES, Money20/20, NACHA, and RSA. Al has provided commentary on fraud and security issues to American Banker, Bloomberg, CNNMoney, Fox Business, Reuters, The New York Times, The Wall Street Journal, The Washington Post, and Wired.

Previously Al held risk management roles at HSBC, Goldman Sachs, and FIS. He is a member of the Association of Certified Fraud Examiners, the International Association of Financial Crimes Investigators, and the Federal Reserve Secure Payments Task Force. Al also serves on the board of advisers to the Information Security Media Group. He earned a Bachelor of Arts degree in History from the University of South Florida.
