The situation couldn’t have been much more choice for cybercriminals and the fraudsters they supported. Billions of transactions were facilitated by payment data that would at some point be transmitted across systems under the control of organizations with strict cybersecurity policies and strong controls, where it was practically untouchable, but that would also often cross unsecured systems accessible from anywhere. And that data was mostly transmitted in the clear, meaning it could immediately be read by anyone in the same form in which it was used. It was inevitable that millions of cards would be breached and that fraud would ensue. The year was 2016.
But is it fair to be all “Doom and Gloom”? Despite the bleak present-day picture painted above, things are changing for the better.
It is true that EMV will make breached card-present data less useful and the targets less appealing, but EMV was introduced more than two decades ago and only found footing in the US after “data breaches” became part of the common vernacular. And EMV ubiquity is still at least four years away.
Encryption, a fixture of e-commerce, will grow more popular at the point-of-sale thanks to EMV and the reterminalization it necessitates. Yet encryption is not a new technology – IBM introduced the world to Lucifer, which would become the Data Encryption Standard or DES (the precursor to the now ubiquitous-in-payment-terminals 3DES) in 1976.
Card breaches have become far too common because payment security was rarely a top priority outside of the financial industry. So instead of relying on the same old parties to move the needle and secure mobile payments, issuer tokenization was introduced without the need for their buy-in. Issuer tokenization is the culmination of decades of data obfuscation approaches and a desire by the card brands (and the technology company that shall not be named) to get a new type of card-powered payment solution started off on the right foot. Other mobile payment solutions were soon to follow, but the market is still in its early days. See Evolution of Tokenization in a Mobile Payments Environment for a better sense of just how early.
Not to mention that whole Internet of Things phenomenon that is expected to facilitate countless microtransactions from Dash buttons and connected refrigerators the world over, which could also benefit from issuer tokenization. We all have those, right?
(And don’t forget Bitcoin: It doesn’t hurt that cryptocurrency burst onto the scene to motivate further evolution in payment security, either.)
Yes, payment security is changing for the better, but is it the “beginning of the end” for card breaches? It is, just so long as we’re patient, because things like this can take a while.