EMVCo was formed in the early 1990s and for many years concentrated, almost exclusively, on developing the detailed specifications for chip-based payment cards, frequently referred to as EMV cards. In a similar way to PCI SSC branching out beyond PCI DSS (which I covered in an earlier blog), EMVCo now spends much more of its time and effort creating other, non-card specifications to support a wide range of emerging digital payment methods: these cover areas where fraud is expected to grow rapidly if preventative action is not taken.
Chip cards proving successful at reducing fraud at physical point-of-sale
Before we get too carried away with new types of digital or mobile payments, it is worth noting that payments made using chip cards in a face-to-face environment are still increasing year-on-year. Looking at some of the statistics quoted in a recent EMVCo press release, it is evident that:
- More than 50% of all cards issued globally are based on EMV chip technology;
- The past 12 months saw an additional one billion EMV cards in circulation worldwide, bringing the total to 7.1 billion; and,
- The percentage of card-present transactions using EMV cards increased from 52.4% in 2016 to 63.7% in 2017.
The primary security purpose of the EMV chip is to make counterfeiting of cards practically infeasible for fraudsters. Every country that has adopted the technology to date has seen significant reductions in this type of fraud. The downside is that fraudsters then change their tactics and try to exploit other areas where security weaknesses are evident. Just about every payment analyst talks about the migration of fraud from face-to-face to digital or online channels, which is currently the fraud hotspot for the industry to tackle. You may wish to view an excellent summary of this topic from 451 Research.
Big focus on security specifications aimed at tackling online fraud
EMVCo is still working on enhancements to its core EMV chip specifications. The 'next generation' specifications are expected to deliver greater levels of security while simplifying adoption and certification, and ensuring the necessary global interoperability for a wide range of payment instruments that are no longer just cards. However, one of the short-term challenges for EMVCo is to evolve other specifications to provide the necessary secure and interoperable foundation for remote payment environments.
Over the past two to three years, we have witnessed a ramp-up in EMVCo's activities relating to the next generation of 3-D Secure and payment tokenisation. The former is designed to strengthen security and remove friction in the consumer authentication part of an online transaction, whereas the latter is designed to provide isolation between payment channels so that cardholder data captured fraudulently in one channel is of little value elsewhere. Both solutions are expected to be important elements in one of the more recently announced EMVCo initiatives, Secure Remote Commerce (SRC), which aims to protect and exchange card data in a consistent and secure manner in a remote commerce environment. Stated simply, this could ultimately mean a ubiquitous 'buy' button on merchant websites or apps that has a consistent look and feel, analogous to the well-known 'one click' Amazon experience. To achieve this, EMVCo will need to leverage its considerable security and interoperability knowledge. Based on press statements from Visa and Mastercard, there is considerable momentum building behind the SRC concept to make it a reality. The days of manually entering payment card details into numerous web sites could be coming to an end. EMVCo is no doubt working hard in conjunction with the payment brands to get the merchant community on board. This is notable given that previous attempts at securing online commerce, such as the first version of 3-D Secure, achieved only partial success in a few countries.
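To illustrate the channel-isolation idea behind payment tokenisation, here is an added example (not code from the original post, and not an implementation of any EMVCo specification): a toy token vault that binds each surrogate token to one requesting channel, pairs it with per-transaction dynamic data, and rejects the token when it is presented from any other channel or with altered transaction data. The PAN, channel names and amounts are constructed sample values.

```python
import hashlib
import hmac
import secrets


def build_cryptogram(token_key, token, domain, amount, nonce):
    """Dynamic data the token requestor sends with each transaction (HMAC, not a static PAN)."""
    msg = f"{token}|{domain}|{amount}|{nonce}".encode()
    return hmac.new(token_key, msg, hashlib.sha256).hexdigest()


class TokenVault:
    """Toy token service provider: maps a PAN to channel-bound tokens and validates their use."""

    def __init__(self):
        self._tokens = {}       # token -> (pan, bound domain, per-token key)
        self._used_nonces = set()  # (token, nonce) pairs already accepted, to stop replay

    def tokenise(self, pan, domain):
        """Issue a random token restricted to one domain (e.g. one merchant app) plus its key."""
        # Token keeps a card-number-like shape but is random: the PAN cannot be derived from it.
        token = "99" + "".join(str(secrets.randbelow(10)) for _ in range(14))
        token_key = secrets.token_bytes(32)
        self._tokens[token] = (pan, domain, token_key)
        return token, token_key

    def detokenise(self, token, domain, amount, nonce, tag):
        """Return the PAN only if token, domain, cryptogram and nonce all check out, else None."""
        entry = self._tokens.get(token)
        if entry is None:
            return None                      # unknown token
        pan, bound_domain, token_key = entry
        if bound_domain != domain:
            return None                      # token captured in one channel is useless in another
        expected = build_cryptogram(token_key, token, domain, amount, nonce)
        if not hmac.compare_digest(expected, tag):
            return None                      # tampered amount/domain or forged cryptogram
        if (token, nonce) in self._used_nonces:
            return None                      # replay of an already-accepted transaction
        self._used_nonces.add((token, nonce))
        return pan
```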
SRC could become a significant game-changer for the payments industry if it delivers on its core stated security objectives, paraphrased as follows:
- Leveraging the security knowledge gained from physical POS transactions to support transactions initiated by applications and browsers on mobile phones, tablets, desktop computers and Internet-connected devices;
- Defining a consistent approach to enable the secure transmission and interaction of payment card data among participants; and,
- Enhancing the security of remote commerce websites and applications through the introduction of dynamic data to enable the secure transmission of payment and checkout information.
Thales will be reviewing the more detailed SRC technical specifications later this year (when they become available) and working with its technology partners to ensure that merchants and service providers have early access to the resulting security solutions.
Significant industry collaboration
EMVCo has changed significantly from its early days, when the first generation of the EMV specifications was developed largely behind closed doors by Europay (which would later become part of Mastercard) together with Mastercard and Visa. Over the past 10 years the organisation has expanded to include the other major global payment brands (American Express, Discover, JCB and UnionPay) and has invited the broader payments community to participate in its Business and Technical Associate programs. It is significant that EMVCo has also forged strong partnerships with other leading industry bodies such as PCI SSC, GlobalPlatform, NFC Forum and GSMA: collaboration is key in the pursuit of both stronger security and global interoperability.
Thales eSecurity is a Technical Associate within the EMVCo Associates program and contributes ideas and feedback on the latest EMVCo specifications.
Please visit our website to learn how our payShield payment HSM family continues to evolve to address the growing security threats in the payments world, especially those associated with digital payments.