Could these new developments have helped avoid the Target compromise?
By Michelle Thornton
Perhaps the most common security question asked about Apple Pay’s tokenization technology and EMV (“chip”) cards is whether they could have prevented the Target breach, the first anniversary of which the industry just marked during the 2014 holiday shopping season. The short answer is no, but let’s look at what these security technologies can do. EMV—which secures card-based transactions, using a specialized computer chip housed right in the plastic—couldn’t have prevented the breach itself. But it could have prevented compromised numbers from being used to create counterfeit cards. EMV cards are difficult to reproduce, so fraudsters typically don’t attempt it. Tokenization—which removes the credit card number from an online, mobile or contactless point-of-sale transaction and replaces it with a randomly generated number--couldn’t have prevented the breach, either. But any tokenized numbers would have been worthless to the fraudsters. Tokenized numbers (at least in Apple Pay) are tied to a specific device (aka phone). So if the fraudsters got the number and tried to use it, the transaction would fail because the unique elements of that device would not be present in the transaction. Behind the scenes, the cryptography used in tokenization would know that this transaction was not initiated from the correct device. Result? Worthless to the thief; card number still protected. In all, these technologies can’t prevent security compromises at major retailers. But they can prevent additional fraud being perpetrated with card numbers exposed by a breach.
Michelle Thornton is manager of core products for CO-OP Financial Services, a credit union service organization and CUES Supplier member based in Rancho Cucamonga, Calif. Reach her at 800.782.9042, ext. 6162. CUES and Best Innovation Group are partnering to bring the industry Apple Pay, MCX & Beyond: Your Mobile Pay Strategy, Jan. 15 in Dallas. Read a previous CUES Skybox post by Thornton about why CUs need both Apple Pay and EMV.
