The Double-Edged Sword of Tokenization and EMV Smartcard Adoption to the Banking Community

It seems everywhere you look these days another major company falls victim to a massive data breach.  We all know about the Target breach, but other notables include The Home Depot, Apple, Sony, the US Postal Service, and Citibank and JP Morgan Chase, two of the largest financial institutions in the world.  The Privacy Rights Clearinghouse reports that in 2014 alone, over 250 breaches have been made public involving tens of millions of sensitive personal records.  (The Sony breach alone involved more than 100 million records, most of which were e-mail addresses.)

In the wake of such high-profile security vulnerabilities, migrating the U.S. payment systems to the Europay MasterCard Visa (EMV) smartcard standard, and the somewhat competing push to adopt tokenization, have recently received significant attention from key players in the payment industry and from lawmakers.  Credit and debit card security also instantly became a high-profile issue for consumers, banks and merchants alike.  Moreover, even though customer protection and security are at the top of the priority list for most banks and merchants, the charge by the world’s largest banks for broad adoption in the U.S. of such payment card technologies will result in a disproportionate negative impact on small businesses and, primarily, community banks.

Cards based on the EMV standard utilize embedded microprocessor technology instead of the traditional magnetic stripe to store cardholder data.  EMV cards are considered next to impossible to clone for fraudulent purposes.  Most of the world has been using EMV technology for many years, but the U.S. has been slow to adopt it.  However, the breaches at Target and many others have led to loud calls to adopt the standard.  MasterCard and Visa have said they want merchants and banks to be ready to start accepting EMV cards by October 2015, and have stated that the liability for any fraud that occurs at point-of-sale (POS) terminals will shift either to the merchant or the card-issuing bank after that date.  (Jaikumar Vijayan, 5 issues that could hamper EMV smartcard adoption in the U.S., Computerworld, Feb. 11, 2014).

The problem is that transitioning to EMV will be difficult and expensive.  POS systems that read EMV cards cost hundreds of dollars each.  And U.S. merchants will need to replace or upgrade millions of these POS systems across the country.  And the card-issuing banks will be forced to spend millions of dollars to upgrade and enhance their networks and internal systems to be prepared for EMV PIN debit and credit transactions.  (Id.)

Moreover, there are inherent shortcomings in the EMV system.  EMV is very effective in securing card transactions at POS terminals.  However, it is much less useful for online payments and other payment transactions where the physical card is not being swiped; and payment card fraud is following the trend away from POS systems and toward online forums.  Accordingly, the world’s largest banks are also pushing for broad adoption in the U.S. of additional payment card technology called tokenization (whereby the cardholder’s primary account number is substituted with a unique randomly generated sequence of numbers known as a “token”) to enhance the security of EMV cards in e-commerce payment situations.  (Jaikumar Vijayan, Banks push for tokenization standard to secure credit card payments, Computerworld, Feb. 12, 2014).

Used in combination, EMV cards with tokenization are vastly more secure against payment fraud than the traditional magnetic stripe cards.  However, this added layer of technology is another layer of expense, as the card-issuing banks will be required to store cardholders’ primary account number data, generate tokens, and keep track of them through the entire transaction process.  Most banks, particularly local community banks with limited resources and modest in-house IT capacities, will need to pay third-party vendors to manage the token and decryption key process.

Apart from the technology upgrade costs, the adoption of EMV and tokenization presents potentially substantial liability and legal costs for banks.  According to MasterCard’s and Visa’s implementation mandates, after October 15, 2015, if the merchant’s POS systems are EMV compliant, but the card-issuing bank’s cards are not EMV, the bank will be liable for the cost of fraudulent transactions connected with those cards.  And legal challenges will certainly ensue as banks and merchants debate over which one has ultimate responsibility for fraudulent charges as a result of alleged non-compliant payment technology.

However, in the present reality of almost daily reports of data breaches, banks are presented with a unique opportunity, especially banks which prioritize trust and relationship-building as part of their core business philosophy.  There is no debate that EMV and tokenization are far superior technologies to the present magnetic stripe credit and debit cards for securing the cardholders’ personal information and guarding against fraudulent POS and e-commerce transactions.  And there is a lot of attention and effort by organizations like The Clearing House Payments Company going into developing standards for tokenization and EMV smartcard implementation for the U.S. payment industry.  By implementing these technological improvements, banks can position themselves on the crest of this wave and be at the forefront of secured payment technologies, and become vanguards in their respective communities for protecting their customers’ financial information and garnering a new generation of trust and good will.

– Jack Atnip, III is a banking and commercial lawyer with Hellmuth & Johnson, PLLC, and David Hellmuth is a founding partner and member of the Banking and Finance practice group.