Saturday, December 13, 2014

Tokenization Tussle




What do tokens, or digital replacements for sensitive payment account information, particularly the primary payment card number (PAN), have in common with interchange and other fees linked to credit and debit cards?

Easy: Tokens, like transaction pricing, have become a battleground between competing interests in the payments industry.

For example, models under development include those from EMVCo, which is controlled by the major payment card networks, and The Clearing House, which is controlled by banks. Other proposals have come from the PCI Security Standards Council and the Accredited Standards Committee X9.

While there are plenty of technical matters to be settled, one of the hottest issues under debate is the use of static and dynamic tokens. Static tokens are easier to implement, but dynamic, or one-time-use tokens, offer even more security because they change with each transaction.

Meanwhile, some payments executives fear Visa and MasterCard are using closed token standards to extend the domination they enjoy in the magnetic-stripe card world into the emerging realms of Europay-MasterCard-Visa (EMV) chip cards and mobile payments. Others worry that separate groups are developing standards without enough back-and-forth among prospective token users and token originators.

In late July, several major merchant trade groups called for an open approach to tokenization, as did the Secure Remote Payments Council (SRPc), which represents debit networks.

The Mobile Payments Industry Workgroup (MPIW), a group formed under the auspices of the Federal Reserve banks of Boston and Atlanta and which includes payments executives, also urged the industry to find common ground on tokenization.

The 10 biggest issues in e-payments

  1. The Tokenization Tussle
  2. Can Apple Revive Mobile Wallets’ Sagging Prospects?
  3. Choking on Operation Choke Point
  4. Will Anything Stop Data Breaches?
  5. EMV’s Race Against the Clock
  6. Meet the Value-Added Reseller
  7. Look Who’s Coming to the Point of Sale
  8. If at First You Don’t Succeed…
  9. The Real Issues Surrounding Virtual Currencies
  10. The Painful Sales Adjustment

Sunday, October 19, 2014

How to have a successful Banking Transformation Project?


Some thoughts on how to succeed in a Core Banking Transformation Project.




Vendor – Once implemented, a core typically stays in place for a long time. It provides a primary support function to any financial institution, so select a vendor like you would select a wife or partner….for the long term :). Good relationship, understanding of each other's business, ability to work through issues (as they will arise), trust and a clear, well-defined agreement. It must be win-win to be a partnership.

System – Select a system that has a good fit for your current and future needs – the core is a moving, growing system – over time new channels, products, and customers will emerge and the system has to be scalable and flexible enough to change, adapt and accommodate new requirements. No point selecting a system that matches today’s need spot on, that is impossible/expensive to adapt later. There will be change…

Scope - Keep the scope well defined. Having an agreed and proven approach to project change management will ensure the impact of change requests are understood and dealt with appropriately.

Leadership – The Executive team of the bank must understand that this is not a side-project. Don’t underestimate the effort required – it is surprising how many tenders come out with ‘explain how it will be a seamless transition’ – organisational change management is key – recognise that this is the opportunity to change outdated work practices, embrace new work methods, and tighten control – it will need drive from the top. The change of core is a test of leadership – it’s why many try to avoid this …

Processes – Use an industry-standard process reference model – and try and work out why you are not doing your process that way. Many BIAN members (http://www.bian.org ) process millions of actions using a standard process – and there probably is a good reason – work it out, don’t surrender to “the way we do it”

Look – Try and make sure the new system looks ‘better’ than the old one – chances are the green screen or winapp looked ‘old’ or ‘clunky’ to users – spend a little on the look to make people feel it is modern and nice. They are used to the Web 2.0 – at least make it look like it was designed this century…

Training – Ensure that all users receive sufficient training – get buy-in from staff – pick at least 5 things that really grate in the current system and solve them with the new one (regardless of whether they have to be developed). Be wary of the parallel run – if not well managed it just delays the moment they realize they have to use the new system – test the users in the dry run leading up to conversion.

Project – There must be a project sponsor who is willing and capable of driving the project through internal roadblocks – and it helps if they represent a key profit center. Have a project team with representation from the whole business. They need to be supported by HR/Training, change/comms, finance/contract and process engineers – not just capable technical and business staff. If need be, support this with skilled external consultants with directly relevant experience – but recognize that those paid by the day have a conflict of priorities…


Commercial terms – Plan well with your vendor/partner and expect the unexpected. Ensure you have sufficient budget and appropriate commercial terms to see the project through to completion.


Actually, the points above apply to all projects, but a few of them are more specific to a Banking Transformation project.

Wednesday, October 01, 2014

Difference between Tokenization and Encryption

What is the difference between tokenization and encryption?

A lot of the time, encryption and tokenization are being used interchangeably to describe the process of protecting data stored in the cloud. Although they both essentially have the same function, they are different processes and have different effects on the data they are protecting.

Tokenization

Tokenization substitutes a value with a random 'token' value. Each individual value has its own token assigned, so no matter when that value is inserted, the same token will appear. The token values are then stored in the cloud.
To retrieve the original value, the token value is pulled from the cloud through the company's firewall where de-tokenization takes place. A dictionary of tokens is stored behind the firewall to replace the token value with the original value.

Encryption

Encrypted data obscures the value using an approved encryption algorithm. To reveal the original value, the user needs a secret key. This makes it impossible to reveal the true value to any unauthorized user.
There are many different ways to encrypt data, including private keys, public keys, SSL, and TLS. The encrypted data is then stored in the cloud. As the data is pulled from the cloud, the user can access the true data if they can access the secret key to decipher the data.

Tuesday, September 30, 2014

What is Payment Tokenisation?

Tokenisation, when applied to data security, is the process of substituting a sensitive data element with a non-sensitive equivalent, referred to as a token, that has no extrinsic or exploitable meaning or value.

The token is a reference (i.e. identifier) that maps back to the sensitive data through a tokenisation system. The mapping from original data to a token uses methods which render tokens infeasible to reverse in the absence of the Tokenisation system, for example using tokens created from random numbers.

The Tokenisation system must be secured and validated using security best practices applicable to

- Sensitive data protection,
- Secure storage,
- Audit,
- Authentication &
- Authorization.

The Tokenisation system provides data processing applications with the authority and interfaces to request tokens, or detokenize back to sensitive data.

Tokenisation in Payments

Tokenisation is the process of replacing sensitive data with surrogate values that remove risk but preserve value to the business. In other words, a traditional primary account number (PAN) is replaced by unique identification symbols to create a ‘token’.

To tokenise a payment transaction, the PAN is sent to a centralised and highly secure server called a ‘vault’ where it is stored in a PCI-compliant environment provided by a payment service provider (such as a payment system). Immediately after authorisation from the card issuer, a unique token number (with its expiration date) is generated and returned to the merchant’s systems for use instead of the PAN.


While payment tokens are reversible and can be ‘mapped’ back to the traditional PAN by authorised parties, this is a highly complex process. The token is therefore meaningless to anyone who gained malicious and unauthorised access to the data.


How are tokens used?

A token is generated for one time use within a given and pre-defined environment, such as to purchase goods from an online retailer. In most circumstances, it will perform just like the original PAN for business functions such as returns, sales reports, marketing analysis, recurring payments etc. It cannot, however, be used to conduct a transaction outside of that merchant’s environment.
The data only has meaning within the pre-defined environment for which it was created.
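As an added example (not part of the original post or of any product it mentions), the following Python sketch models the token lifecycle described in the last two sections and, by contrast, the one-token-per-value dictionary of the earlier "Difference between Tokenization and Encryption" post: the PAN stays inside the vault, the token is drawn from a CSPRNG rather than derived from the PAN, keeps only the PAN's length and last four digits, is bound to one merchant environment, expires, and can be reversed once and only by an authorised party. The merchant and requester names, the 15-minute lifetime, the Luhn-failing token design and the test PAN 4111111111111111 are constructed assumptions.

```python
"""Toy payment token vault (constructed example, not a production system)."""
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


class TokenError(Exception):
    """Raised when a token cannot be issued, used or reversed."""


@dataclass
class TokenRecord:
    pan: str              # sensitive value, held only inside the vault
    merchant_id: str      # environment the token is bound to (assumed identifier)
    expires_at: datetime  # token expiry, as described on the page
    used: bool = False    # one-time use: set on the first detokenisation


def luhn_valid(number: str) -> bool:
    """Luhn check that real PANs satisfy (double every second digit from the right)."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Issues random surrogate tokens and reverses them for authorised callers."""

    def __init__(self, authorised_detokenisers, ttl=timedelta(minutes=15)):
        self._records = {}                  # token -> TokenRecord
        self._authorised = set(authorised_detokenisers)
        self._ttl = ttl                     # assumed token lifetime

    def tokenise(self, pan, merchant_id, now=None):
        """Store the PAN; return a same-length token keeping only the last four digits."""
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise TokenError("not a well-formed PAN")
        now = now or datetime.now(timezone.utc)
        while True:
            # CSPRNG digits, not a function of the PAN: infeasible to reverse without the vault.
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # A token that fails Luhn can never be mistaken for (or equal) a live PAN.
            if not luhn_valid(token) and token not in self._records:
                break
        self._records[token] = TokenRecord(pan, merchant_id, now + self._ttl)
        return token

    def detokenise(self, token, merchant_id, requester, now=None):
        """Return the PAN once, to an authorised requester, inside the issuing environment, before expiry."""
        if requester not in self._authorised:
            raise TokenError("requester is not authorised to detokenise")
        rec = self._records.get(token)
        if rec is None:
            raise TokenError("unknown token")
        if rec.merchant_id != merchant_id:
            raise TokenError("token is bound to a different merchant environment")
        now = now or datetime.now(timezone.utc)
        if now >= rec.expires_at:
            raise TokenError("token has expired")
        if rec.used:
            raise TokenError("token has already been used")
        rec.used = True
        return rec.pan


def attempt(vault, *args, **kwargs):
    """'ok' if detokenisation succeeded, otherwise the vault's refusal reason."""
    try:
        vault.detokenise(*args, **kwargs)
        return "ok"
    except TokenError as exc:
        return str(exc)


def demo():
    """Walk a constructed test PAN through the lifecycle the page describes."""
    pan = "4111111111111111"                  # constructed test PAN
    t0 = datetime(2014, 9, 30, 12, 0, tzinfo=timezone.utc)
    vault = TokenVault(authorised_detokenisers={"acquirer-gateway"})
    token = vault.tokenise(pan, "shop-A", now=t0)
    later = vault.tokenise(pan, "shop-A", now=t0)  # second token, used for the expiry case
    return {
        "token_differs_from_pan": token != pan,
        "same_length": len(token) == len(pan),
        "last4_kept": token[-4:] == pan[-4:],
        "fails_luhn": not luhn_valid(token),
        "two_tokens_differ": token != later,      # random, unlike the one-token-per-value dictionary
        "wrong_merchant": attempt(vault, token, "shop-B", "acquirer-gateway", now=t0),
        "unauthorised": attempt(vault, token, "shop-A", "merchant-app", now=t0),
        "first_use": attempt(vault, token, "shop-A", "acquirer-gateway", now=t0),
        "second_use": attempt(vault, token, "shop-A", "acquirer-gateway", now=t0),
        "expired": attempt(vault, later, "shop-A", "acquirer-gateway",
                           now=t0 + timedelta(hours=1)),
    }
```

Running `demo()` shows each refusal reason in turn; the only successful reversal is the first authorised use inside the issuing merchant's environment.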

What is the aim of tokenisation?

The process removes traditional PAN information from environments where data can be vulnerable and, if stolen, used for illegal purposes. Tokenisation completely and quickly disconnects the real PAN and replaces it with a token, while maintaining backwards compatibility with existing business processes.
For this reason, tokenisation offers a real alternative payment solution that could significantly reduce fraudulent activities. In this way, tokenisation can retain all the essential customer data without compromising its security.

So, what is new?


The standardisation of payment tokenisation systems will promote credibility of this payment solution and encourage market interoperability. The framework provides different models and potential flows for several identified tokenisation scenarios, enabling suppliers to map existing solutions against these and develop new ones ready to meet new token service provider needs.

PCI Standards

PCI standards do not allow credit card numbers to be stored on a retailer’s point-of-sale (POS) terminal or in its databases after a transaction. To be PCI compliant, merchants must install expensive end-to-end encryption systems or outsource their payment processing to a service provider who supplies a tokenisation facility. The service provider then handles the issuance of the token value and bears the responsibility for keeping the cardholder data locked down, for which they require industry proven secure solutions.

With software now available in the payments market, banks and merchants can also become their own in-house service provider, managing their own mobile and e-commerce EMV payment solutions, including tokenisation.

Sunday, September 14, 2014

Parties Involved in the Dutch (Netherlands) Payments System

The payment system plays a pivotal role in the Dutch economy.

Millions of payments are processed each day, by debit card and giro, both nationally and internationally. 

Different payment methods and rules exist in the Dutch and international payment systems. The payment market features many parties, each making stringent demands with regard to the quality of daily payments. It is a market that benefits from continuous innovation of products and services.

The Payments Association organizes the collective tasks in the national payment system for its members. Within its role, the Payments Association consults with numerous parties on behalf of its members. These parties include enterprise and consumer umbrella organizations, social interest groups, parties involved in infrastructure, brand owners and regulators.

Supply side

The members of the Payments Association are providers in the payment system. They are payment services providers that offer end products on the market (to both businesses and private individuals) independently. In other words: banks, electronic money institutions and payment institutions. The Payments Association works closely with its members and consults with them regularly on developments and activities.

Demand side

The demand side includes the end users of payment services, both business owners and consumers. The Payments Association is committed to actively involving representatives of end users in its activities. In this way, the Payments Association fulfils its social role in the payment system.

Legislation and supervision

The payment system must comply with various laws and rules, both nationally and internationally. The Payments Association consequently deals with government authorities such as the Ministry of Finance, regulatory bodies such as the Dutch Central Bank (Nederlandsche Bank, DNB) and the Netherlands Competition Authority (Nederlandse Mededingingsautoriteit, NMa), the European Commission and other organisations that monitor legislation and regulations.

Regulations and standards

Regulations concerning payment products are necessary in order to clarify which roles and activities parties in the payment market may carry out for a particular payment product. An example of such a regulation is the stipulation that transaction processors and banks must ensure that a merchant will receive the amount of a PIN transaction in his bank account within 24 hours on business days.
Standards help to enable the different parties and links in the payment chain to work together properly. For example, there is a standard that prescribes how cash register systems and POS terminals are to be linked together to ensure that devices made by different manufacturers can be connected properly. There are also standards for giro-based transactions.
The Payments Association keeps track of national and international rules and standards that are relevant to its members and stakeholders, provides detailed information on how those rules and standards can be applied and helps its members to develop their own rules and standards.

Infrastructure

The processing of electronic and giro-based payments requires hardware, software, communication links and communication networks. Parties involved in this include: document processors, debit card suppliers, transaction processors, data communication providers, POS terminal suppliers, cash register suppliers and software suppliers. The Payments Association administers rules and requirements for these parties in the payment system and certifies hardware such as POS terminals and data communication lines. It also monitors compliance with rules and agreements in order to ensure and further improve the security and reliability of the payment system.


Payments Ecosystem - Between Consumers and Merchants






Sunday, August 31, 2014

Mobile Payment Definitions

Mobile Device

Personal device with mobile communication capabilities such as a telecom network connection, Wi-Fi, Bluetooth … which offer connections to the internet. Examples of mobile devices include mobile phones, smart phones, tablets ...

MNO(Mobile Network Operator)



A Mobile phone operator that provides a range of mobile services, potentially including facilitation of NFC services. The MNO ensures connectivity Over the Air (OTA) between the consumer and its PSP using its own or leased network (the latter are sometimes referenced as MVNOs - Mobile Virtual Network Operators).

Mobile Payment Service

Payment service made available by software/hardware through a mobile device.

Merchant

The beneficiary within a mobile payment scheme for payment of goods or services purchased by the consumer/payer.
The merchant is a customer of its PSP.

Digital Wallet

A service accessed through a device (e.g., a PC) which allows the wallet holder to securely access, manage and use a variety of services/applications including payments, identification and non-payment applications. A digital wallet is sometimes also referred to as an e-wallet.

Merchant Wallet

A type of wallet where the payment gateway and the mobile wallet gateway are integrated services at the merchant’s website.


Mobile code

A user verification method used for mobile card payments. It is a code entered via the keyboard of the mobile device to verify the cardholder’s identity as a cardholder verification method.

Credentials

Payment/banking account related data that may include a passcode (mobile code, on-line passcode, etc.) provided by the PSP (issuer) to its customer which is provided via his/her mobile device for identification/authentication purposes in the context of mobile payments.

MCP - Mobile Contactless Payment



A mobile device initiated payment where the cardholder and the merchant (and/or his/her equipment) are in the same location and communicate directly with each other using contactless radio technologies, such as NFC, for data transfer (also known as contactless payments).

TSM - Trusted Service Manager



A trusted third party acting on behalf of the secure element issuers and/or the mobile payment/authentication application issuers in the case where a secure element is involved, or on behalf of the mobile wallet issuers.

MPP - Mobile Proximity Payment

A mobile payment where the communication between the mobile device and the Point of Interaction device takes place through a proximity technology (e.g., NFC, QR code, etc.).

MRP - Mobile Remote Payment

A payment initiated by a mobile device whereby the transaction is conducted over a mobile telecommunication network (e.g., GSM, mobile internet, etc.) and which can be made independently from the payer’s location (and/or his/her equipment).

NFC - Near Field Communication



A contactless protocol specified by ISO/IEC 18092.

Payment Gateway

A service operated by a beneficiary’s PSP or a trusted third party that manages the authorisation of payments for merchants.
It facilitates the transfer of information between the payment portal (such as a website or mobile device) and the beneficiary’s PSP.

Payment Scheme

A technical and commercial arrangement set up to serve one or more payment systems and which provides the organisational, legal and operational framework rules necessary for the payment services marketed (e.g. card scheme, e-payment scheme, …).

MPOS

The usage of a (consumer) mobile device to facilitate payments and enable acceptance of payment instruments.

Mobile Wallet Issuer

The service provider that issues mobile wallet functionalities to the customer (consumer or merchant).

Mobile Wallet Passcode

A code entered by the consumer/payer via his/her mobile device that may be required to activate a mobile wallet.


Mobile Wallet Gateway

A service operated by the mobile wallet issuer or a trusted third party acting on its behalf, which establishes for mobile transactions a link between the consumer/payer and its mobile wallet and between the mobile wallet and the payment gateways.
During the payment transaction, it allows the payment gateway to receive authentication data directly from the mobile wallet.
For life cycle management, it establishes a link between the mobile wallet and the mobile wallet issuer to download credentials, payment and/or authentication applications from the PSP.

Mobile Payments Will Make Credit and ATM Cards Almost Obsolete

This article is by Matthew Friend, managing director of Accenture Payment Services.

Eight-track tapes, rotary phones, videocassette recorders.
Think of outdated technologies and these probably spring to mind.

Will plastic cards eventually join the list? 



Certainly the demise of credit and debit cards isn’t imminent, but they’re going to begin to lose their appeal in a world where transactions can increasingly be done by smartphone.

With payments more and more going mobile, retailers, banks, card companies, phone operators and just about everyone in between are scrambling for position.
Mobile payments will hit $720 billion a year by 2017, up from $235 billion last year, according to the research firm Gartner.

To be sure, many consumers still walk around today with a stack of plastic jammed into their wallets.
Nearly 550 million credit cards and roughly 590 million debit cards are in use in the U.S.

Plastic cards are used for 75 billion transactions a year, worth more than $4.7 trillion. 

That translated to $21.5 billion in collective profits for seven of the largest U.S. credit card issuers last year.

But change is coming, and failure to adapt will carry great risk. For banks, the question boils down to whether they will lead the change or allow rivals to take the payments business away from them. With payments bringing in up to a quarter of banks’ revenues, this is not an idle question.

Payments are a highly contested arena. Google, PayPal, Square, American Express, MasterCard and Visa, among others, have all developed mobile payment platforms.

PayPal is now the number one or two online payment method in a half dozen countries, including the U.S. Starbucks, whose mobile app is the most used digital payment app, gets more than 14% of its U.S. payments through its mobile app, up from 10% a year ago.

And Starbucks captures a third of its revenues through its own loyalty card. 

Wendy’s has announced a new program that allows customers to pay using their smartphones at its 5,800 locations, following a similar announcement by Burger King.

Apple’s shadow also looms large. It is reportedly looking into jumping into mobile payments by deploying its devices and the credit card data of more than half a billion customers to handle how they pay for things online as well as at brick-and-mortar retail stores.

Of course, plastic cards will continue to have a presence in the coming years, that’s why card companies are spending big on digital wallets and social media propositions connected with their plastic. But they must reinvent themselves by developing ways of paying for goods and services that don’t rely on plastic or digital cards.

That’s because consumers expect their smartphones to improve and simplify their lives. They demand greater immediacy and convenience in their day-to-day activities. Increasingly, airline passengers can present electronic boarding passes displayed on their phones. New York and Washington are moving toward electronic fare payment systems for their buses and subways. Using plastic cards online, on the other hand, is arduous, requiring an awkward process of entering 16-digit numbers, addresses, start and end dates, and codes.

Smartphones increasingly act as a remote control for activities ranging from ordering taxis to programming central air conditioning.

Controlling payments from your bank account is the next step. 

Danske Bank’s MobilePay app is an example. 

It allows the Danish bank’s customers to log in with a four-digit PIN, enter the amount and mobile number of the recipient, and send the money like a simple text message. The app can also be used at retailers that have registered. It has more than 1.2 million active users.

The U.S. isn’t as far along. JPMorgan Chase, Citigroup, Bank of America, Wells Fargo, Capital One, and others are building their own mobile payments apps. The next step is to tie into proprietary networks such as clearXchange to enable widespread peer-to-peer payments and real-time business-to-consumer payments.

Banks have an inherent leg up on their new mobile payments competitors, because they own the accounts where customers keep or borrow their money. If they enable those accounts to make payments directly wherever a customer wants, they may be able to retain their dominant role in consumer payments. And despite the reputational damage they suffered from the financial crisis, consumers surveyed by Accenture trust them above any other providers when it comes to handling personal data. That’s another critical advantage.

How can smartphone-based payments be increased? 


More than half of the consumers we surveyed said they were highly likely to pay by phone more often if they could in so doing track receipts, manage personal finances, and show identification or proof of insurance.

They also said they would pay by phone more often if offered instant retailer coupons, reward points, and preferential treatment. 

Since the average U.S. household belongs to 21 loyalty programs, you can see the benefit of consolidating and managing these programs in a single place. Many mobile applications already available, such as CardStar and Key Ring, allow users to store all their loyalty card data on their mobile phones.

At the moment, U.S. payments players are focused on October 2015, when retailers and card issuers that haven’t adopted smart card technology—credit and debit cards embedded with microprocessor chips—will begin to be liable for fraudulent transactions. That technology has long been used in Europe and has helped increase security and reduce fraud there.

The transition to smart cards will be a milestone, but it is still just an interim step. Banks should not lose sight of the real revolution already underway, mobile payments.

For banks, it’s clear that digital payments will not generate the fees they currently derive from plastic card transactions. But they face a bigger threat, losing customers, if they get muscled to the sidelines in the payments business.

Tuesday, January 28, 2014

Next-generation credit cards aren't foolproof - From STAR Tribune


New payment technology will make cards harder for data thieves to hack, but the protection features have holes.

As the United States lumbers toward a new credit card technology to thwart data thieves like the ones who struck Target Corp., payment security experts say the new system is far from foolproof.
The chip-based smart cards, already in use in much of the world, make it much harder to produce counterfeit cards. But the cards are less effective against the widespread and growing threat of bogus online transactions that require only account information.
EMV, as the technology is known, changes the game but won’t prevent all fraud.
“It’s not a panacea,” said Paul Tomasofsky, an electronic payments expert who heads Two Sparrows Consulting in Montvale, N.J.
EMV, which stands for Europay/MasterCard/Visa, is a fairly old approach rooted in experiments to deter fraud with microprocessor chips embedded in payment cards in France in the 1980s. It spread throughout Europe and became a global standard.
But because of the sheer size of the fragmented U.S. payments system, and the huge cost to convert, the United States is one of the last countries in the world to make the change.
There’s general agreement that EMV alone would not have prevented the Target breach, in which thieves accessed data from as many as 110 million customer accounts. But EMV would have reduced the value of the information by making it almost impossible to clone the cards.
That’s EMV’s biggest boast, that it prevents counterfeit card fraud. “It does that spectacularly,” said Jeff Hall, a security consultant in the Twin Cities for Overland, Kan.-based FishNet Security.
However, that’s only part of the challenge. Online fraud that doesn’t require the presence of an actual card now accounts for nearly half of all credit card fraud in the United States, according to Fair Isaac Corp., and studies show that adopting EMV drives crooks to this card-not-present fraud.
EMV has a vulnerability
EMV has a weakness at the point of sale. While data in the card’s memory chip is encrypted when the card isn’t in use, the data is momentarily vulnerable when customers pay.
Proponents of EMV say this isn’t a big flaw because the chip spits out a unique, one-time-only security code to encrypt the data for transmission.
But critics say that if thieves compromise the card terminal or the register at just the right point, they can access the data before transmission, circumvent the one-time security code and get access to the information they want. The bulk of online merchants don’t ask for the 3- or 4-digit security code on a card, Hall said.
There are other security concerns. In the U.S. rollout, banks issuing EMV cards are not required to put a personal identification number, or PIN, on either the debit or credit cards. A PIN, which only the cardholder knows, makes transactions more secure.
More important, magnetic stripes aren’t going away. In an effort to ease the conversion, the new EMV cards will still have magnetic stripes so they will work in stores that lack EMV equipment.
But magnetic stripes are easy to copy and clone. Avivah Litan, a financial services security analyst at Connecticut-based Gartner Research, called the existence of magnetic stripes on EMV cards “a very big security threat.”
U.S. companies are grappling with these issues as the country’s gargantuan payments system undergoes the seismic shift from magnetic stripes to chips. Retailers, banks and myriad other payments players face an October 2015 deadline to be ready.
At that point, Visa, MasterCard, American Express and Discover are shifting the liability for fraud that happens in stores from the card-issuing banks to the merchants, unless the merchant is equipped for EMV.
So problematic is the EMV migration that there are questions about crossing over at all.
“Is it the solution? Honestly, I don’t think it’s ever going to happen,” said J.D. Oder, chief technology officer at Shift4 Corp., a card processing gateway company he co-founded in Las Vegas.
Is EMV worth the bother?
Retailers are understandably concerned that they are spending huge sums to update their card processing equipment for an EMV implementation that has potential security potholes.
“As long as magstripe is around, there will be major breaches, I don’t care how much EMV is out there,” said Mark Horwedel, a former Wal-Mart executive who heads the Merchant Advisory Group, a Minneapolis group working on payments-industry issues. “Visa and MasterCard, in my view, are preoccupied with making the EMV migration in the U.S. as simple as possible for the banks.”
That’s what bothers Dean Sheaffer, chief compliance officer at Boscov’s Inc. in Reading, Pa. His company is spending “hundreds of thousands of dollars,” he said, to install EMV terminals at its department stores when he’s not convinced that EMV will offer enough fraud protection.
“We don’t feel good about it at all,” Sheaffer said. “I see a number of clear issues that I think have to be vetted and resolved.”
At the top of Sheaffer’s list: PINs and magnetic stripes.
Target, a big proponent of EMV, has been rolling out EMV-enabled point-of-sale terminals at its stores since 2012. It declined to discuss EMV security concerns.
“While the new hardware has the capability to process EMV, the software is still in development,” said Target spokeswoman Molly Snyder.
A multitude of technologies are being promoted to make EMV cards more secure, although they aren’t part of this country’s official EMV rollout. One is to encrypt all card data from the instant it’s read in the store until it’s processed by the bank. Another is tokenization, in which card data in the payment processing network is replaced with a meaningless value the minute the card is authenticated.
Add the end-to-end encryption and tokens to EMV cards and you have a “pretty airtight solution,” said Oder at Shift4 Corp.
Other approaches also are circulating.
Hall, at FishNet Security, advocates a single transaction code. It’s a one-time 15- or 16-character transaction code generated by a smartphone or other smart device at the start of a purchase that replaces the card account number. The code could be displayed as a bar code on the phone that could easily be scanned by bar code equipment that retailers already have at the checkout.
“Once it’s used, it’s done,” Hall said.
Time to do away with plastic?
The cards themselves are the root of the problem, Hall and others say, and it’s time for a paradigm shift.
Richard Crone, head of Crone Consulting in suburban San Francisco, calls for ditching the country’s existing card infrastructure altogether and moving to cloud-based mobile payments, in which everything is stored more securely through the Internet in a server farm somewhere.
All payment credentials would be stored behind an encrypted firewall accessible only through strong authentication with only indecipherable tokens provided to the merchant for transaction authorization, Crone said.
“EMV as a fraud deterrent is a complete joke,” Crone said.
Still, proponents say it’s a vast improvement over the magnetic stripe system. Regardless of whatever percentage of fraud EMV doesn’t prevent, it’s better than where we are now, said Madeline Aufseeser, a payments analyst at Boston-based Aite Group.
Litan, at Gartner, agrees. Ultimately, the security arguments over EMV are “a red herring,” she said. It’s not perfect, Litan said, but EMV will significantly improve security compared to magnetic stripes and is the most realistic approach given its widespread adoption everywhere else. Companies will have to layer on other protections to thwart card-not-present fraud.
“It’s crazy to say don’t lock your front door because someone will get in your back door,” she said. “You’ve got to lock both.”

“There really isn’t any better proposal out there.”