How online merchants can protect against data breach threats

Last updated: 09 June 2020

As consumers, we’re all familiar with the two very distinct payment situations in our daily lives: in-store, or online using our phone, laptop or tablet. In both cases, we generally use an EMV payment card.

At the store, these transactions are known as ‘Card Present’ transactions, as payment is performed using a physical card, a Point of Sale (POS) terminal and a processing network. For online purchases, the transaction is called ‘Card-Not-Present’ (CNP) and the card details must be manually entered in the online merchant interface – often at ‘checkout’ – to complete the transaction.

So far so familiar, right? The one thing that consumers aren’t always aware of is the fact that CNP transactions pose a potentially higher security threat than those in store. When the consumer agrees to have their card details stored by the online merchant, the data is then at risk of being stolen via a data breach – such as in the case of the recent Easyjet cyberattack. What’s more, as the presence of a physical card is not required to complete the transaction, anybody in possession of the card data or the user’s account credentials on the merchant site can essentially hijack the account.

How can online merchants defend against online data breaches?

EMV Tokenisation – also called Payment Network Tokenization – is one of the best available solutions to tackle these issues. In a nutshell, it enables a comprehensive set of risk management mechanisms for online store owners, essentially upgrading existing Card-on-File data protection and transaction management for the eCommerce market.

Here’s how it works:

  • An EMV Token is created by the Payment Network Tokenization Service Provider (TSP) and mapped to the original physical card's Primary Account Number – or PAN. An EMV Token is assigned to a given merchant, which stops a fraudster who steals it from using it more broadly. An EMV card can, by definition, pay for anything, anytime, anywhere and for any amount – but a Token is only usable at the online store it was issued to.
  • When the online merchant enrols a new card for EMV Tokenisation, they are able to share risk management information with the issuer to define the assurance level of the Token (this includes email addresses, billing addresses and account scores).
  • For each payment transaction, a dynamic cryptogram is generated by the Network TSP and verified during the authorisation process. In some cases, a stronger cryptogram containing all the transaction parameters (merchant, date, amount etc.) can be used. That makes each and every transaction unique, meaning the fraudster cannot run a replay attack.

Additionally, payment networks are looking at leveraging EMV Tokenisation to support frictionless user verification and ensure the online shopper is the genuine owner of the card. Visa has been a pioneer in this regard with its Cloud Token Framework:

  • The Cloud Token Framework allows end-users to bind several trusted devices to a Merchant Token. In most cases, device-binding is reinforced by user verification, typically in the shape of a one-time password request to be entered in the online merchant interface.
  • Device binding lays the groundwork to implement strong, multifactor authentication via a device in the cardholder’s possession. What’s more, it can be complemented by biometric or knowledge-based authentication. Two-factor authentication is mandated in Europe in the wake of the Second Payment Services Directive (PSD2). For the consumer, this is a strong and visible security measure.
  • The unique cryptogram generation and validation also meets the PSD2 requirement for dynamic linking.
  • As a result, a delegated authentication can be performed by the online merchant using its own PSD2 compliant and frictionless authentication solution, bringing improved security with minimum disruption to the user journey.
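The token issuance, merchant scoping, device binding, per-transaction cryptogram and replay rejection described in the two lists above, as an added Python simulation that is not part of the original post or of any Thales or payment-network product. The HMAC-SHA256 cryptogram, the in-memory token vault and the nonce-based replay check are assumptions standing in for the network's real scheme; the PAN, merchant and device names are constructed sample values.

```python
import hashlib
import hmac
import secrets

# Constructed simulation of a Payment Network Token Service Provider (TSP):
# merchant-scoped tokens, per-transaction cryptograms, device binding and
# replay rejection. Example code, not Thales' or any network's product.


class TokenServiceProvider:
    def __init__(self):
        self._key = secrets.token_bytes(32)  # assumed TSP-held cryptogram key
        self._vault = {}    # token -> {"pan": ..., "merchant": ..., "devices": set()}
        self._seen = set()  # (token, nonce) pairs already authorised

    def tokenise(self, pan, merchant_id):
        """Issue a token mapped to the PAN and bound to one merchant."""
        token = "TKN" + secrets.token_hex(8)
        self._vault[token] = {"pan": pan, "merchant": merchant_id, "devices": set()}
        return token

    def bind_device(self, token, device_id, otp_verified):
        """Cloud-Token-style binding: a device is added only after the OTP step succeeded."""
        if otp_verified:
            self._vault[token]["devices"].add(device_id)
        return otp_verified

    def cryptogram(self, token, merchant_id, device_id, amount, date, nonce):
        """Dynamic cryptogram over the transaction parameters (HMAC-SHA256 here)."""
        msg = "|".join([token, merchant_id, device_id, f"{amount:.2f}", date, nonce])
        return hmac.new(self._key, msg.encode(), hashlib.sha256).hexdigest()

    def authorise(self, token, merchant_id, device_id, amount, date, nonce, cg):
        """Checks run on the network/issuer side before a transaction is approved."""
        entry = self._vault.get(token)
        if entry is None:
            return "decline: unknown token"
        if entry["merchant"] != merchant_id:
            return "decline: token not bound to this merchant"
        if device_id not in entry["devices"]:
            return "decline: device not bound"
        expected = self.cryptogram(token, merchant_id, device_id, amount, date, nonce)
        if not hmac.compare_digest(expected, cg):
            return "decline: cryptogram mismatch"
        if (token, nonce) in self._seen:
            return "decline: replay"
        self._seen.add((token, nonce))
        return "approved"
```

A stolen token therefore fails at another merchant or from an unbound device, a tampered amount fails the cryptogram check, and a resubmitted message fails the replay check.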

How we’re helping online merchants stay secure

Thales can help online merchants and Payment Services Providers (PSPs) implement their EMV Token management framework, as well as providing extra value beyond the list of defence mechanisms detailed above. This includes card lifecycle management and enhanced transaction approval rates.

As a cloud-native platform certified by the payment networks, we fast-track the onboarding of online retailers and PSPs, dramatically cutting costs and time to connect to all the leading payment networks.

This allows PSPs and online merchants to focus on their customer journeys, with a seamless integration of Tokenisation services into their payment user experience, for any type of connected devices.

This is a new eCommerce era where cards-on-file will continue enabling innovative use cases and drive new consumer behaviour. Thales is committed to offering state-of-the-art digital payment solutions matching the great experience and level of security we already enable with EMV cards in ‘present mode’ at stores.
