Did Obama's Cyber Summit Miss the Mark?
Critics: Action Items Lack Specifics for Payments Security
Payments security was a marquee topic at last week's White House Summit on Cybersecurity and Consumer Protection. But was it all just talk, or will decisive action result from the Summit?
Some observers say that, despite commitments made by leading payment card brands to enhance security, the Summit produced no specifics about how public and private sectors will collaborate to curb cyber-fraud. They also say the card brands' plans fail to address tokenization concerns that banking/security leaders and retailers have been at odds over for the past several months.
Fraud expert Avivah Litan, an analyst at the consultancy Gartner, says most of the payments security initiatives noted by the White House are more of a roundup of innovative private-sector initiatives, rather than specific action points the government plans to take to curb cyber-related fraud.
Most notable of all, Litan says, is the lack of specificity from the Obama Administration about the action it plans to take to stop data breaches, "for example, by coming up with a method to tokenize Social Security numbers."
In a fact sheet issued about the key payments security initiatives announced during the Summit, the White House calls out, among other things:
- Visa's commitment to tokenize all credit card transactions by the end of the first quarter of 2015;
- MasterCard's plans to invest more than $20 million for the deployment of new cybersecurity tools that will reduce the risk of large-scale cyber-attacks;
- A commitment made by Apple, Visa, MasterCard, Comerica Bank and U.S. Bank to make Apple Pay a tokenized and encrypted service available to all users of federal payments and benefits programs;
- American Express' plans to roll out new multi-factor authentication technologies for consumers;
- MasterCard's plans to pilot facial and voice biometrics for payments authentication and verification later this year.
These commitments came as no surprise, say retail payments experts such as Liz Garner, vice president of the trade association the Merchant Advisory Group.
But Garner says the promises made by the card brands don't address lingering concerns about how tokenization should be standardized to meet the needs of all industries.
The card brands and Apple Pay currently rely solely on a tokenization specification designed and developed by EMVCo, a global standards body for EMV that Garner says is managed by the card brands.
"We all agree tokenization is a good technology," she says. "We just have major concerns about specifications for tokenization being developed by a group, EMVCo, that is owned by the payment card networks."
The Tokenization Standard
Gartner's Litan shares Garner's concern about tokenization and standardization.
"MasterCard and Visa are only committed to their own EMV token standards to perpetuate their own card-brand payments - it's not an open universal standard," Litan says. "The White House is going to just cite some very high-level bullet points. ... Unfortunately, they give Visa and MasterCard too much mindshare, relative to other innovations they should be backing, reflecting the market and lobbying power of the banks and credit card companies."
Garner's concern: If Visa and MasterCard rely solely on EMVCo's specifications, and fail to cooperate with open standards organizations such as the International Organization for Standardization for the development of tokenization technologies, "it will be harmful to U.S. commerce in the long-term, from both a security and a competition standpoint."
Garner also says that Visa's and MasterCard's commitments to tokenize EMV credit card numbers only apply to contactless and mobile payments. "Why aren't they focusing efforts more on contact cards here?" she asks. "Some would argue it may be a market power play for mobile, as well as a transaction data and routing control issue."
Apple Pay Adoption
Dave Jevans, co-founder of the Anti-Phishing Working Group and founder and chief technology officer of mobile security firm Marble Security, says one of the most surprising announcements to come out of last week's event was the White House's commitment to Apple Pay, which is now going to be used to support all federal employee and benefits programs.
Apple Pay will now be a complement to President Obama's Buy Secure initiative announced in January. The initiative calls for all federal employee and benefits programs, such as SmartPay and Direct Express, to be EMV chip-and-PIN compliant by the end of the year.
Jevans says the deal will likely raise questions about why the government is supporting a proprietary mobile payments system, Apple Pay, rather than more open systems that are not controlled by a single company.
"I think it is a play by Apple to become the standard smartphone for the federal government," he says. "Expect Google, Samsung and all the Android vendors to follow suit. I feel that the vision of Tim Cook at Apple around creating a full virtual wallet, including electronic passports and licenses, is a good one. Snuggling up to the federal government will be required. It's a long-term (decade-long) vision."
What About PCI?
What makes Apple Pay attractive is that it's EMV-compliant and has tokenization built in, says Jeff Man, security strategist and evangelist at network monitoring specialist Tenable Network Security.
But Man fears all of the discussion surrounding tokenization could distract the industry from focusing on compliance with the Payment Card Industry Data Security Standard.
"The history of tokenization and encryption within the payments industry is the desire for merchants to be able to avoid having to do PCI altogether," Man says. "PCI compliance revolves around the presence of the primary account number (PAN). If there is no primary account number present, then PCI does not apply."
He says the security solutions promoted by the card brands at the summit all circumvent existing PCI standards.
"It sure feels like they are trying to distance the brands from the program they helped put in place," Man says.