As part of CO-OP’s “Innovation in Payments” webinar held November 18, Caroline Willard, EVP, Markets and Strategy, and Michelle Thornton, Manager, Core Products, fielded questions about the latest security technology. What did credit unions want to know?
Q: Is it true that if you hover over an EMV card or an iPhone using Apple Pay, you can capture the data on it?
A: One important thing to remember is that both of these technologies use cryptograms to secure data. So the data that someone might capture as part of an EMV or Apple Pay transaction isn’t repurposeable.
In Apple Pay, the token that is on a particular phone for Apple Pay is specific to that phone: That phone has identifying data. So if a token were used from any other device, it wouldn’t work because the cryptogram wouldn’t have the identifying information from the correct phone.
On the EMV side, there are transaction counters that would show that a new transaction wasn’t valid because the number and cryptogram were already seen in a previous transaction.
Q: Does EMV use tokenization?
A: EMV does not use tokenization; they’re two different technologies. It’s possible to become confused because they do both use similar kinds of technology, so you hear them talked about in the same breath. They both use cryptography, but EMV and tokenization are two distinct things.
Q: In Apple Pay, are tokens assigned per card or per transaction?
A: The token is static, but it’s specific to that phone and that card. So, for example, if you’ve got a card and you’ve got three phones, you would have three different tokens. Each phone would have a static and a unique token for that one card.
What is dynamic is the cryptograms around those tokens. Those are unique each time you do a transaction.
Q: Would Apple Pay or EMV have prevented the Target breach?
A: It wouldn’t have prevented the breach itself, but what EMV would have done is prevented compromised numbers from being used to create counterfeit cards. EMV cards are difficult to reproduce, so fraudsters typically don’t attempt it.
The other part of the question was about whether Apple Pay would have prevented it. Again, it wouldn’t have prevented the breach, but it could have prevented certain types of transactions using those numbers.
CardNav by CO-OP, for a third point, would absolutely have been able to prevent some fraudulent activity by alerting members to suspicious transactions and enabling them to shut down their cards if there was a compromise.
In each case, it’s not so much a question of preventing the breach, but what happens with compromised numbers after a breach occurs. These three technologies can absolutely help in different ways.
Q: Can CardNav by CO-OP be fully integrated with existing CU mobile apps, so that members can access it using a single sign on?
A: We will be deploying on an API version of CardNav by CO-OP, so you can tuck it into your existing mobile app and have it be accessible to your members without having a separate sign on. That’s on our roadmap for 2015.
To watch a recording of the full “Innovation in Payments” webinar, click here.
Find out more about Apple Pay and tokenization for your credit union here.
Learn more about EMV for your credit union here.
Get the latest on CardNav by CO-OP mobile card controls and alerts here.