On November 18, 2014, CSO’s Maria Korolov wrote an article about how, as of November 1, 2015, merchants that aren’t ready to accept chip-based cards instead of the current magnetic-stripe cards will become liable for fraudulent transactions that today are covered by the credit card companies.
In 12 Security Problems That EMV And Tokenization Won’t Solve, she explains how retailers will be switching to new, EMV-compliant point-of-sale terminals — and, while they’re upgrading, many will also roll out tokenization and end-to-end encryption as part of the package to dramatically increase security in the area of retail payments. However, according to the author, the retail industry will not instantly become bullet-proof and will likely experience some “bumps in the road” in the journey to credit card security.
Protegrity CEO Suni Munshani is quoted in a section describing how merchants will still need to keep some customer data:
“There probably are small stores out there that do not collect any customer information at all. ‘But larger merchants must have data for analytics, store planning, merchandising, up-selling and cross-selling,’ said Suni Munshani, CEO at Stamford, Conn.,-based Protegrity USA. ‘It’s impossible for them to do all that without data, so they must store the data.’”
“Some companies have reasons to store part or all of the payment data, as well — say, to allow customers to keep payment methods on file, for convenience when shopping.”
“Protegrity’s solution is to leave the code books in the hands of the merchants, instead of outsourcing them to the payment processors.”
“‘The merchant has to protect the de-tokenization process, since it’s all in the merchant’s hands,’ he admitted. “ ‘But it means that the company is not wedded to the payment processor.’”