Around 90 banks and credit unions have now signed up to support Apple Pay in some way, and credit unions make up nearly half of that list. Credit Union Magazine attributes the high percentage to “the credit union movement’s commitment to remaining relevant and increasing its growth momentum.” In other words, credit unions have a mission to serve members’ needs in changing technological times, and being “top-of-wallet” among payment options is a way to achieve their goals and attract new members. But why Apple Pay in particular and not one of its competitors?
Last year saw breach after breach of customer payment information, and the way that Apple Pay makes itself appealing to banks and credit unions looking to put a stronger guarantee on member payment data is through tokenization. In a traditional credit card transaction, the card’s data moves through the following workflow:
- The merchant or vendor gathers the number, CVV, expiration date, PIN (for debit), and billing address – and maybe even more – from the physical card at the register or payment terminal.
- That data is then encrypted and sent to the “acquirer,” or payment processor (the merchant’s bank, for instance).
- The acquirer requests authorization from the customer’s bank – the “issuer” – which sends either an approval or a denial status code to the acquirer.
Most breaches of payment card information, such as Target’s and Home Depot’s, happen somewhere within this process, especially if the information is stored by the merchant (which it often is for advertising and analytical purposes).
Apple Pay improves upon the idea of tokenization – replacing information with unrelated information, like one number with a different one – to put an additional layer of protection on the consumer in the complicated payment process. With Apple Pay, the merchant or vendor is given a token specific to the payer’s device and a one-time-use security code instead of the credit card number, expiration date, CVV, etc. The token is only translated to the credit card number on the issuer’s end, so only the credit union/bank and payment network have access to the information.
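The token flow described above can be modelled in a few lines. This is an added example, not Apple Pay's or any payment network's actual protocol: the class names, the counter-based HMAC security code and the test card number are all assumptions made for illustration.

```python
import hashlib, hmac, secrets

# Simplified model (assumption): not Apple Pay's or any network's real protocol.
def one_time_code(key, token, counter, amount_cents):
    """Security code bound to one token, one transaction counter, one amount."""
    msg = f"{token}|{counter}|{amount_cents}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]

class Issuer:
    """Issuer side: the only place a token maps back to a card number."""
    def __init__(self):
        self._vault = {}  # token -> card number, device key, last counter seen

    def provision(self, pan):
        # The token is random, so it cannot be reversed into the card number.
        token = "9" + "".join(secrets.choice("0123456789") for _ in range(15))
        key = secrets.token_bytes(32)
        self._vault[token] = {"pan": pan, "key": key, "last": 0}
        return token, key

    def authorize(self, token, counter, amount_cents, code):
        entry = self._vault.get(token)
        if entry is None:
            return "DECLINED: unknown token"
        expected = one_time_code(entry["key"], token, counter, amount_cents)
        if not hmac.compare_digest(expected, code):
            return "DECLINED: bad security code"
        if counter <= entry["last"]:
            return "DECLINED: security code already used"
        entry["last"] = counter
        return "APPROVED: card ending " + entry["pan"][-4:]

class Device:
    """Payer's device: holds the token and key, never hands over the card number."""
    def __init__(self, token, key):
        self.token, self._key, self._counter = token, key, 0

    def pay(self, amount_cents):
        self._counter += 1
        code = one_time_code(self._key, self.token, self._counter, amount_cents)
        return {"token": self.token, "counter": self._counter,
                "amount_cents": amount_cents, "code": code}

def demo():
    pan = "4111111111111111"  # constructed test card number
    issuer = Issuer()
    device = Device(*issuer.provision(pan))
    record = device.pay(1999)  # everything the merchant sees or stores
    return (issuer.authorize(**record), issuer.authorize(**record),
            pan in record.values())
```

`demo()` returns the first authorization, the result of replaying the same merchant record, and whether the card number appears in what the merchant holds. A record copied from the merchant's systems is declined on reuse and contains no card number.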
Why does that appeal to credit unions?
Credit unions are calling for retailers to be held solely responsible for data breaches, since breaches often occur due to malware or other security flaws on their end of the payment process. Retailers do not agree. The financial burden has been shared in the past, with credit unions held fiscally responsible for the costs of compensatory measures like issuing new cards after a retail breach. But those battles will be decided in court and it will likely be a lengthy process. In the meantime, new vulnerabilities are regularly being discovered in different payment processes. For example, the Credit Union Times recently quoted Joseph Demarest, the assistant director of the FBI’s Cyber Division, as saying that mobile banking vulnerabilities “pose another new and highly sophisticated danger” to payment security.
Not only does tokenization reduce the amount of data given to retailers, but it can also be used for a wide variety of payment types – even in-app purchases and e-commerce transactions. Tokenization also lends itself to the larger shift to card-not-present payment environments and other technologies like EMV (chip-based payments).
With a dedication to staying ahead of the curve leading credit unions to jump at the chance to participate in Apple Pay, why are so many credit unions still using outdated or insecure methods to share files and collaborate? For instance, employees often still email or even print files with member information to share with other departments or third parties, like payroll companies.
In a world where data breaches have become commonplace, protecting member payment card data is crucial and Apple Pay seems to be a step in the right direction for credit unions on that front. However, there are also member addresses, birthdates, even social security cards that can easily be exposed if the proper protections and sharing protocol aren’t put into place. Investing in simple, secure file-sharing and collaboration solutions with data loss prevention features is critical to keeping credit unions ahead of the curve and out of the data breach headlines.