Compliance does not equal security: What the EMV Mandates Mean for You
By now you have likely heard about the impending EMV mandate: as of October 1, 2015, US retailers are expected to have POS readers that accept EMV chip card payments in their stores. The "mandate" is really a liability shift set by the card networks. After that date, liability for counterfeit card-present fraud moves to whichever party, merchant or issuer, has not adopted EMV, so a merchant still running magnetic-stripe-only terminals absorbs losses the issuing bank used to bear. As a result, most merchants are actively updating their store systems with EMV-ready payment devices and going through the requisite re-certification process with their acquiring banks and processors.
Look Out, eCommerce!
With its cryptographic card authentication, EMV makes counterfeiting a payment card very difficult: the chip computes a per-transaction cryptogram with a key that never leaves the card, so data captured from one transaction cannot be replayed or used to build a working clone. (The magnetic stripe still present on most EMV cards remains copyable, which is exactly why the liability shift matters.) In some markets, card-present use of an EMV card must also be accompanied by consumer PIN entry, making fraud even less probable. As a result, EMV transactions give retailers reasonable assurance that the card is genuine and, where a PIN is required, that the person presenting it is its rightful holder.
Unfortunately, EMV transaction security ends there. EMV does not protect payment data in transit from the acceptance point to the card networks: the PAN and expiry date still travel in the authorization message, and unless something else encrypts them they are as exposed in the merchant's network, POS memory and logs as a magnetic-stripe swipe would be. The sensitive cardholder data on the card remains vulnerable to theft once it leaves the payment acceptance device.
EMV helps protect against what is called "card-present" fraud. But what about card-not-present fraud? Fraud migrates rather than disappears. In France, for example, "payment card-present fraud dropped by 35% between 2004 and 2009 after the implementation of EMV, but domestic card-not-present fraud losses increased more than 360% in that same time span."1
In Europe, where EMV has been used for years, the European Banking Authority (EBA) reports, "Fraud on card not present internet payments alone caused €794 million of losses in 2012 (up by 21.2% from the previous year)."2 Earlier this year, various reports estimated that 6% to 8% of all dollars spent using Apple Pay were transactions made with stolen payment card information. The weakness was not the tap at the terminal but provisioning: no physical card is needed to enroll a card in the wallet, and some issuers verified enrollments so loosely that criminals could load stolen card numbers onto phones they controlled.
A Honey Pot of Data
So EMV may be an effective tool to lessen card-present fraud, but it does nothing to stop the use of stolen card information in online and mobile transactions. Criminals know they can monetize card data heists by using the information in card-not-present purchase environments. Using malware, POS memory scrapers and other covert techniques, criminals can capture all of the payment data they need from unsuspecting retailers to perpetrate these frauds.
A report in NetworkWorld.com details the severity of the problem. “In the first 9 months of 2014, 904 million records were compromised in 1,922 confirmed incidents” which included “20 incidents that compromised more than 1 million records each.”3 Further, USA Today reports, “[Target] is still recovering financially. The breach has cost the company $148 million, minus a $38 million insurance payment.”4 Data breach costs include restitution for consumers and banks, fines, legal fees and revenue lost due to brand damage.
A recent study on the global cost of data breaches states that the cost of data breaches has reached record levels. The study revealed that the "…average costs for each compromised record marked by sensitive information, whether lost or stolen, was up 6 percent to $154 from $145. Perhaps not surprisingly, healthcare stands as the industry with the highest data breach costs, with an average cost per record of as much as $363. The retail industry, where marquee names have borne repeated attacks but many smaller companies have also suffered, has seen its average cost per stolen record grow from $105 in 2014 to $165 this year."5
New payment acceptance methods, such as NFC mobile wallets and mobile POS, add to the complexity of the issue for retailers. The 2014 LexisNexis True Cost of Fraud study6 reports mobile commerce fraud rates at double the overall fraud rate, 1.36% vs 0.68% (see chart below). Security strategies like payment tokenization (replacing the PAN in the wallet with a device-specific token) and host card emulation hold great promise for securing mobile payments but are still in their infancy, which limits their overall impact.
Layered Payment Security
The LexisNexis report shows retail fraud losses of 0.68% of revenue in 2014, up from 0.51% in 2013. For card-present businesses, EMV is expected to reduce this substantially. However, criminals continue to crave stolen card information, and cardholder data theft is simple and repeatable. Retailers must recognize this and put solutions in place that protect payment data in transit to their bank. Point-to-Point Encryption (P2PE), which encrypts card data inside the payment terminal before it reaches any merchant system, has proven the most effective approach for this, and the Payment Card Industry Security Standards Council (PCI SSC) now standardizes it as the PCI P2PE standard.
P2PE keeps sensitive card data out of the merchant's systems: the PAN is encrypted inside the acceptance device and stays encrypted across the merchant network and the authorization message until it reaches the solution provider's or acquirer's hardware security module, where it is decrypted. Captured ciphertext is worthless to a criminal who does not hold the key, which is why a validated P2PE solution can also reduce the merchant's PCI DSS scope. So as not to disrupt authorization processing, Format-Preserving Encryption (FPE) can be used: the ciphertext keeps the original format, so a 16-digit numeric PAN encrypts to another 16-digit numeric string that fits existing fields, length checks and message layouts, eliminating the need for database and application schema changes. Common practice leaves the first six digits (the BIN, needed for routing) and the last four (needed for receipts and customer service) in the clear and encrypts only the middle. Tokenization replaces sensitive data such as card numbers with tokens: surrogate values that look like a card number but have no mathematical relationship to it and can be resolved only through the token vault. This data-centric security approach protects data in transit, in use and at rest.
A common recommendation is a three-pronged approach to payment acceptance: EMV for card authentication, P2PE to encrypt data as it is transmitted, and FPE or tokenization for post-authorization storage of payment data. Each addresses a threat the others do not (counterfeit cards, data captured in transit or in POS memory, data stolen from storage), and together they provide layered protection that is highly effective and largely transparent to merchant operations.
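The following example is added here to make the FPE and tokenization ideas concrete; it is not code from the article or from HP Security Voltage's products. It protects a sample PAN two ways: a format-preserving encryption of the middle digits that leaves the BIN and last four in the clear, and vault tokenization that hands out a random surrogate of the same shape. The FPE is a simplified Feistel construction with HMAC-SHA256 as its round function, written only to show the format-preserving property (digits in, the same number of digits out, reversible with the key); it is not NIST SP 800-38G FF1 and must not be used in production. The key, the in-memory vault and all function names are assumptions made for this example, and the card numbers are standard test PANs.

```python
"""Format-preserving encryption and vault tokenization of a PAN (illustrative).

Added example for this article, not HP Security Voltage code. The Feistel
cipher below shows the FPE property but is NOT NIST SP 800-38G FF1 and is
not for production. Key, vault and test PANs are constructed for the demo.
"""
import hashlib
import hmac
import secrets

ROUNDS = 10


def luhn_valid(number: str) -> bool:
    """Luhn mod-10 check, the same test many POS field validators apply."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def _round_fn(key: bytes, tweak: bytes, rnd: int, half: str) -> int:
    """Keyed round function: HMAC over (tweak, round number, other half)."""
    mac = hmac.new(key, tweak + bytes([rnd]) + half.encode(), hashlib.sha256).digest()
    return int.from_bytes(mac, "big")


def fpe_encrypt_digits(key: bytes, tweak: bytes, digits: str) -> str:
    """Encrypt a decimal string to a decimal string of the same length."""
    if len(digits) < 2 or not digits.isdigit():
        raise ValueError("need at least two decimal digits")
    u = len(digits) // 2
    v = len(digits) - u
    a, b = digits[:u], digits[u:]
    for i in range(ROUNDS):
        m = u if i % 2 == 0 else v  # alternate which half is modified
        c = (int(a) + _round_fn(key, tweak, i, b)) % 10 ** m
        a, b = b, str(c).zfill(m)
    return a + b


def fpe_decrypt_digits(key: bytes, tweak: bytes, digits: str) -> str:
    """Inverse of fpe_encrypt_digits: run the rounds backwards."""
    u = len(digits) // 2
    v = len(digits) - u
    a, b = digits[:u], digits[u:]
    for i in reversed(range(ROUNDS)):
        m = u if i % 2 == 0 else v
        c = (int(b) - _round_fn(key, tweak, i, a)) % 10 ** m
        b, a = a, str(c).zfill(m)
    return a + b


def protect_pan(key: bytes, pan: str) -> str:
    """Encrypt only the middle digits. BIN (first 6) stays clear for routing,
    last 4 for receipts; both feed the tweak so equal middles under different
    BINs encrypt differently."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        raise ValueError("PAN must be 13 to 19 digits")
    bin6, middle, last4 = pan[:6], pan[6:-4], pan[-4:]
    return bin6 + fpe_encrypt_digits(key, (bin6 + last4).encode(), middle) + last4


def unprotect_pan(key: bytes, protected: str) -> str:
    """Recover the PAN; only the key holder (the HSM at the solution provider
    or acquirer, never the merchant) can do this."""
    bin6, middle, last4 = protected[:6], protected[6:-4], protected[-4:]
    return bin6 + fpe_decrypt_digits(key, (bin6 + last4).encode(), middle) + last4


class TokenVault:
    """In-memory stand-in for a tokenization vault. A real vault is a separate,
    access-controlled system that stores the PAN encrypted; the merchant keeps
    only the token."""

    def __init__(self) -> None:
        self._token_to_pan = {}
        self._pan_to_token = {}

    def tokenize(self, pan: str) -> str:
        if pan in self._pan_to_token:  # same PAN, same token
            return self._pan_to_token[pan]
        while True:
            middle = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 10))
            token = pan[:6] + middle + pan[-4:]
            # Reject anything that could pass for a live card: the PAN itself,
            # a Luhn-valid number, or a token already issued to another PAN.
            if token != pan and not luhn_valid(token) and token not in self._token_to_pan:
                break
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        return self._token_to_pan[token]


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # constructed key for the demo
    pan = "4111111111111111"  # standard Visa test PAN
    protected = protect_pan(key, pan)
    print(pan, "->", protected, "->", unprotect_pan(key, protected))
    vault = TokenVault()
    token = vault.tokenize(pan)
    print(pan, "->", token, "->", vault.detokenize(token))
```

Two design points worth noticing. Keeping the BIN and last four in the clear leaves only six digits to encrypt, a domain of one million values, which is small enough that SP 800-38G puts specific limits on its use; a production deployment follows that guidance and uses FF1 from a reviewed library rather than a hand-rolled Feistel. The vault deliberately issues Luhn-invalid tokens so a token can never be mistaken for a real card number, either by an attacker who dumps the merchant database or by a scanner looking for stray PANs; if a downstream system insists on Luhn-valid input, that check has to be relaxed for tokens rather than the tokens made to look like cards.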
About the Author
For the past 20 years, George Rice has helped businesses use technology to enhance their acceptance of electronic payments. He has assisted many of the largest US retailers in implementing solutions that improve the speed, convenience and security of payment transactions. In his current role as HP Security’s Senior Director of Payments, George works with both merchant acquirers and large retailers to implement technology that protects the sensitive data entrusted to them by consumers, including payment and personal data.
Additionally, he manages relationships with the foremost payments solution providers, as well as the PCI council, the ETA and other industry organizations.