EMV liability shift calls for renewed focus on employee security behaviors
The EMV deadline is finally here. The U.S. officially joins the rest of the developed world in deploying the new chip-based payment cards with the promise of making purchases at the check-out counter more secure. But the march to EMV-readiness has just begun. The banking and retail industries have made significant progress, but many businesses still aren’t ready, despite some high profile point-of-sale breaches like Target and Home Depot.
As many experts have put it, October 1 is a ‘soft deadline’ that will compel more businesses to make the transition to EMV. And those who have acted can expect positive results. Counterfeit card fraud is expected to drop by 51 percent or $1.8 billion due to the introduction of EMV chip cards, according to Aite Group. While counterfeit card fraud will significantly drop, card-not-present (CNP) fraud – fraudulent payments made via the internet, fax, mail, or phone – is expected to jump by 106 percent or $3.3 billion.
Moreover, lost-and-stolen card fraud will continue to rise while chip-and-signature (rather than chip-and-PIN) remains the primary cardholder verification method. Aite calculates that lost-and-stolen card fraud will reach $1 billion by 2018. It’s clear the liability shift deadline won’t mark the end of payment fraud; it simply means the bad guys will shift their fraud behaviors to focus on weaker points of attack.
Retailers have their work cut out for them. Education is key to preparing for this ‘fraud shift’, which will impact retailers, banks and consumers in new ways. All we have to do is look at our global counterparts to understand the new vulnerabilities that come with EMV adoption. After the introduction of EMV in Europe, online credit and debit card fraud rates there doubled from pre-EMV levels. Additionally, CNP fraud accounted for an alarming 60 percent of total fraud incidents across Europe in 2012 and, at the time, was projected to increase in 2013 and 2014.
With a more fraud-proof card technology, criminals will turn to the path of least resistance, which in many cases will be the unsuspecting or poorly-trained employee. Technology alone isn’t enough to protect cardholder data, especially when employees create an added security loophole. Retail and financial services employees will be a first and last line of defense against the new wave of payment card fraud.
Many of the fundamentals of PCI compliance will be vital for employees tasked with handling and processing payment card data in this new era of CNP fraud. For example:
- Processing Transactions: When processing payment card transactions using cardholder data obtained via phone, fax, e-mail, online, or any other channel where the physical payment card is not present, employees must understand how to secure the information received and verify the identity of the payment card owner. There are several red flags employees must recognize and react to properly so they can assess possible payment card fraud.
- Responding to Fraud: Employees must understand the protocols for alerting supervisors if they have any suspicions about the validity of a payment card or a person’s behavior. They should not confront the person without consulting their supervisor first.
- Retention, Access, Distribution: Some tried-and-true principles for protecting cardholder data remain: employees should retain only the cardholder data needed for business, legal, or regulatory purposes; protect cardholder data by allowing access only to the people who have a “need to know”; and distribute cardholder data to other departments and third parties only under approved conditions.
Getting employees to recognize the guidelines is simple, but translating these fundamentals into sound security behaviors is where most businesses still struggle. The only way the retail and financial services industries can achieve a risk-aware culture is through a well-designed awareness training and reinforcement program that helps build security-minded habits and behaviors.
Take Paradies, for example, which is a leading airport concessionaire and restaurateur. It operates over 550 stores in more than 76 airports and hotels across North America, serving more than a half-billion customers each year. These stores include original, one-of-a-kind brands unique to individual airports, as well as nationally-recognized brands. Paradies has ramped up its employee risk-awareness program designed to ensure PCI compliance while also making employees a critical line of defense against payment card fraud. The company has built this culture of risk awareness through a comprehensive training and reinforcement program for all of its employees. Paradies employees understand what it means to be PCI compliant and know that data security isn’t just a point-of-sale issue.
Knowing just how important data security is, local general managers have made PCI compliance and data security ongoing topics at team meetings, to ensure Paradies’ team leaders and associates continue to maintain compliance. Comprehensive training and reinforcement is important to Paradies, as they recognize they are only as smart as they are today; it takes adaptive, ongoing training to address the concerns that tomorrow’s security challenges bring. Going forward, Paradies is working to implement additional training programs to further strengthen employee defenses.
Companies like Paradies get it. They recognize that the coming era of payment data protection requires a twofold solution: better technology and better-trained employees. Achieving excellence in security awareness isn’t simply a matter of presenting information at an annual company meeting. Knowing something isn’t enough to cause change. The only way companies can expect sustainable behavior and cultural change is for employees to feel something. They have to be motivated. They have to understand and connect with the importance of achieving the goal. And then they have to practice it.
The same holds true for the rollout of EMV. While it is certainly a more secure step forward for the payment industry, to truly advance toward a more secure payment ecosystem we must secure the employee – still the most critical line of defense against payment fraud.
For more than two decades, MediaPro has been helping enterprises of all kinds improve the professional performance of their people. We’re passionate about our work in adult learning, and it shows in the quality of our courses, the delight of our clients, and in our many industry awards. More importantly, it shows in the way our approach to e-Learning works like no other to help our clients achieve their business goals.