Today our financial and personal information is everywhere. It is in our phones for mobile payments, in our wallets on our credit cards and in the data centers and clouds of the companies and third parties that complete transactions on our behalf. With so much personal information—quite literally—floating around various access points, it has never been more lucrative or easy for cyber-criminals to access and mine private information to sell on the black market.
The Target data breach at the end of 2013, which affected the card payment information of more than 40 million shoppers and the personal data of almost 70 million consumers, kick-started a continuous barrage of point-of-sale (POS) attacks affecting consumers, businesses and banks throughout 2014. Between the breaches at Dairy Queen, Home Depot and Neiman Marcus, it seemed like cyber-criminals were always one step ahead of the game, using malware and card-skimming techniques to gain access to confidential information.
According to the Aite Group, Americans lose $8.6 billion to fraud every year. This number was expected to reach $10 billion by 2015, according to the Nilson Report. POS systems are continuously hacked by criminals for the same reason WiFi and passwords are easy targets: It's a numbers game, and POS terminals are everywhere. In addition, the POS security mechanism is based on a legacy technology developed more than 30 years ago: the magnetic stripe, whose static track data can be copied and replayed by anyone who reads it once.
With half the world’s credit card fraud happening in the U.S., what can privacy professionals expect from 2015? What precautions can we all take to mitigate the risk of further attacks?
The Payment Networks' Liability Shift in October 2015 and subsequent move to "Chip-and-PIN" EMV card payment methods has been touted as the "holy grail" technology that will finally thwart security breaches in the U.S. According to the Federal Reserve, the per-transaction cryptogram an EMV chip generates, coupled with PIN protection, will make transactions 700 times more secure than magnetic stripe transactions. Additionally, reports have shown that EMV chip usage has cut forms of credit card fraud by more than 65 percent in Europe in the last decade. The caveat practitioners should keep in mind is that EMV authenticates the card at a card-present terminal; it does nothing for card-not-present transactions, and the account number and expiry date still pass through the terminal in the clear unless they are encrypted as well.
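Why a chip transaction resists the cloning and replay that a stripe swipe invites, as an added example that is not part of the original post and not EMV kernel code: the chip holds a key that never leaves it and is shared only with the issuer, and signs each authorization over a transaction counter, the amount and a fresh challenge from the terminal. HMAC-SHA256 stands in for the 3DES/AES MAC a real card computes, the message fields and the test PAN are constructed, and the issuer-side checks are a simplified model of the real authorization flow.

```python
import hashlib
import hmac
import os

# Constructed magnetic-stripe track-2 data for the test PAN 4111111111111111.
TRACK2 = b";4111111111111111=25121011234567890?"


def magstripe_swipe() -> bytes:
    """A stripe returns the same static bytes on every swipe: whoever has read them once
    (skimmer, memory scraper) can encode a counterfeit card the terminal cannot tell apart."""
    return TRACK2


def cryptogram_input(pan: str, atc: int, amount: int, un: bytes) -> bytes:
    """Data the cryptogram covers: card identity, transaction counter, amount and the
    terminal's fresh random challenge (the 'unpredictable number')."""
    return f"{pan}|{atc}|{amount}|{un.hex()}".encode()


def compute_arqc(key: bytes, pan: str, atc: int, amount: int, un: bytes) -> bytes:
    # Assumption: HMAC-SHA256 truncated to 8 bytes stands in for the card's real MAC.
    return hmac.new(key, cryptogram_input(pan, atc, amount, un), hashlib.sha256).digest()[:8]


class ChipCard:
    def __init__(self, pan: str, icc_key: bytes) -> None:
        self.pan = pan
        self._key = icc_key   # held inside the chip; the terminal never sees it
        self.atc = 0          # application transaction counter, increments per transaction

    def generate_arqc(self, amount: int, un: bytes) -> tuple:
        self.atc += 1
        return self.atc, compute_arqc(self._key, self.pan, self.atc, amount, un)


class Issuer:
    def __init__(self) -> None:
        self._keys = {}       # PAN -> card key (real issuers derive these, never store per card)
        self._last_atc = {}   # PAN -> highest counter seen, for replay detection

    def issue(self, pan: str) -> ChipCard:
        key = os.urandom(16)
        self._keys[pan] = key
        return ChipCard(pan, key)

    def authorize(self, pan: str, atc: int, amount: int, un: bytes, arqc: bytes) -> str:
        key = self._keys.get(pan)
        if key is None:
            return "DECLINE: unknown card"
        if not hmac.compare_digest(compute_arqc(key, pan, atc, amount, un), arqc):
            return "DECLINE: cryptogram does not verify"   # wrong key or altered data
        if atc <= self._last_atc.get(pan, 0):
            return "DECLINE: counter not fresh"            # replayed authorization
        self._last_atc[pan] = atc
        return "APPROVE"


def run_scenarios() -> dict:
    """Constructed scenarios: genuine purchase, replay, amount tampering, clone without key."""
    issuer = Issuer()
    pan = "4111111111111111"
    card = issuer.issue(pan)
    results = {}

    # Stripe: two swipes are byte-identical, so captured data is a working clone.
    results["stripe_replayable"] = magstripe_swipe() == magstripe_swipe()

    # Genuine purchase: the terminal supplies a fresh challenge, the card signs it.
    un = os.urandom(4)
    atc, arqc = card.generate_arqc(1999, un)
    results["genuine"] = issuer.authorize(pan, atc, 1999, un, arqc)

    # Replay: an attacker who sniffed the whole authorization message resends it verbatim.
    results["replay"] = issuer.authorize(pan, atc, 1999, un, arqc)

    # Tampering: same cryptogram, amount changed on the wire.
    un2 = os.urandom(4)
    atc2, arqc2 = card.generate_arqc(1999, un2)
    results["amount_tampered"] = issuer.authorize(pan, atc2, 199900, un2, arqc2)

    # Clone: the attacker has the PAN and track data but not the chip key, so guesses one.
    clone = ChipCard(pan, os.urandom(16))
    un3 = os.urandom(4)
    atc3, arqc3 = clone.generate_arqc(1999, un3)
    results["clone_without_key"] = issuer.authorize(pan, atc3, 1999, un3, arqc3)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:>18}: {outcome}")
```

The two properties that matter are visible in the decline reasons: without the chip key no cryptogram verifies, and even a perfectly captured authorization is useless a second time because the counter and the terminal's challenge have moved on. Nothing here protects the PAN itself, which is why the post later turns to encryption.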
Why So Late to the Game?
The U.S. is the world's single largest user of payment cards; however, unlike in Europe and many developing countries, the move to adopt EMV technology has been slow until recently. Ironically, in the 1990s, American credit companies were ahead of their European counterparts at detecting fraudulent transactions at POS terminals. Because they could catch fraud after the fact, there was no incentive to move to EMV terminals, which were costly to install. For companies in Europe, moving to EMV was less costly than the sums of money they were losing to credit card skimming schemes. Additionally, regulations on credit card companies are tighter in Europe, placing the cost of paying for fraud on the credit card company, while the regulations stateside have been more lax in this regard.
The transition to EMV before the October 2015 Payments Network Liability Shift is expected to cost over $8.6 billion in upgrades to ATMs, POS devices and credit/debit cards according to Javelin Strategy & Research. Under the shift, whichever party has not adopted EMV, the issuer (the banks and institutions) or the merchant, absorbs the loss from a counterfeit card-present transaction; issuers have traditionally borne that cost, so a merchant that keeps swiping stripes after October takes it on. October is still many months away, so in the meantime, what does 2015 have in store?
Aside from the shift to EMV, many organizations need to take a proactive approach to how they secure payment card transactions. This goes beyond basic annual PCI-DSS compliance. Experian's Data Breach Industry Forecast points to a number of threats that are still overlooked by companies. For instance, the threat posed by employees, either through negligence, human error or as a malicious insider, is considerably underreported.
The Experian forecast also predicted a rise in data breaches in the early part of the year, while POS systems are still vulnerable to hackers. Even when the liability shifts, the transition will be costly for small regional retailers, some of which may gamble that they are unlikely to be attacked and delay upgrading. Still, data breaches are likely to persist.
Remedies to 2015 Threats
- Educate employees. Rather than taking measures to educate employees about security best practices, many retailers are implementing new technologies focused on external threats, which do not address the insider and human-error risk. Organizations that instill a culture committed to safeguarding data and conduct regular security training will be in a better position to prevent an attack.
- Make the switch, and quickly. EMV-compliant systems are expensive, which may deter companies from making the switch to EMV, particularly smaller companies with less capital. As larger enterprises make the switch to EMV, criminals will begin to target smaller outlets for the same data. Consider this: It can typically take a company a full year to recover from reputation damage after a data breach, and many small businesses do not recover at all.
- Consider end-to-end encryption. Cyber-criminals are well aware of the threat EMV poses to their livelihood, and no doubt they are already developing more sophisticated techniques to find other access points. End-to-end (point-to-point) encryption encrypts card data inside the reader at the moment of capture, so the POS application, its memory and the retailer's network only ever handle ciphertext that can be opened at the payment processor. That removes the cleartext card data that POS malware harvests, and the same protection extends to contactless payments.
- Limit access to the Internet. Unless a POS system needs Internet access, it should be completely firewalled from the Internet and WiFi to prevent external threats. If the system requires Internet access, make sure that your network is segmented so the POS can reach only the payment processor's endpoints, and that outbound traffic goes through a proxy where it can be inspected.
- Educate consumers. Consumer adoption of new technologies can be slow. While many consumers are aware of the benefits of an EMV-secured card, getting customers to make the switch is easier said than done. All parties involved—banks, merchants and institutions—need to play their part in promoting wide-scale EMV adoption to safeguard against data breaches in the future.
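What the end-to-end encryption remedy above changes for an attacker who has reached the POS, as an added example that is not part of the original post and not any vendor's code: the scraper function models what RAM-scraping POS malware does (regex over process memory for track data, Luhn-filtered), and the same scrape is run against the memory of a legacy POS that sees cleartext and of a POS whose reader encrypts before handing data over. The keystream-plus-HMAC construction is a stand-in for the AES/DUKPT schemes real P2PE readers use, the reader key is assumed to be shared only with the processor, and the track data and message layout are constructed.

```python
import hashlib
import hmac
import os
import re

# Constructed track-2 data for the test PAN 4111111111111111.
TRACK2 = b";4111111111111111=25121011234567890?"
AUTH_PREFIX = b"AUTH-REQ|TID=0001|"
AUTH_SUFFIX = b"|AMT=1999"

# Pattern a POS memory scraper uses to pick track-2 data (PAN=expiry...) out of memory.
TRACK2_RE = re.compile(rb"(\d{13,19})=(\d{4})\d*")


def luhn_ok(pan: str) -> bool:
    """Scrapers Luhn-check candidate PANs to discard random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def scrape(memory: bytes) -> list:
    """What RAM-scraping POS malware does: regex the process memory, keep Luhn-valid PANs."""
    hits = [m.group(1).decode() for m in TRACK2_RE.finditer(memory)]
    return [pan for pan in hits if luhn_ok(pan)]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Stand-in cipher: SHA-256 in counter mode over key||nonce||counter (assumption, not AES).
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def reader_encrypt(track: bytes, reader_key: bytes) -> bytes:
    """Runs inside the card reader: encrypt-then-MAC under the reader key; layout nonce|ct|tag."""
    nonce = os.urandom(12)
    ct = bytes(a ^ b for a, b in zip(track, _keystream(reader_key, nonce, len(track))))
    tag = hmac.new(reader_key, nonce + ct, hashlib.sha256).digest()[:16]
    return nonce + ct + tag


def processor_decrypt(blob: bytes, reader_key: bytes) -> bytes:
    """Runs at the payment processor (in practice inside an HSM): verify tag, then decrypt."""
    nonce, ct, tag = blob[:12], blob[12:-16], blob[-16:]
    expected = hmac.new(reader_key, nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(expected, tag):
        raise ValueError("tampered blob or wrong key")
    return bytes(a ^ b for a, b in zip(ct, _keystream(reader_key, nonce, len(ct))))


def legacy_pos(track: bytes) -> bytes:
    """Legacy flow: the POS application receives cleartext track data and assembles the
    authorization request in its own memory, where malware can read it."""
    return AUTH_PREFIX + track + AUTH_SUFFIX


def p2pe_pos(track: bytes, reader_key: bytes) -> bytes:
    """P2PE flow: the reader encrypts before handing data to the POS application, which only
    ever holds ciphertext it has no key for."""
    return AUTH_PREFIX + reader_encrypt(track, reader_key) + AUTH_SUFFIX


def compare() -> dict:
    """Run the same scraper over both POS memories and confirm the processor still gets the data."""
    reader_key = os.urandom(32)
    legacy_mem = legacy_pos(TRACK2)
    p2pe_mem = p2pe_pos(TRACK2, reader_key)
    blob = p2pe_mem[len(AUTH_PREFIX):-len(AUTH_SUFFIX)]
    return {
        "legacy_scraped": scrape(legacy_mem),
        "p2pe_scraped": scrape(p2pe_mem),
        "processor_recovered": processor_decrypt(blob, reader_key),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name:>20}: {value!r}")
```

The point is where the key lives: the POS host has nothing worth stealing because it cannot decrypt what it forwards, and a blob altered in transit fails the tag check at the processor. Inventory, device tamper protection and key management at the reader become the things to audit instead of the POS operating system.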