Since late 2013 scarcely a month has passed without news of a major card data breach, most notably within the U.S.
These breaches ranged from the incredible Target hack in late November to mid-December 2013, to security issues at mom-and-pop stores across the States.
Hackers siphoned the credit and debit card details of 40 million Target customers between November 27 and December 19, 2013. Internet security expert Brian Krebs subsequently revealed that some 2 million of these cards were promptly sold on the black market with a median price of $26.85 per card: earning the perpetrators a cool $53.7m from the breach.
It was akin to the last great gold rush, occurring as it did just before the introduction of the EMV standard in October 2015. A host of other retail giants, including luxury goods retailer Neiman Marcus (January 2014); Albertson’s & SuperValu (August 2014); Home Depot and Kmart (both September 2014) and Staples (December 2014) have also been affected. It wasn’t just retail outlets that the hackers targeted, as JP Morgan Chase bank and the UPS postal service also fell to these kinds of attacks in 2014.
The trend continued into 2015: a major data breach at Walmart was followed by a curious run of hotel groups being hacked one after another, with the Starwood, Hilton and Hyatt organisations all affected on a global scale in late 2015.
The trend shows no sign of abating, even with the passing of a seminal moment in U.S. card payment industry history, October 1, 2015, a date that the hackers had earmarked. This was the date when the liability for any fraud perpetrated at the POS shifted from the card issuers to the likeliest weak link – the merchant.
Why was there a need for EMV in the US?
Mag-stripe technology has been in use for nearly 60 years. In the modern retail environment it is too vulnerable, easily copied, and easily manipulated. It is an easy target.
The U.S. was the last G20 member to transition to the more secure EMV chip-enabled cards and EMV card-accepting terminals. The total cost of this transition has been calculated at $6.8 billion for cards and terminals. EMV chip-enabled cards are a deterrent to hackers as they are simply harder to copy. But, is the EMV transition worth it? Well, when you consider that the annual cost of card fraud in the U.S. alone has been estimated at $8.6 billion per year and was tipped to top $10 billion in 2015 then perhaps it is. Time, as always, will tell.
The EMV fraud liability shift has become a further burden (even though not mandatory) on merchants and their acquirers, especially when added to the ever-present and ever-evolving PCI compliance pressures.
The EMV standard – set by the members of the EMVCo (the credit card schemes) is seen as the best method to prevent fraud at the POS. To be successful, however, it needs complete buy-in on the merchant and consumer side. There are reports of continuing teething problems but with mobile payments still in their infancy EMV needs to be embraced. It will not provide a panacea to all of the POS fraud ills but it is the best solution for today’s payment card industry.
Carolyn Balfany, MasterCard’s Senior VP and Group Head for U.S. Product Delivery, recently stated in a wide-ranging interview that EMV is not the silver bullet but is one element of a multi-faceted approach that needs to be adopted by the retail industry: “In a chip environment, the unique data is much more secure even if the transaction data is obtained, it is virtually worthless to fraudsters who attempt counterfeit fraud,” said Balfany. “There is no one silver bullet to securing the payments environment,” Balfany added. “It’s not all about one solution, but the continual investment in multiple layers of new technologies that keep all of us safer.”
What we can be more confident about, however, is that the introduction of the EMV standard will drive increased fraud activity online. It has occurred in every other jurisdiction that introduced EMV and will also occur in the U.S.
The Aite Group recently predicted that online, or card-not-present (CNP), fraud is set to almost double from $3.3 billion to $6.4 billion between 2015 and 2018. This is the curate’s egg of the fraud battle for the payment card industry – fighting fires at the POS only to watch as fraud ignites online.
Encryption: kryptonite to super-hackers
There are, however, some significant solutions available to merchants in their fight against all types of card fraud (especially welcome in the modern omnichannel environment). These solutions range from End-to-End Encryption and Point-to-Point encryption, to Tokenization.
The beauty of all these solutions is that merchants never have access to sensitive card data, and will no longer be coveted targets of hackers who will have to move to other sections of the payment chain, i.e. to the banks or the card payment processors:
1. End-to-end (E2E) encryption
According to Brian Krebs there is an easy fix to card fraud. In this Guardian.com op-ed he outlined what the U.S. needed to do to significantly reduce card-present (CP) and card-not-present (CNP) fraud: “The US is already embarrassingly far behind the rest of the world in its adoption [of EMV chip cards] and as every other country that long ago moved to chip-and-pin can attest, this approach alone shifts more of the fraud to e-commerce transactions, where merely knowing a card number and expiration date is enough to push through gobs of fraudulent shoe purchases. There is an easy fix: if Target or Walmart adopted end-to-end encryption, the incentive for fraudsters to target payment terminals at all would be effectively removed, instantly. The data gets encrypted, and hackers have to go somewhere else – the bank or a processor – for a shot at your information.”
End-to-end encryption does exactly what it says on the tin: sensitive card data is never revealed in the clear, because it is encrypted, using public-key encryption, at the point where it is captured. This process produces a pair of keys, public and private. The data stays encrypted during every step of the card payment process, and the transaction details are only visible to the owner of the private key. A common usage of E2E encryption is DUKPT, or Derived Unique Key Per Transaction. When DUKPT is used, a unique key is derived from a fixed base key for every transaction, so a key recovered from one transaction is of no use for any other.
2. Point-to-Point Encryption
A subset of E2E encryption is P2P, or Point-to-Point Encryption, a PCI-approved security method that uses encryption keys on the card entry unit itself. Using P2P with ICC (chip) cards means that the encrypted card details constantly change.
The encryption also remains through all ‘points’ of the payment process. P2P encryption is proving extremely popular among merchants and their acquirers as it significantly reduces their PCI scope, thereby not only removing the potential damage of fraud liability but also removing a regulatory compliance burden.
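The E2E and P2P sections above both rest on the same idea: the card entry device encrypts under a key that exists only for that one transaction, and only the acquirer or processor can rebuild it. The following is an added example, not code from the original article or from any vendor, of a simplified DUKPT-style scheme. Real DUKPT (ANSI X9.24) derives its keys with TDES or AES from a Base Derivation Key (BDK) and a Key Serial Number (KSN) that carries the device ID and a transaction counter; this version keeps that structure (BDK, KSN, counter, one-way derivation, host-side re-derivation) but uses HMAC-SHA256 as the derivation function and an HMAC-based keystream as the cipher so it runs with the Python standard library alone. The BDK, device ID and PAN are constructed sample values.

```python
"""Added example: simplified DUKPT-style per-transaction key scheme.
Not ANSI X9.24 DUKPT; HMAC-SHA256 stands in for the TDES/AES key schedule."""
import hashlib
import hmac
from dataclasses import dataclass

# Constructed sample values. The BDK lives only at the key-injection facility
# and the acquirer host; the device ID is burned into one hypothetical PIN pad.
BDK = bytes.fromhex("0123456789abcdeffedcba9876543210")
DEVICE_ID = bytes.fromhex("ffff9876543210")


def derive_ipek(bdk: bytes, device_id: bytes) -> bytes:
    """Initial PIN Encryption Key: the only key ever loaded into the device.
    The BDK itself never leaves the host."""
    return hmac.new(bdk, b"IPEK" + device_id, hashlib.sha256).digest()


def derive_txn_key(ipek: bytes, counter: int) -> bytes:
    """One-way derivation of the key for transaction number `counter`.
    Knowing this key reveals neither the IPEK nor any other transaction key."""
    return hmac.new(ipek, b"TXN" + counter.to_bytes(3, "big"), hashlib.sha256).digest()


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Counter-mode keystream from HMAC-SHA256; XOR is its own inverse, so the
    same function encrypts and decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, (offset // 32).to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


@dataclass
class PinPad:
    """The card entry device: holds the IPEK and a counter that never repeats.
    The counter travels in clear inside the KSN; the key does not travel at all."""
    ipek: bytes
    device_id: bytes
    counter: int = 0

    def encrypt_pan(self, pan: str):
        self.counter += 1  # fresh key for every transaction
        ksn = self.device_id + self.counter.to_bytes(3, "big")
        key = derive_txn_key(self.ipek, self.counter)
        return ksn, keystream_xor(key, pan.encode())  # key is discarded here


def host_decrypt(bdk: bytes, ksn: bytes, ciphertext: bytes) -> str:
    """Acquirer/processor side: rebuild the transaction key from BDK + KSN only.
    The merchant, sitting between device and host, never holds any key."""
    device_id, counter = ksn[:-3], int.from_bytes(ksn[-3:], "big")
    key = derive_txn_key(derive_ipek(bdk, device_id), counter)
    return keystream_xor(key, ciphertext).decode(errors="replace")


def demo() -> dict:
    """Encrypt the same constructed PAN twice and check the properties
    the article attributes to E2E/P2P encryption."""
    pad = PinPad(ipek=derive_ipek(BDK, DEVICE_ID), device_id=DEVICE_ID)
    pan = "4111111111111111"  # constructed test PAN
    ksn1, ct1 = pad.encrypt_pan(pan)
    ksn2, ct2 = pad.encrypt_pan(pan)
    return {
        "ciphertexts_differ": ct1 != ct2,            # same PAN, different key
        "host_recovers_1": host_decrypt(BDK, ksn1, ct1) == pan,
        "host_recovers_2": host_decrypt(BDK, ksn2, ct2) == pan,
        "wrong_ksn_fails": host_decrypt(BDK, ksn1, ct2) != pan,
        "pan_in_clear_on_wire": pan.encode() in (ct1, ct2),
    }


if __name__ == "__main__":
    print(demo())
```

The point to take from the run is the division of knowledge: the device holds an IPEK and a counter, the host holds the BDK, and the merchant's network sees only a KSN and ciphertext. Compromising the merchant yields nothing reusable, which is exactly why these schemes shrink PCI scope.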
3. Tokenization
Tokens are made to be worthless. When removed from their specific, one-time payment environment the tokens are pointless. Effectively, hackers are trying to steal thin air. Typically the tokens are created at the initiation of a transaction.
Tokenization is popular for mobile commerce solutions. The mobile device (e.g. an iPhone 6S) creates a one-time, transaction and device-specific token. This token is used solely for the purpose at that time, for that specific transaction, and on that particular device. If this token is compromised it is of no use to someone who is not making that specific transaction, at that time, and from that specific mobile device. Just like P2P encryption, tokenization is gaining rapidly in popularity as a means of reducing PCI scope for merchants.
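To make the one-time, device-bound token concrete, here is an added example (not code from the original article or from any token service provider) of a minimal token vault. The token is random, so it carries no information about the PAN; it is bound to one device and one amount, expires, and can be redeemed once. The class names, the in-memory vault, the sample PAN and the device identifiers are all constructed for illustration.

```python
"""Added example: a minimal tokenization service with one-time, device-bound
tokens. In production the vault sits inside the token service provider's
PCI-scoped environment; merchants and devices only ever handle tokens."""
import secrets
import time
from typing import Dict, Optional


class TokenVault:
    def __init__(self, ttl_seconds: int = 300):
        self._vault: Dict[str, dict] = {}  # token -> binding record
        self.ttl = ttl_seconds

    def issue(self, pan: str, device_id: str, amount_cents: int,
              now: Optional[float] = None) -> str:
        """Create a token at transaction initiation. The PAN is not an input to
        the token value, so nothing about the card can be derived from it."""
        token = secrets.token_urlsafe(16)  # 128 bits from the OS CSPRNG
        self._vault[token] = {
            "pan": pan,
            "device_id": device_id,
            "amount": amount_cents,
            "issued_at": now if now is not None else time.time(),
            "used": False,
        }
        return token

    def redeem(self, token: str, device_id: str, amount_cents: int,
               now: Optional[float] = None) -> Optional[str]:
        """Return the PAN only when every binding matches and the token is
        fresh and unused. A captured token replayed later, from another
        device, or for another amount yields nothing."""
        rec = self._vault.get(token)
        if rec is None:
            return None
        clock = now if now is not None else time.time()
        if rec["used"] or clock - rec["issued_at"] > self.ttl:
            return None
        if rec["device_id"] != device_id or rec["amount"] != amount_cents:
            return None  # mismatch is rejected but does not burn the token
        rec["used"] = True  # one-time use: burned on successful redemption
        return rec["pan"]


def demo() -> dict:
    """Walk through the article's claims with a constructed clock and PAN."""
    vault = TokenVault(ttl_seconds=300)
    t0 = 1_700_000_000.0  # fixed clock so the run is deterministic
    pan, phone = "4111111111111111", "iphone-6s-abc123"  # constructed values
    tok = vault.issue(pan, phone, 4999, now=t0)
    results = {
        "token_reveals_nothing": pan not in tok,
        "other_device_rejected": vault.redeem(tok, "laptop-xyz", 4999, now=t0 + 1) is None,
        "other_amount_rejected": vault.redeem(tok, phone, 9999, now=t0 + 1) is None,
        "genuine_redeems": vault.redeem(tok, phone, 4999, now=t0 + 1) == pan,
        "replay_rejected": vault.redeem(tok, phone, 4999, now=t0 + 2) is None,
        "unknown_token_rejected": vault.redeem("not-a-token", phone, 4999, now=t0) is None,
    }
    stale = vault.issue(pan, phone, 100, now=t0)
    results["expired_rejected"] = vault.redeem(stale, phone, 100, now=t0 + 301) is None
    return results


if __name__ == "__main__":
    print(demo())
```

The vault is the only place the PAN exists, which is why tokenization moves PCI scope away from the merchant and onto the token service provider. A mismatched presentation is rejected without burning the token, so an attacker who has merely seen a token in transit cannot use it to block the legitimate transaction.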
Loyalty lasts just as long as security does
Why does it all matter? Won’t there always be insurance for hacked credit card data, so why do retailers have to worry about data breaches anyway? Well, data breaches are the bane of any retailer’s life as they instantly ruin years of groundwork building trust and loyalty with consumers.
According to a December 2015 Gemalto report titled ‘Broken Trust: ’Tis the Season to Be Wary’ – which surveyed customers in Australia, Brazil, France, Germany, Japan, the U.K., and the U.S. – a data breach is very likely to end as many as half of their customer relationships.
The report states that “nearly two-thirds (64%) of consumers surveyed worldwide say they are unlikely to shop or do business again with a company that had experienced a breach where financial information was stolen, and almost half (49%) had the same opinion when it came to data breaches where personal information was stolen, according to a global survey from digital security provider.”
Unfortunately, data breaches have become all too common. But for merchants and their acquirers the security of a customer’s sensitive card details should never be risked. One breach will more than likely result in the merchant losing a customer for life.
The key for merchants and their acquirers in the encryption environment of today’s transactions is harnessing the security and key management aspects of the system. Transactions will need to be logged and the data collected will need to be stored for later processing and analysis.
The adoption of encryption and/or tokenization methods provides obvious security benefits, but also enables merchants to build trust with existing customers and attract new revenue via robust security processes.
Fexco Transaction Services provides a secure EMV and PCI DSS compliant transaction infrastructure incorporating the latest technology in security and data protection, reducing the cost of compliance for merchants and acquirers alike.