MRCVegas16, the Merchant Risk Council’s (MRC) annual conference, is in full swing in Las Vegas. It’s considered to be one of the largest global events focused on payment and financial service innovation for connected commerce – mobile, retail, marketing services, data and technology – and on strategies to reduce fraud and optimize payments. Industry experts from eBay to VISA to the PCI Security Standards Council (SSC) will be presenting educational and commercial sessions for ecommerce payment and fraud professionals – and we are very pleased to also have our own Chief Innovation Officer, Ruston Miles, presenting on EMV, Point-to-Point Encryption (P2PE) and Tokenization, alongside Rick Ricker, VP of Business Development for Enterprise Payment Solutions for 3Delta Systems (3DSI), Bluefin’s P2PE partner.
The session, Paying for the Ripple Effects of EMV and the Future of Payment Card Security, on Thursday the 10th at 9:30 am, overviews the state of EMV adoption since the October 2015 deadline, what EMV does and does not do from a security and authentication standpoint, and the roles of Tokenization and P2PE in a holistic security approach.
Here’s a sneak peek of tomorrow’s presentation.
The State of EMV in the United States
In October 2015, EMV came to its full fruition when the deadline for adoption hit and the liability for fraudulent card use at the point of sale shifted from banks to merchants.
The deadline has passed and the response from merchants has been less than stellar. As of February 2016, only an estimated 37% of U.S. merchants were reported to be EMV ready, and experts are predicting that widespread adoption in the U.S. – 2 out of 3 U.S. terminals using EMV – won’t occur until 2020.
There are several reasons for slow EMV adoption. There were timing issues, with merchants not wanting to mess with EMV migration during the peak holiday spending season, and a fear that consumers wouldn’t stand for the longer checkout lines as cashiers worked out the kinks in the new EMV transaction process.
Chip and Signature Does Not Equal Chip and PIN
There has been some confusion around EMV regarding its implementation as Chip and Signature in the U.S., compared to Chip and PIN in the rest of the world. This confusion has created concerns regarding the security of the entire process – particularly among retailers. Whereas Chip and PIN creates an authentication process in which only the cardholder knows the actual PIN, Chip and Signature cards are much easier for criminals to steal and use. If the card is stolen out of your wallet, home or anywhere else, it can be used at a retailer – unless the retailer asks for identification to check your signature and name.
“There are two indisputable facts,” Conexxus Executive Director Gray Taylor recently wrote. “According to the Federal Reserve Bank, signature transactions have a 400 percent greater fraud risk than PINs, and consumers know that PINs are far more secure than signatures.”
Putting the EMV migration process in place will help curb face-to-face (card present) fraud, but the threat of card data theft is still very real for merchants who accept payments online or through a call center, where the card is not present for the actual transaction. A big reason for this is that the card data is not necessarily encrypted in the merchant system, which means it can still be stolen (through malware) and then used to purchase online.
EMV and CNP Fraud Migration
Cyber criminals know that when one door closes, another one opens. So it should be no surprise to see fraud shifting from card present to card-not-present (CNP) payment transactions. Even in the UK, where Chip and PIN was implemented in 2005, CNP fraud spiked 79% and continues at an alarming rate – in fact, 5-year rates for card-not-present fraud rose by 100% in the UK, 233% in Canada, and more than 360% in France after EMV adoption.
A recent post in the UK’s Mirror shows that the war on cyber fraud has continued since EMV implementation in the UK, and experts admit that this war is currently being lost.
“We can point to lots of achievements around understanding the threats much better, about taking steps to mitigate those threats, addressing the national skills base and so on but, nationally, we are not winning the fight on cyber security. I think we would be losing a lot more if we hadn’t done all the things we’ve done over the past five years.”
While the current U.S. ecommerce fraud rate is 0.8%, only 40% of merchants have actually implemented EMV in the U.S., so by 2018, Aite Group expects CNP fraud losses in the U.S. to reach $6.4B, more than three times the $2.1B in losses reported in 2011.
The Burning Question – EMV and Data Breaches
By now we have all heard about the large merchant data breaches – Target, Home Depot, most recently Wendy’s – and know that they are the result of malware. Malware is malicious software that infiltrates the merchant’s POS system, locates clear-text card data that is stored or in transit, and then sends that card data to remote servers where the thieves access it and then sell it on the black market.
Many merchants and payment experts alike had the mindset that once EMV was implemented, their networks would be protected from fraud at the payment terminal, but this is a big misconception. While EMV authenticates the card and the users, it does not encrypt card data. Even with EMV in place, criminals are still able to hack into a point of sale system, install malware, and steal card data.
The Payment Security Triumvirate
Paying for the Ripple Effects of EMV and the Future of Payment Card Security will focus on the security technologies that work together with EMV to reduce fraud and losses – both at the POS and online: PCI-validated Point-to-Point Encryption (P2PE) and Tokenization. Together, these technologies provide a holistic payment security solution for merchants in every industry – whether retail, education, or healthcare.
- P2PE, an extensive set of encryption requirements defined by the PCI Security Standards Council (SSC), ensures credit card information is encrypted at the Point of Interaction (POI) so that it cannot be read or decrypted at any point within the merchant’s network. The SSC recommends that merchants use a PCI-validated P2PE solution to ensure strict controls, device security and chain of custody – all key factors that minimize PCI scope and protect the cardholder and the merchant.
- Tokenization is a security best practice for all merchants that replaces card data in a transaction with a random character string, or “token”. Tokenization enables merchants to safely “store” cardholder data (at rest) for use in future transactions, and like P2PE, effectively renders the card data useless to hackers.
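To make the tokenization bullet concrete, here is a small added example of a token vault; it is illustration code written for this post, not Bluefin’s, 3DSI’s or any real tokenization service’s implementation, and every name in it (`tokenize`, `detokenize`, `luhn_valid`, the `_VAULT` dictionary) is an assumption. The point it shows is the one the bullet makes: the token the merchant keeps is random, carries no relationship to the PAN beyond the last four digits kept for receipts, and is deliberately constructed so it can never pass as a live card number, so a copy of the merchant’s database yields nothing a thief can charge.

```python
import secrets

# Constructed token vault for illustration only (assumption: a real vault lives
# inside the tokenization provider's hardened environment, never in merchant systems).
_VAULT: dict[str, str] = {}  # token -> PAN


def luhn_valid(pan: str) -> bool:
    """Return True if a digit string passes the Luhn check used by card numbers."""
    if not pan.isdigit() or len(pan) < 12:
        return False
    digits = [int(c) for c in pan]
    parity = len(digits) % 2
    total = 0
    for i, d in enumerate(digits):
        if i % 2 == parity:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def tokenize(pan: str) -> str:
    """Replace a PAN with a random token that keeps only the last four digits.

    The token is drawn from a CSPRNG, so it cannot be reversed or predicted, and it
    is regenerated until it FAILS the Luhn check so that a leaked token can never be
    mistaken for (or used as) a real card number.
    """
    if not luhn_valid(pan):
        raise ValueError("input does not look like a valid PAN")
    last4 = pan[-4:]
    while True:
        body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
        token = body + last4
        if not luhn_valid(token) and token not in _VAULT:
            _VAULT[token] = pan
            return token


def detokenize(token: str) -> str:
    """Look up the PAN for a token; raises KeyError for anything not issued by this vault."""
    return _VAULT[token]


def vault_size() -> int:
    """Number of tokens currently held (useful for demonstrating that nothing leaks)."""
    return len(_VAULT)


if __name__ == "__main__":
    # Constructed test PAN (a well-known Luhn-valid sample number, not a live card).
    sample_pan = "4111111111111111"
    tok = tokenize(sample_pan)
    print("stored by merchant:", tok, "| passes Luhn?", luhn_valid(tok))
    print("recovered inside the vault:", detokenize(tok) == sample_pan)
```

In practice the merchant only ever sees the output of `tokenize`, and `detokenize` runs inside the provider’s environment at authorization time; the constructed `_VAULT` dictionary stands in for that boundary. Rejecting Luhn-valid tokens is a common design choice because it lets downstream systems tell tokens and real PANs apart at a glance.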
These three technologies are the future of payment security. If you are attending MRCVegas16, we hope you will join us on Thursday the 10th at 9 am to learn more.