August 19, 2016
Crashing Waves: Security Breaches, Fraud Detection and What’s Next for CNP – Part III
CardNotPresent.com presents a three-part series stemming from a conversation with industry executives about the recent spate of massive security breaches that have exposed the payment-card information of more than 40 million U.S. consumers. The breach did not occur in a vacuum—there were warning signs. And, the story is not over. While news from Target, Neiman Marcus and Michael’s is devastating, the next 18 months could be worse. And, beyond that are even more waves that will rock the CNP industry. Part III of the series looks at the post-EMV landscape in the U.S. The POS may be protected, but the storm in CNP has just begun.
Part III – The Next Wave
By D.J. Murphy, Editor-in-Chief, CardNotPresent.com
The spate of recent security breaches—in addition to creating headlines no business wants to deal with—has been an unmitigated disaster for retailers, card issuers and service providers up and down the payments value chain. Just about every one of them can point to real financial impact from the events that began unfolding in the last year and continue to threaten them into 2014.
Under the network mandates, after the liability shift for EMV comes along in October, 2015, the hope is news of this sort will slow down and the pressure on many of those companies will ease somewhat. But, for merchants that accept card-not-present payments and the companies that support them, the forecast could be not only continued unsettled conditions, but a full-on storm to rival what the industry at large just went through.
In Part II of this series we looked at the next 18 months and the prospect that the security breaches of recent months could become even more frequent as fraudsters race to gather information at the POS before the EMV standard becomes prevalent in the U.S. But, then what?
“[Fraudsters are] not going to say, ‘hey, we had a good run guys, but it’s over,’” says Rich Stuppy, vice president of operations for Boise, Idaho-based antifraud technology provider Kount. “We see it in every country that EMV is rolled out in. E-commerce fraud explodes. And it stays that way for several years until people get their house in order.”
EMV combined with the glut of personally identifiable information (PII) that has flooded the market in the months since breach activity ratcheted up spells only trouble for the CNP industry. And, as the aftermath of the Target breach has shown, government is eager to have its say, too. In the long term, card-not-present merchants must prepare for a permanently altered risk and regulatory landscape.
Tide Turning for EMV
In the months following the card networks’ announcements of their EMV road maps, a narrative emerged that most merchants simply would not be ready for the liability shift. Deadlines were being missed and incentives were not there to make the costly investment in upgrading their POS systems. Momentum seemed to be building to delay implementation of the EMV standard.
Target changed that.
Whether it would have helped in this specific case or not (and both positions have been argued), the narrative shifted significantly towards the U.S. being the last EMV holdout and that consumers’ personally identifiable information will be at risk until the migration is completed. This heavily, publicly and loudly echoed sentiment got the attention of Congress, which has already held hearings, and probably played a role in Target’s announcement accelerating its EMV plans.
“Up until the breaches started to happen, I think there was a good chance [the EMV liability shift] was going to get pushed out,” says Stuppy. “I don’t think it’s getting pushed out.”
So EMV is on track. The liability shift is coming on schedule and merchants and service providers have to prepare. E- and m-commerce merchants will need to be especially vigilant, but Stuppy says service providers will be on the hook with the government, along with everyone else, as stories of voters being defrauded make it to Washington in greater volume.
“These problems are not going to go unnoticed,” he says. “Already, people are testifying in front of the Senate about the harm that can come to consumers through various aspects of the payment system. When the OCC, the Fed, the FDIC, the CFPB—the alphabet soup of regulators—starts to get their hooks into this? The entire payment processing ecosystem is going to come under extreme scrutiny including payment processors and acquirers. They’re a choke point and they’re associated with the big banks. The regulators are waiting to pounce as soon as they hear the stories of consumers being defrauded.”
Partnerships and the New Face of Risk
With the entire payments industry at heightened risk not only from breaches, but from the regulatory fallout that inevitably follows, merchants and financial institutions—factions that have been skirmishing over payments for years—have already begun working together to address security, including the coming surge in card-not-present fraud.
Just last week, the Financial Services Roundtable and the Retail Industry Leaders Association (RILA) announced the formation of a new partnership of national trade associations representing both sides formed specifically to combat these issues.
“The partnership in its founding recognized we have big challenges in cybersecurity and we recognize that the best way to solve many of those is to work together,” says Brian Dodge, senior vice president of communications and state affairs for RILA. “The interconnectedness of the ecosystem is such that solutions need to translate throughout all the players. Card-not-present is a major hole we need to address. The solutions there now are imperfect.”
Imperfect or not, with the next wave of fraud bearing down on them, players in the card-not-present payments industry can’t operate in the usual manner, says Kount’s Stuppy.
“The traditional methods of risk control will no longer be viable,” he says. “Now it’s about real-time data analysis across multiple channels. If you don’t have that, you are a sitting duck as a merchant, you’re a sitting duck as a processor.”
Dr. Paulo Marques, chief technology officer of antifraud technology provider Feedzai, agrees and says the company’s experience in countries that have already migrated to EMV confirms Stuppy’s assessment.
“This is where having a global experience and view of the business is key,” Marques says. “Our clients realize that locking down only one channel leaves the other exposed. This is especially true as commerce shifts to omnichannel to include new ways of buying—from mobile in-aisle checkout to tablet-enabled couch commerce—merchants need to have a 360 degree view of their business.”
The card-not-present industry has arrived at a time of great change that, through unprecedented circumstances, could be far more tempestuous than the normal evolution of the payments business. A technological shift has enabled commerce and payment with a wider variety of devices than ever—not only smartphones and tablets, but a trend toward wearable tech seems to be accelerating as well. A move toward implementation of the EMV standard, which U.S. merchants and service providers have been struggling against for years, is changing the rules for security, acting as a catalyst for cybercriminals and funneling fraud efforts toward card-not-present channels. And, a new security threat has emerged in the last year that puts the PII of hundreds of millions of consumers at risk as the industry struggles with several huge breaches and perhaps many more that have not yet been discovered or disclosed.
The confluence of these events will reshape payments in general and card-not-present payments in particular, says Stuppy. Hopefully, in the end, for the better.
“There’s more than a handful of things coming together,” he says. “You’ve got all sorts of techniques and technology happening that make commerce easier. But it’s going to be tough for all the players in the ecosystem. They’re going to have to deal with some pretty unpleasant things in the short term. It’s all part of the journey to make things better, but along the way it’s going to change for many of us the way we look at and manage risk.”
We hope you found “Crashing Waves: Security Breaches, Fraud Detection and What’s Next for CNP,” our three-part examination of the prelude and the aftermath of December’s large security breaches, informative. Part I and Part II are available here.