September 1, 2016
By Sam Pfanstiel, Director, Solution Architecture, Coalfire
EMV cards have been trumpeted as a means of mitigating risk in card-present transactions for retailers. But for card-not-present merchants, the trouble is just beginning.
When it comes to chip-card technology, the U.S. is a late adopter. Whether this delay has been primarily due to the disparity of processing environments, politics among banks and processors, or any number of other distractions, is a conversation for another day. Irrespective of the reason, the U.S. can still benefit from lessons learned by the others that came before. The good news—for retailers and customers alike—is that more mature EMV markets have seen a reduction in card-present fraud. The bad news is that in each of those regions there has been an increase in fraud across almost all other payment channels.
The dramatic rise in card-not-present (CNP) fraud following EMV implementation—some markets experienced upward of 300 percent growth—is staggering. The situation in the U.S. is particularly dire. The U.S. alone accounts for almost 50 percent of global fraud but only about 21 percent of global payments transactions. Issuers in the U.S. lost nearly $4 billion last year to counterfeit transactions, according to The Nilson Report.
To combat the rise in CNP fraud, we must engage on two battlefronts: keeping card data from falling into the wrong hands, while also enacting controls in the CNP transaction that detect and prevent fraudulent transactions.
To effectively fight continued loss of card data, we must understand that, while EMV decreases the risk of fraudulent transactions in stores, it does not prevent criminals from stealing card details and using them online. Unless the transaction is encrypted at the terminal, the very account data a hacker needs to conduct a MOTO or e-commerce transaction is visible in the clear within the chip-card transaction: primary account number (PAN), expiration date and cardholder name. The chip cryptogram that makes the in-store transaction hard to counterfeit is tied to that single transaction and does nothing to protect these static fields once they are captured.
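To make the point concrete, the following added example (not code from the original article) decodes a constructed, clear-text EMV data-object message of the kind a terminal passes to the POS: Track 2 Equivalent Data (tag 57), Cardholder Name (tag 5F20) and the Application Cryptogram (tag 9F26). The sample message and the account number 4111 1111 1111 1111 are constructed for illustration; everything a CNP fraudster needs falls out of the first two tags, while the cryptogram is transaction-specific and the card security code is not present on the chip at all.

```python
"""Decode the cardholder fields exposed by a clear-text EMV chip transaction.

Added example, not from the original article. The TLV message below is
constructed for illustration; 4111 1111 1111 1111 is a well-known test PAN.
"""

# Constructed sample: a minimal subset of the EMV data objects exchanged
# between terminal and POS/host, encoded as BER-TLV (tag, length, value).
#   57   Track 2 Equivalent Data: PAN 'D' expiry(YYMM) service-code discretionary, F-padded
#   5F20 Cardholder Name (ASCII)
#   9F26 Application Cryptogram (per-transaction MAC computed by the chip)
SAMPLE_TLV = bytes.fromhex(
    "57" "12" "4111111111111111D251210100000000000F"
    + "5F20" + "0D" + "SAMPLE/JANE A".encode("ascii").hex()
    + "9F26" "08" "A1B2C3D4E5F60718"
)


def parse_tlv(data: bytes) -> dict[str, bytes]:
    """Parse a flat BER-TLV byte string into {tag_hex: value}."""
    out, i = {}, 0
    while i < len(data):
        # Tag: one byte, unless its low five bits are all set, in which case
        # further tag bytes follow while their high bit is set (EMV Book 3, Annex B).
        start = i
        i += 1
        if data[start] & 0x1F == 0x1F:
            while data[i] & 0x80:
                i += 1
            i += 1
        tag = data[start:i].hex().upper()
        # Length: short form (< 0x80) or long form (0x8n followed by n length bytes).
        length = data[i]
        i += 1
        if length & 0x80:
            n = length & 0x7F
            length = int.from_bytes(data[i:i + n], "big")
            i += n
        out[tag] = data[i:i + length]
        i += length
    return out


def decode_track2(value: bytes) -> dict[str, str]:
    """Split Track 2 Equivalent Data into PAN, expiry (YYMM) and service code."""
    nibbles = value.hex().upper().rstrip("F")      # drop the odd-length pad nibble
    pan, _, rest = nibbles.partition("D")          # 'D' separates PAN from the rest
    return {"pan": pan, "expiry": rest[:4], "service_code": rest[4:7]}


def luhn_ok(pan: str) -> bool:
    """Luhn check digit validation, as a fraudster's tooling would apply it."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def harvest_cnp_fields(tlv_bytes: bytes) -> dict[str, object]:
    """Return what a memory scraper would harvest for card-not-present reuse."""
    tlv = parse_tlv(tlv_bytes)
    t2 = decode_track2(tlv["57"])
    return {
        "pan": t2["pan"],
        "pan_luhn_valid": luhn_ok(t2["pan"]),
        "expiry_yymm": t2["expiry"],
        "cardholder_name": tlv["5F20"].decode("ascii").strip(),
        # The card security code (CVV2/CVC2) is printed on the card only and is
        # never part of chip data, so it is absent from this message.
        "security_code": None,
        # The cryptogram is present but is a one-time value for this transaction;
        # it cannot be replayed in an e-commerce purchase.
        "cryptogram_present": "9F26" in tlv,
    }


if __name__ == "__main__":
    fields = harvest_cnp_fields(SAMPLE_TLV)
    masked = fields["pan"][:6] + "*" * 6 + fields["pan"][-4:]
    print(f"PAN {masked} exp {fields['expiry_yymm']} name {fields['cardholder_name']!r}")
    print(f"security code on chip: {fields['security_code']}, cryptogram: {fields['cryptogram_present']}")
```

Run it as a script and the masked PAN, expiry and name print directly from the unencrypted message; this is exactly the data set a P2PE terminal keeps out of the merchant environment, and the absence of the security code is why CNP merchants should insist on security code verification rather than treating PAN and expiry alone as proof of possession.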
Standards compliance is not enough. The PCI Data Security Standard (PCI DSS) is written to provide flexibility for all merchants, including those with the legitimate business need to access or store card data. For most merchants, however, it is much better to never have access to card data at all. As hackers become more creative and aggressive in finding ways to access this data, merchants must become more circumspect in how they define their business requirements pertaining to cardholder data access and retention, and take on a more aggressive stance in how they manage security and reduce risk. Even if all compliance standards are met down to the letter, retailers should still go above and beyond to protect this data through enhanced security, or even eliminate the data itself wherever possible.
One of the ways retailers can go beyond the standard to help protect customers’ card data—especially when it’s being held for recurring purchases—is tokenization, the process of replacing sensitive data with a substitute value provided by the merchant’s acquirer or other processor. Even if the retailer’s database is breached, the stolen tokens are useless to the attacker: a token is bound to the merchant that received it and carries no value outside that merchant’s relationship with its token provider.
Tokenization becomes even stronger when coupled with point-to-point encryption (P2PE). Through P2PE, data is immediately encrypted at the point of entry by a secure hardware terminal, and is not decrypted until received by the bank or other upstream service provider. This protects against malware that seeks to “sniff” or capture sensitive data from the POS or the merchant network. And, because only the P2PE service provider holds the decryption keys (and thus the ability to access the sensitive data), neither social engineering nor a compromised administrator in the merchant environment yields usable card data. Even targeted attackers tend to move on when faced with P2PE: with properly managed keys there is no practical way to recover the account data from the ciphertext, so the attacker’s only remaining path is the service provider’s decryption environment, which is outside the merchant’s network.
Card-not-present channels like mobile and e-commerce also offer unique and innovative ways to reduce exposure risk to merchants. Check with your gateway provider or processor on the availability of mobile software development kits (SDKs) that may be more secure, or offer mobile data tokenization. Similarly, e-commerce merchants can implement new payment widgets or customizable payment page tools that preserve or even enhance user experience, offload the capture of card data and eliminate transmission of sensitive data through the merchant environment. There are many alternatives available, and your options will generally depend on your provider. Remember to also check with your QSA or acquirer to determine how these tools impact your PCI compliance assessment.
All of these methods amount to removing card data from the merchant environment or devaluing what remains. And while no single approach is a panacea, each is a substantial step forward in security and risk mitigation.
Remember, credit card fraud takes on many forms, and not all are conducted by cyber criminals hacking into databases. Other measures must be taken to secure the transaction process itself to prevent this data from being misused. EMV was adopted to authenticate the physical card during card-present transactions, using a cryptogram the chip generates for each transaction; no equivalent proof of card possession has been developed for online or mobile transactions.
Well-informed card-not-present merchants are aware of these trends and now acknowledge that attempted fraud using card data harvested from chip-card transactions will most certainly increase. Industry-proven anti-fraud measures such as 3-D Secure, security code verification, and address verification are effective ways to respond to fraud attempts. But just as EMV implementation is not a cure-all for security in card payments, the CNP community cannot be merely reactive to fraud; it must be proactive in order to break the compromise/countermeasure cycle. That can only be achieved through an all-encompassing security approach.
As with any good business decision, information should drive action. Security concerns are ever-changing and it is necessary that decision-makers re-evaluate their need for clear-text card data within their environment, and know their technology and security partners.
After all, security as a whole is no check-the-box exercise, just as the latest security advances (see EMV) are no wholesale solution to risk.
Sam Pfanstiel has two decades of information technology management, e-commerce and mobile payments, and security experience. As the Director of Solution Architecture at Coalfire, he is responsible for translating requirements created by IT risk and compliance mandates into business-centric cyber solutions strategies. Pfanstiel is a member of the PCI Best Practices for Safe E-Commerce working group and is working toward completing his Ph.D. dissertation on PCI compliance costs.