Category: Credit Card Security
April 20th, 2015 by Elma Jane
With each year comes a new set of security risks businesses need to be aware of. The threats that have seen the most growth over the last year include point-of sale (POS) malware, malware traffic within secure and encrypted HTTPS websites and attacks on computer systems designed to control remote equipment.
Everyone knows the threats are real and the consequences are dire, so we can no longer blame lack of awareness for the attacks that succeed. Hacks and attacks continue to occur, not because companies aren’t taking security measures, but because they aren’t taking the right ones.
The large number of highly publicized POS breaches last year has heighted the need to make sure that businesses that use these devices are properly protecting them.
Malware targeting point-of-sale systems is evolving drastically, and new trends like memory scraping and the use of encryption to avoid detection from firewalls are on the rise. To guard against the rising tide of breaches, retailers should implement more stringent training and firewall policies, as well as reexamine their data policies with partners and suppliers.
For many years, businesses thought using a secure HTTPS Web connection protected them from a security breach. That no longer appears to be the case. While the increased number of businesses moving to a more secure Web protocol is a positive trend, hackers have identified ways to exploit HTTPS as a means to hide malicious code. Since the malware transmitted over HTTPS is encrypted, traditional firewalls fail to detect it.
Just as encryption can protect sensitive financial or personal information on the Web, it unfortunately can also be used by hackers to protect malware. One way organizations mitigate this risk is through SSL-based Web-browser restrictions, with exceptions for commonly used business applications to avoid slowing company productivity.
Several identified trends and predictions for the coming year, including the following:
Android will remain a main target for hackers. More sophisticated techniques will be developed to hinder Android malware researchers and users by making the malware hard to identify and research.
As wearable technology becomes more prevalent, expect to see malware start to target these devices.
Digital currencies, including Bitcoin, will continue to be targeted.
More organizations will enforce security policies that include two-factor authentication, which will likely increase the number of attacks on these technologies.
Posted in Best Practices for Merchants, Credit Card Security, Mobile Point of Sale, Payment Card Industry PCI Security, Point of Sale Tagged with: (POS) malware, Android, bitcoin, Digital currencies, point of sale, POS breaches, security breach, SSL-based Web-browser
April 13th, 2015 by Elma Jane
With only six months to go before the EMV chip-card liability shift takes effect, many U.S. merchants are not yet aware of the EMV migration.
When the Oct. 1 liability shift takes hold, merchants not accepting the new chip-card technology will become liable for any losses resulting from payment card fraud at the point of sale. Some merchants have stated that they would rather trust their existing security measures than pay for the upgrade to EMV, but others still need to educate themselves on the benefits and drawbacks of EMV – and it’s not even clear how many are out of the loop.
The challenge is that no one really knows about the level of EMV readiness because there is no single, common way to reach all of the merchants of all different levels and sizes at the same time.
Instead, various organizations are picking bits and pieces of the market they can reach and do everything they can to inform and help merchants to determine if they are moving toward chip-based technology or not.
EMV cards improve security at the point of sale by including technology that makes them resistant to counterfeiting. They can also be used with a PIN to address stolen card fraud. Though the card networks set an October deadline for conversion to EMV technology, it is not a mandate; companies will still be able to handle credit card transactions even if they do not have EMV technology in place.
And even the merchants that have the right technology installed may not be using it properly. During the EMV preparedness process, it has become apparent that installed EMV terminals had not been turned on or otherwise were not fully capable of accepting EMV transactions.
The confusion extends to the banks as well. Not all issuers will be ready for EMV, and some have outright stated that they do not think it will be possible to meet this year’s deadline.
In a move designed to get more small-business merchants on board with EMV, Visa Inc. introduced a 20-city small business chip education tour last month.
The real measurement of the implementation will be in transaction volumes, or actual chip-on-chip transactions.
Even though the liability shift is just six months away, still really early to make a determination on all of this.
Posted in Best Practices for Merchants, Credit Card Security, EMV EuroPay MasterCard Visa, Point of Sale, Visa MasterCard American Express Tagged with: card, chip card, EMV, emv cards, EMV terminals, EMV transactions, fraud, Merchant's, payment, point of sale, visa
February 27th, 2015 by Elma Jane
Here are the Frequently Asked Questions:
You’re probably finding yourself staring at your old credit card machine and worrying about the cost of buying a new machine. The transition doesn’t have to be an expensive one, but it pays to be educated as you consider this important upgrade.
Things you need to know in the form of a brief FAQ.
Where To Buy an EMV Credit Card Terminal?
All the same places you can buy or rent a non-EMV terminal, for the most part. The vast majority of the time supported EMV machines can be reprogrammed just like their non-EMV predecessors. While credit card terminal tampering has occurred in the past, it is not common and is even less easily achieved with new EMV terminals.Terminals have built-in anti-tampering features to prevent this. Your provider is free to either charge a reprograming fee, or simply refuse to reprogram outside machines. While they can reprogram, there’s no law saying that they have to.
Is It A Must to Have an EMV-Compliant Machine?
NO BUT THERE IS RISK. NFC (Near Field Communication) is the technology used by digital wallets for contactless payments. NFC EMV terminals can be considerably more expensive than standard EMV terminals. You can buy a separate NFC reader without replacing your existing EMV terminal.
Does an EMV Chip Card Reader Cost Much?
NOT VERY MUCH! These terminals are really not more expensive that the old terminals. You can find them as cheap, especially if it’s refurbished. There’s no reason to sign on to an expensive non-cancellable lease. If you’d rather rent than own, at least look for inexpensive rental options. If you want a wireless terminal or an NFC-capable terminal, the prices will be a little bit higher. But for baseline EMV-compatible chip card readers, it’s a pretty minor investment even for a very small business.
Does EMV Terminal Upgrade Really Needed?
Technically? No, but it would be like buying a new computer and not getting a virus protection program. Worse because you have financial data on. Your CUSTOMER! Practically? You should!
If you stick with your old non-chip credit card terminal, you will still be able to run transactions. All chip cards are also equipped with the same magnetic stripe used previously, so you can still swipe them. The difference is that if one of those chip cards that you swipe is used fraudulently, you will now be liable. The rationale behind this is that if you had upgraded your terminal, the fraud could have been prevented. Therefore you are held accountable. You might be tempted to think that your small businesses is unlikely to be a victim of such fraud because it hasn’t happened in the past. But consider that all of the big retailers will be upgrading to the EMV terminals, which is likely to drive fraudsters to more vulnerable outlets (ie, small businesses). So I don’t want to be a fear-mongerer but for the fairly small business expense of a terminal upgrade you get a lot of fraud protection. If it prevents just one instance of fraud in the years to come, it has likely paid for itself many times over.
For most merchants, it’s not that expensive or difficult to switch over to EMV equipment and the insurance that the switch will provide you with is well worth the effort. So start thinking about it, and don’t wait until the last minute. The last month before the liability shift occurs in the US, equipment providers will be backed up with orders, making the transition less smooth. So there’s no time like the present to start looking into chip card machines. It might even be a good time to think about switching providers.
Posted in Best Practices for Merchants, Credit Card Reader Terminal, Credit Card Security, EMV EuroPay MasterCard Visa Tagged with: chip card readers, chip cards, contactless payments, credit card machine, credit card terminal, credit-card, Digital wallets, EMV, EMV compliant, EMV machines, EMV terminal, magnetic stripe, Merchant's, Near Field Communication, nfc, NFC reader, NFC-capable terminal, wireless terminal
January 21st, 2015 by Elma Jane
With a crucial deadline, the payments industry is starting to look at just what kind of fraud liability and how much fraud merchant acquirers will have to assume if their merchants aren’t ready to accept Europay-MasterCard-Visa (EMV) chip cards by October.
While issuers currently absorb losses under card-network rules, that burden will shift to acquirers this fall in cases where the fraud occurs at merchants unprepared for EMV.
As a result, acquirers will have to reckon with a whole new category of risk exposure.
In card-not-present transactions, acquirers have faced this, but in the overwhelming majority of cases they’ll be confronting it for the first time.
Surprisingly, for all the talk in the industry about the imminent arrival of EMV, it appears few acquiring executives have fully accounted for what the shift really means for them.
Some 24% of U.S. point-of-sale terminals are “EMV-capable,” while 9% of debit/prepaid cards issued, and 2% of credit cards have EMV chips so far. But while terminals may be technically capable, it isn’t known just how many of these merchants have the software and trained personnel to accept EMV.
Foreign issuers, especially, may be licking their chops at the prospect of offloading their consumer-fraud risk onto U.S. acquirers. For years and years, these non-U.S. issuers have invested in EMV, but the U.S. is still using the mag stripe. So non-U.S. issuers appear to be very aware of the liability shift.
To be sure, acquirers’ increased risk exposure may be relatively short-lived. Under the network rules, liability rests with the issuer in cases where both the merchant and the issuer are EMV-compliant. That could be nearly universally the case within a few years. By 2018, nearly all cards and terminals will be compliant.
But that still leaves open the question of how many of these terminals will really be running chip card transactions.
The issue isn’t so much about terminals as about software. Many mid-size merchants are using so-called integrated solutions that run payments as part of a larger business-management system. That means acquirers must work with a number of other parties to reconfigure software, and that presents a challenge when it comes to getting masses of merchants EMV-compliant.
The bigger problem is the integrated point-of-sale market.
While the liability shift may impact acquirers, not all them are convinced their exposure will rise all that much. Some argue the risk of loss from lost/stolen/counterfeit cards at the point of sale is low and not likely to rise, especially for small-ticket merchants.
Fraudsters, are much more inclined to practice their trade online, where the risk of being caught is lower, compared to face-to-face transactions.
Posted in Best Practices for Merchants, Credit card Processing, Credit Card Reader Terminal, Credit Card Security, EMV EuroPay MasterCard Visa, Visa MasterCard American Express Tagged with: card network, card-not-present, chip cards, credit cards, debit/prepaid cards, EMV, EuroPay, fraud, integrated solutions, mag stripe, MasterCard, merchant acquirers, Merchant's, payments, payments industry, point of sale, terminals, transactions, visa
October 23rd, 2014 by Elma Jane
The U.S. government will replace roughly 9 million government-issued payment cards with EMV chip-and-PIN versions early next year in a push to increase awareness and use of the more secure cards. Between 5 and 6 million prepaid debit cards used for issuing government payments, including Social Security and veterans benefits, will be reissued in January 2015. Another 3 million cards issued to federal government employees will also be replaced with EMV versions through the General Services Administration’s SmartPay program.
All the cards will be set up for Chip and PIN security as a U.S. government standard under the upgrade program, rather than the Chip and Signature approach required by Visa and MasterCard for most U.S. retailers starting late next year. However, there was no indication that the new cards will actually have the less secure magnetic data stripe removed.
Finding the right answers with the latest technologies to stop these cyber thieves and taking proactive and positive steps by adopting PIN and chip technology for government-issued debit and credit cards shows the importance of protecting financial transactions. While EMV is important, it’s not a total solution to the issue of data security.
POS devices at all federal agencies that accept retail payments will also be converted to accept EMV cards on a schedule set by the U.S. Treasury Dept. No timetable was given for the federal POS conversion.
The rollouts at four of the six largest U.S. retail chains will give a boost to EMV, which despite an October 2015 deadline has seen slow uptake among retailers. Under a mandate by Visa and MasterCard, retailers who experience credit or debit card fraud after next October but haven’t upgraded their POS equipment to accept EMV cards will be liable for the loss. If the bank that issued the card hasn’t upgraded it to EMV, the bank will take the loss.
But despite that October deadline, fewer than half of retailers’ POS terminals are expected to be able to accept EMV cards by the end of 2015, and barely half of U.S. payment cards will have been upgraded by then, according to the Payments Security Task Force, a banking industry group tracking EMV uptake.
The 9 million federally issued cards are a tiny fraction of the 1 billion credit and debit cards in use in the U.S., so the overall impact of accelerated EMV conversion is likely to be small. However, the Buy Secure initiative also explicitly includes a consumer-education component. Visa said it will spend $20 million in a public service campaign, and American Express said it will launch a $10 million program to help small merchants upgrade their POS terminals.
Small merchants are less likely to know about EMV than large retail chains, which have been making implementation plans for years.
Posted in Best Practices for Merchants, Credit Card Security, EMV EuroPay MasterCard Visa, Payment Card Industry PCI Security Tagged with: American Express, bank, Chip and PIN, chip and signature, credit cards, data security, debit card fraud, debit cards, EMV, emv cards, EMV conversion, financial transactions, magnetic data stripe, MasterCard, Merchant's, payment cards, Payments Security, POS conversion, POS devices, POS equipment, POS terminals, retail payments, visa
October 8th, 2014 by Elma Jane
When the PCI Security Standards Council (PCI SSC) launched PCI DSS v3.0 in January 2014, businesses were given one year to implement the updated global standard. Now that the deadline is fast approaching, interest is picking up in what v3.0 entails. On Jan. 1, 2015, version 3.0 of the Payment Card Industry (PCI) Data Security Standard (DSS) will reach year one of its three-year lifecycle.
Trustwave, a global data security firm, is on the frontlines of helping secure the networks of merchants and other businesses on the electronic payments value chain against data breaches. As an approved scanning vendor, Trustwave is used by businesses to achieve and validate PCI DSS compliance.
PCI DSS v3.0 is business as usual for the most part, except for a few changes from v2.0 that considers impactful for large swaths of merchants. The top three changes involve e-commerce businesses that redirect consumers to third-party payment providers. The expansion of penetration testing requirements and the data security responsibilities of third-party service providers.
Penetration testing
Penetration testing is the way in which merchants can assess the security of their networks by pretending to be hackers and probing networks for weaknesses. V3.0 of the PCI DSS mandates that merchants follow a formal methodology in conducting penetration tests, and that the methodology goes well beyond what merchants can accomplish using off-the-shelf penetration testing software solutions.
Merchants that are self assessing and using such software are going to be surprised by the rigorous new methodology they are now expected to follow.
Additionally, penetration testing requirements in v3.0 raises the compliance bar for small merchants who self assess. Those merchants could lower the scope of their compliance responsibilities by segmenting their networks, which essentially walls off data-sensitive areas of networks from the larger network. In this way merchants could reduce their compliance burdens and not have to undergo penetration testing.
Not so in v3.0. If you do something to try to reduce the scope of the PCI DSS to your systems, you now need to perform a penetration test to prove that those boundaries are in fact rigid.
Redirecting merchants
The new redirect mandate as affecting some, but not all, e-commerce merchants that redirect customers, typically when they are ready to pay for online purchases to a third party to collect payment details. If you are a customer and you are going to a website and you add something to your shopping cart, when it comes time to enter in your credit card, this redirect says I’m going to send you off to this third party.
The redirect can come in several forms. It can be a direct link from the e-commerce merchant’s website to another website, such as in a PayPal Inc. scenario, or it can be done more silently.
An example of the silent method is the use of an iframe, HTML code used to display one website within another website. Real Estate on the merchant’s website is used by the third-party in such a way that consumers don’t even know that the payment details they input are being collected and processed, not by the e-commerce site, but by the third party.
Another redirect strategy is accomplished via pop-up windows for the collection of payments in such environments as online or mobile games. In-game pop-up windows are typically used to get gamers to pay a little money to purchase an enhancement to their gaming avatars or advance to the next level of game activity.
For merchants that employ these types of redirect strategies, PCI DSS v3.0 makes compliance much more complicated. In v2.0, such merchants that opted to take Self Assessment Questionnaires (SAQs), in lieu of undergoing on-site data security assessments, had to fill out the shortest of the eight SAQs. But in v3.0, such redirect merchants have to take the second longest SAQ, which entails over 100 security controls.
The PCI SSC made this change because of the steady uptick in the number and severity of e-commerce breaches, with hackers zeroing in on exploiting weaknesses in redirect strategies to steal cardholder data. Also, redirecting merchants may be putting themselves into greater data breach jeopardy when they believe that third-party payment providers on the receiving end of redirects are reducing merchants’ compliance responsibilities, when that may not, in fact, be the case.
Service providers
Service provider is any entity that stores, processes or transmits payment card data. Examples include gateways, web hosting companies, back-up facilities and call centers. The update to the standard directs service providers to clearly articulate in writing which PCI requirements they are addressing and what areas of the PCI DSS is the responsibility of merchants.
A web hosting company may tell a merchant that the hosting company is PCI compliant. The merchant thought, they have nothing left to do. The reality is there is still always something a merchant needs to do, they just didn’t always recognize what that was.
In v3.0, service providers, specifically value-added resellers (VARs), also need to assign unique passwords, as well as employ two-factor authentication, to each of their merchants in order to remotely access the networks of those merchants. VARs often employ weak passwords or use one password to access multiple networks, which makes it easier for fraudsters to breach multiple systems.
The PCI SSC is trying to at least make it more difficult for the bad guys to break into one site and then move to the hub, so to speak, and then go to all the other different spokes with the same attack.
Overall, v3.0 is more granular by more accurately matching appropriate security controls to specific types of merchants, even though the approach may add complexity to merchants’ compliance obligations. On the whole a lot of these changes are very positive.
Posted in Best Practices for Merchants, Credit Card Security, Payment Card Industry PCI Security Tagged with: (PCI SSC), call centers, cardholder data, consumers, credit-card, customers, data breaches, data security assessments, Data Security Standard, e-commerce breaches, e-commerce businesses, e-commerce merchant's website, electronic payments, global data security, global standard, Merchant's, merchant’s website, mobile, networks, payment, payment card data, Payment Card Industry, payment providers, PCI Security Standards Council, PCI-DSS, Penetration testing, Service providers, shopping cart, software solutions, web hosting, website
September 17th, 2014 by Elma Jane
Host Card Emulation (HCE) offers virtual payment card issuers the promise of removing dependencies on secure element issuers such as mobile network operators (MNOs). HCE allows issuers to run the payment application in the operating system (OS) environment of the smart phone, so the issuing bank does not depend on a secure element issuer. This means lower barriers to entry and potentially a boost to the NFC ecosystem in general. The issuer will have to deal with the absence of a hardware secure element, since the OS environment itself cannot offer equivalent security. The issuer must mitigate risk using software based techniques, to reduce the risk of an attack. Considering that the risk is based on probability of an attack times the impact of an attack, mitigation measures will generally be geared towards minimizing either one of those.
To reduce the probability of an attack, various software based methods are available. The most obvious one in this category is to move part of the hardware secure element’s functionality from the device to the cloud (thus creating a cloud based secure element). This effectively means that valuable assets are not stored in the easily accessible device, but in the cloud. Secondly, user and hardware verification methods can be implemented. The mobile application itself can be secured with software based technologies.
Should an attack occur, several approaches exist for mitigating the Impact of such an attack. On an application level, it is straightforward to impose transaction constraints (allowing low value and/or a limited number of transactions per timeframe, geographical limitations). But the most characteristic risk mitigation method associated with HCE is to devaluate the assets that are contained by the mobile app, that is to tokenize such assets. Tokenization is based on replacing valuable assets with something that has no value to an attacker, and for which the relation to the valuable asset is established only in the cloud. Since the token itself has no value to the attacker it may be stored in the mobile app. The principle of tokenization is leveraged in the cloud based payments specifications which are (or will soon be) issued by the different card schemes such as Visa and MasterCard.
HCE gives the issuer complete autonomy in defining and implementing the payment application and required risk mitigations (of course within the boundaries set by the schemes). However, the hardware based security approach allowed for a strict separation between the issuance of the mobile payment application on one hand and the transactions performed with that application on the other hand. For the technology and operations related to the issuance, a bank had the option of outsourcing it to a third party (a Trusted Service Manager). From the payment transaction processing perspective, there would be negligible impact and it would practically be business as usual for the bank.
This is quite different for HCE-based approaches. As a consequence of tokenization, the issuance and transaction domains become entangled. The platform involved in generating the tokens, which constitute payment credentials and are therefore related to the issuance domain, is also involved in the transaction authorization.
HCE is offering autonomy to the banks because it brings independence of secure element issuers. But this comes at a cost, namely the full insourcing of all related technologies and systems. Outsourcing becomes less of an option, largely due to the entanglement of the issuance and transaction validation processes, as a result of tokenization.
Posted in Best Practices for Merchants, Credit Card Security, EMV EuroPay MasterCard Visa, Near Field Communication, Visa MasterCard American Express Tagged with: (MNOs), (OS), assets, bank, card, card issuers, cloud, cloud based payments, cloud based secure element, cloud-based, hardware secure element, Host Card Emulation (HCE), issuing bank, MasterCard, mobile, mobile app, mobile application, mobile network operators, mobile payment, mobile payment application, nfc, operating system, payment application, payment transaction, payments, platform, risk, secure element, smart phone, software, software based technologies, token, tokenization, transaction, virtual payment, visa
September 15th, 2014 by Elma Jane
Visa has taken advantage of the hoopla surrounding Apple’s application of digital account tokens to replace card numbers for online and mobile purchasing by initiating the roll out of its Token Service to US clients.
Visa Tokens will be made available to issuing financial institutions globally, starting with US banks next month, and followed by a phased roll-out overseas beginning in 2015. The technology has been designed to support payments with mobile devices using all major mobile platforms.
More than 750 staff from across the Visa organisation globally were involved in the effort, working closely with initial launch partners – financial institutions, merchants and processors to ensure the ecosystem was ready. Today, Visa is making these services available and believe it will help transform connected devices and wearables into secure payment vehicles.
Visa Token Service replaces sensitive payment account information found on plastic cards with a digital account number or token. Because tokens do not carry a consumer’s payment account details, such as the 16-digit account number, they can be safely stored by online merchants or on mobile devices to for e-commerce and mobile payments.
The release of the service has been given added urgency by a spate of successful hacks on merchant card data stores, such as the recent plundering of card account data at Home Depot and Target.
MasterCard has its own equivalent Digital Enablement Service, which will be released outside of the US in 2015.
Posted in Best Practices for Merchants, Credit Card Security, e-commerce & m-commerce, Mobile Payments, Visa MasterCard American Express Tagged with: account details, card, card account data, card data, data, digital account, digital account number, e-commerce, financial institutions, MasterCard, merchant card data, Merchant's, mobile, Mobile Devices, Mobile Payments, mobile platforms, online merchants, payments, processors, Token Service, tokens, visa, Visa organisation, Visa Token Service, wearables
September 5th, 2014 by Elma Jane
Businesses are rapidly adopting a third-party operations model that can put payment data at risk. Today, the PCI Security Standards Council, an open global forum for the development of payment card security standards, published guidance to help organizations and their business partners reduce this risk by better understanding their respective roles in securing card data. Developed by a PCI Special Interest Group (SIG) including merchants, banks and third-party service providers, the information supplement provides recommendations for meeting PCI Data Security Standard (PCI DSS) requirement 12.8 to ensure payment data and systems entrusted to third parties are maintained in a secure and compliant manner.
Breach reports continue to highlight security vulnerabilities introduced by third parties as a leading cause of data compromise. The leading mistake organizations make when entrusting sensitive and confidential consumer information to third-party vendors is not applying the same level of rigor to information security in vendor networks as they do in their own. Per PCI DSS Requirement 12.8, if a merchant or entity shares cardholder data with a third- party service provider, certain requirements apply to ensure continued protection of this data will be enforced by such providers. The Third-Party Security Assurance Information Supplement focuses on helping organizations and their business partners achieve this by implementing a robust third-party assurance program.
Produced with the expertise and real-world experience of more than 160 organizations involved in the Special Interest Group, the guidance includes practical recommendations on how to:
Conduct due diligence and risk assessment when engaging third party service providers to help organizations understand the services provided and how PCI DSS requirements will be met for those services.
Develop appropriate agreements, policies and procedures with third-party service providers that include considerations for the most common issues that arise in this type of relationship.
Implement a consistent process for engaging third-parties that includes setting expectations, establishing a communication plan, and mapping third-party services and responsibilities to applicable PCI DSS requirements.
Implement an ongoing process for maintaining and managing third-party relationships throughout the lifetime of the engagement, including the development of a robust monitoring program.
The guidance includes high-level suggestions and discussion points for clarifying how responsibilities for PCI DSS requirements may be shared between an entity and its third-party service provider, as well as a sample PCI DSS responsibility matrix that can assist in determining who will be responsible for each specific control area.
PCI Special Interest Groups are PCI community-selected and developed initiatives that provide additional guidance and clarifications or improvements to the PCI Standards and supporting programs. As part of its initial proposal, the group also made specific recommendations that were incorporated into PCI DSS requirements 12.8 and 12.9 in version 3.0 of the standard.One of the big focus areas in PCI DSS 3.0 is security as a shared responsibility. This guidance is an excellent companion document to the standard in helping merchants and their business partners work together to protect consumers’ valuable payment information.
Posted in Best Practices for Merchants, Credit Card Security, Payment Card Industry PCI Security Tagged with: banks, Breach, card, card data, cardholder, consumer, data, data security, Merchant's, networks, payment, payment card security, payment data, payment information, PCI, PCI-DSS, provider's, Security, Security Assurance, security standards, security standards council, Service providers, services
September 4th, 2014 by Elma Jane
EMV, which stands for Europay, MasterCard and Visa, and is slated to be mandated across the United States starting in October 2015 and automated fuel dispensers have until October 2017 to comply. Unlike magnetic swipe cards, EMV chip cards encrypt data and authenticate communication between the card and card reader. Additionally, chip card user is prompted for a PIN for authentication.
Why are those dates important? Companies lose $5.33 billion to fraud today, with card issuers and merchants incurring 63 and 37 percent of these losses, respectively. Under the EMV mandate, merchants who do not process chip cards will bear the burden of the issuer loss. By accepting chip card transactions, merchants and issuers should see a reduction in fraud.
Overcoming Barriers to EMV Adoption
Given the significant barriers to EMV adoption, it may be tempting for merchants to meet minimum requirements for accepting EMV payments. However, medium to large retailers should also consider the bigger picture of customer security and peace of mind.
Some key critical success factors for a payment initiative of this size include:
Business Continuity Architecture: As with all payment systems, it is imperative to have the EMV system running at all times. The solution should preferably have Active-Active architecture across multiple data centers and have a low Recovery Point Objective (the point in time to which the systems and data must be recovered after an outage).
Cost Benefit Analysis: Take a top down approach and decide accordingly on the scope of the analysis. This will ensure that decisions on scope are made on basis of quantitative data and not just qualitative arguments.
Phased Approach: To overcome time or cost overage in a project of this scope and complexity, retailers should try using an iterative approach for development. The rollout can be divided into multiple releases of six to seven months, which will provide the opportunity to review, capture lessons learnt, and improve subsequent releases.
Proactive Monitoring Alerts: Considering the criticality of business function carried out by EMV, tokenization and payment gateway, a vigorous supervising environment must be defined to perform proactive and reactive monitoring. It should take into consideration the monitoring targets, tools, scope and methods. This will provide advance visibility to the failure points and better ensuring maximum system availability.
Resilience Testing: Typically in a software project, the testing is limited to the unit, integration, performance and user acceptance. However, due to the critical nature of the applications and systems involved, robust resiliency testing is vital. This will ensure that there are no single points of failure and the system remains available when running in error conditions.
Stakeholder Identification: This is a key step to ensure that you have varied perspectives from all departments and their support. It will keep your organization from being blindsided and reduce the risk of disagreements in later stages of the program. Key stakeholders should include Store Operations, Card Accounting, Loss Prevention, Contact Center and IT & Data Security.
Organizations should adopt a five step approach to implement a secure, robust and industry-leading payment solution:
Encryption – Point to point encryption will ensure card data is secure and encrypted from the point of capture to the processor. Usually, merchants use data encryption that is not point to point, rendering their organization vulnerable to data breaches. Software encryption is the most common form of encryption, as it is easily installed and quires little or no hardware upgrades; however, it is less secure, may expose encryption keys, and is prone to memory scanning attacks. Hardware encryption is considered more secure but requires more costly terminal upgrades. Hardware encryption is designed to self-destruct the keys if tampered, but is not well-defined as very limited headway has been made in this space.
Tokenization – Build a Card Data Environment (CDE) that will host a centralized card data storage solution. Only limited applications with firewall access and capability to mutually authenticate via certificates can access CDE and receive card data. The rest of the applications will have tokens which are random numbers. This architecture will ease the merchant’s burden with existing and emerging PCI Data Security Standards.
Payment Gateway – Perform a risk assessment on the current payment gateway and identify gaps in functionality, manageability, compliance, scalability, speed to market and best practices. Determine the alternatives to mitigate the risks. Some of the important aspects of a leading payment gateway solution are support for all forms of credit, debit, gift cards and check transactions. Its ability to work with any acquirer, in-built encryption abilities, support for settlement and reconciliation must also be kept into consideration.
Settlement, Funding and Reconciliation – A workflow-based system to handle chargebacks and the automation of chargeback processing will greatly reduce labor-intensive work and enhance the quality of data used for settlement and reconciliation. Upgrades to the existing receipt retrieval system may be needed.
Card fraud is on the rise in the U.S., and merchants are the primary target for stealing information. With the EMV deadline just over a year away, the responsible retailer must take steps to prepare now. Although EMV implementation might seem overwhelming to merchants, they should start their journey to secure payments rather than wait for a looming deadline. Solutions such as data encryption and tokenization should be used in combination with EMV to implement a robust payment solution to better protect merchants against fraud. By proactively adopting EMV payment solutions, merchants can stay ahead of the regulatory curve and better protect their customers from fraud.
Posted in Best Practices for Merchants, Credit Card Security, EMV EuroPay MasterCard Visa, Payment Card Industry PCI Security, Visa MasterCard American Express Tagged with: authentication, automation, card, card data, Card Data Environment, card fraud, card issuers, card transactions, CDE, chargeback, chargeback processing, check, check transactions, chip, chip cards, credit, customer, customer security, data, data breaches, data encryption, data security, debit, EMV, emv chip cards, EuroPay, fraud, gateway, Gift Cards, host, integration, magnetic swipe cards, MasterCard, Merchant's, payment, payment gateway, payment solution, payment systems, PCI, PCI Data Security Standards, PIN, processor, retailers, Security, software, swipe, terminal, tokenization, tools, visa