EMV Standard Combats Payment Card Fraud
As recent events demonstrate, the magnetic stripe-based payment cards used by the vast majority of U.S. retailers, banks, payment processors and card issuers are vulnerable to fraud. The Europay, MasterCard, Visa (EMV) standard used by the rest of the developed world stores sensitive customer data on an encrypted chip, rather than on a magnetic stripe, making payment card fraud much more difficult. Erik Vlugt, VP product marketing for electronic payment solutions vendor VeriFone Inc., recently shared insight on the advantages EMV can offer U.S. retailers and their customers and what needs to happen to make widespread EMV adoption in the United States a reality.
What advantages does the EMV standard offer?
At the top level, there are two advantages that EMV offers. It makes card fraud, in terms of stealing data from a customer’s card and making your own duplicate card, impossible. And also global interoperability. The U.S. is the last developed country not on the EMV platform. Adopting EMV in the U.S. would allow people from other EMV-compliant countries to use chip cards in the U.S., and vice versa. Going to Europe and using a magnetic stripe card can cause issues.
How do EMV-compliant cards authenticate a customer?
The EMV standard covers three forms of authentication — personal identification number (PIN), signature and no cardholder verification method (CVM) at all. You might have no CVM for a low-ticket item where you just tap your card on a reader, such as at a fast food restaurant. On the equipment side, VeriFone enables EMV-compliant capture for all three types of verification. Card issuers will issue EMV cards with a preference. You will likely see Visa promote chip and signature and MasterCard promote chip and PIN. PIN authentication is more secure than signature authentication, but also more complex. There is an argument about whether PIN authentication is worth the extra complexity; existing POS equipment already supports signature authentication.
What effort would be involved in widespread EMV adoption in the United States?
Large retailers and national chains would have a reasonable effort. They would need to upgrade and support acceptance equipment on the hardware side. On the software side, retailers must upgrade downstream POS software and switch software, and the processor must certify their new system and test end-to-end data capture to the payment network before allowing them to operate. There is a lot of incremental effort. Smaller retailers typically use a third party to certify their payment networks, so it’s less of an effort for them.
What impediments exist to adoption of EMV in the United States?
The cost of upgrade, as well as the large U.S. market with a wide variety of acceptance types — POS terminals, ATMs, kiosks, etc. — are impediments. However, three years ago Visa put in a liability shift (that goes into effect October 2015) as an incentive. The U.S. is the only developed country where you can easily commit card fraud.
What is VeriFone doing in terms of EMV-compliant technology and assisting retailers in switching from magnetic stripe technology?
We are providing lots of education; we are a very consultative company. This includes webinars and one-on-one meetings. We also help our clients upgrade their magnetic stripe card acceptance systems beyond EMV compliance. A common misconception is that once you start using EMV-compliant technology, card data is secure. In actuality, the data is secure on the card but once the card is inserted into the reader, the customer’s card number travels in the company’s network in unencrypted form. VeriFone seals the customer’s data in encrypted form as it travels through the network and doesn’t decrypt it until it gets to the processor.
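The last answer describes the gap EMV leaves in the store itself: the chip protects the card, but the account number still crosses the retailer's own network on its way to the processor unless the reader encrypts it first. The following is an added example, not VeriFone's code and not a reference implementation of EMV or PCI point-to-point encryption. It models that flow: the reader seals the PAN, the POS and switch only relay opaque bytes, and the processor, which alone holds the key, verifies and decrypts. The cipher (an HMAC-SHA256 keystream in counter mode with an encrypt-then-MAC tag) is an assumption chosen so the script needs nothing beyond the standard library; production terminals use AES-based key management such as DUKPT, and the master key and test card number below are constructed values.

```python
"""Sealing the card number at the reader, as an added illustration.

Not VeriFone code and not a reference implementation of EMV or PCI P2PE.
The reader encrypts the PAN before it enters the store network, the POS and
switch relay opaque bytes, and only the processor can open the blob.
"""
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

NONCE_LEN = 16
TAG_LEN = 32


def derive_keys(master: bytes) -> Tuple[bytes, bytes]:
    """Split one shared master key into separate encryption and MAC keys."""
    enc_key = hmac.new(master, b"p2pe-enc", hashlib.sha256).digest()
    mac_key = hmac.new(master, b"p2pe-mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: HMAC(key, nonce || counter) blocks, truncated.
    Illustrative stand-in for AES; never reuse a nonce under one key."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def reader_seal(master: bytes, pan: str) -> bytes:
    """Runs inside the card reader: PAN goes in, an opaque blob comes out."""
    enc_key, mac_key = derive_keys(master)
    nonce = secrets.token_bytes(NONCE_LEN)  # fresh per transaction
    plaintext = pan.encode("ascii")
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def store_network_forward(blob: bytes) -> bytes:
    """POS software and payment switch: they relay the blob and hold no key."""
    return blob


def processor_open(master: bytes, blob: bytes) -> Optional[str]:
    """Runs at the processor: check the tag first, then decrypt. None on tamper."""
    if len(blob) < NONCE_LEN + TAG_LEN + 1:
        return None
    enc_key, mac_key = derive_keys(master)
    nonce = blob[:NONCE_LEN]
    ciphertext = blob[NONCE_LEN:-TAG_LEN]
    tag = blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ s for c, s in zip(ciphertext, stream)).decode("ascii")


def pan_exposed_in_transit(blob: bytes, pan: str) -> bool:
    """What a sniffer on the store LAN would see: is the PAN there in the clear?"""
    return pan.encode("ascii") in blob


if __name__ == "__main__":
    # Constructed values: a fixed demo key and a widely published test card number.
    master = bytes(range(32))
    pan = "4111111111111111"
    blob = store_network_forward(reader_seal(master, pan))
    print("PAN visible on store network:", pan_exposed_in_transit(blob, pan))
    print("Processor recovered:", processor_open(master, blob))
```

The point to take from running it is the one the interview makes: `pan_exposed_in_transit` is false for everything between the reader and the processor, and a blob altered in transit is rejected rather than decrypted to garbage. The same property is what a P2PE assessment checks for, in that no component in the store environment holds a key that can recover the PAN.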
Bringing it all Back Home
The days of independent silos, when the Web, phone, catalog and store could each be operated separately with its own customer experience and fulfillment processes, are behind us. Today’s “always connected” consumers demand a seamless experience from the retailers they shop with, regardless of channel. And that seamless experience requires extensive alignment of systems on the back end as well as the front end.
Weehawken, N.J.-based Hanover Direct is a multichannel, multibrand retailer, which operates catalog, phone and e-commerce channels, along with five physical stores, under several banners: Company Store, Company Kids, Scandia Home and Undergear. Currently, Hanover is in the process of revamping back-end systems and processes to allow its customers as seamless an experience as possible, regardless of how they choose to engage with the retailer.
“When you think of separate sales channels, you fight on growing each point of interaction separately,” explained Jeffrey Rosenholtz, CIO of Hanover Direct. “When you look at the company as a whole, you grow each point of interaction holistically. You get one view of the customer and all the channels work in tandem.”
With this philosophy in mind, Hanover Direct realized that its existing homegrown back-end infrastructure, supported by a 17-year-old enterprise mainframe as well as a variety of disparate on-premises legacy software solutions, was not suitable for providing a modern, seamless customer experience. As a result, in August 2012, after a six-to-seven-month implementation, Hanover Direct launched NetSuite OneWorld to support customer-facing activities on a common Demandware front end that served as a platform for catalog, call center and e-commerce channels.
Real-time Order Management
According to Rosenholtz, one big advantage the NetSuite implementation offers is the replacement of a daily batch-processing order management cycle with a real-time cycle, which leads to enhanced promotional effectiveness. “We can put a promotion on the Web and see how it’s doing,” Rosenholtz said. “We can track source codes. If the promotion isn’t doing well, we can tweak it in real time and see if the changes are working.”
Masters of Store
Rosenholtz said Hanover Direct plans to implement a POS system from NetSuite in its stores so that the store becomes part of the larger seamless customer experience.
“Once stores are online, our goal is to be able to shift inventory from store to store to meet demand,” Rosenholtz added. “We want one combined experience so that when you swipe a credit card in the store, we can make a targeted offer based on what you’ve bought online.”
In addition to improving customer service, promotions and order management, the NetSuite implementation has allowed Hanover Direct to streamline its IT operation. By shifting enterprise operations to the cloud-based NetSuite platform, the retailer has been able to reduce IT resources, scale back hardware from 46 to 25 servers, and eliminate the cost of maintaining and operating the facility.
“We need to serve the modern customer who shops by tablet, smartphone and Web,” Rosenholtz said. “We couldn’t do that with 1990s technology, but we can do that now.”
Protecting Customers’ Data
While debate goes on about the use of technology to reduce the potential for credit card fraud, there are basic operational steps that retailers can take now to protect customer data and minimize risk. And the starting point should be to draw up a statement of standard operating procedures (SOP) for everyone in the organization.
“Make sure you have a clear written policy about how to handle credit cards,” said Mark Burnette, a partner with LBMC Security & Risk Services, a Nashville-based consulting firm. “And make sure your employees have been educated on the policy. Bring up the topic regularly in your staff meetings.” A company’s SOP must address the critical need of keeping sensitive customer numbers under wraps.
“Where the merchant is most vulnerable is in the accidental mishandling of card information,” said Burnette. “Suppose, for example, an employee takes an order over the phone, jots down the card number on a piece of paper, and then later drops the paper into the trash instead of a shredder. That violates the PCI and is bad business practice.”
Another good rule is to keep the credit card in the hands of the customer as long as possible.
“Employees should quickly process the card and return it,” Burnette said. “This will keep the card from being accidentally grabbed (or from having its number written down) by someone else.”
The right hardware can be as important as the right procedures. Has the company been using the same POS equipment for many years? It may be time to replace it.
“Some retailers still have legacy equipment that they don’t even realize is capturing cardholder information that can be compromised,” explained Paul Rianda, an attorney in Irvine, Calif. “In contrast, if merchants use newer equipment, and use it correctly, there should be no way to lose cardholder information.”
Computer systems face special challenges.
“You need to establish rules about passwords and about access to the computer system,” Burnette said. “Each employee should have a unique security code, which they are forbidden to share with other employees or even with managers. The passwords should allow access only to those sections of the database required to do an individual’s job.”
It is recommended to use only hardware and software that have been approved by the PCI Security Standards Council (approved vendor lists are available at pcisecuritystandards.org). A company should make sure it uses a firewall, and that its wireless router is password-protected and uses encryption. And change the default hardware passwords to complex ones.
“Make sure you have a written policy in place, train your employees properly, and make sure your computer system is PCI compliant,” he added.
Many of the protective steps suggested in this article derive from a broader maxim near and dear to the hearts of security people everywhere: Retain only the information you need.
“Follow the rule that says ‘if you do not need customer information you should not keep it,’” said Burnette.
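Two of the practices above, not letting a jotted-down card number end up where it should not, and keeping only the customer information you actually need, can be enforced in software rather than left to habit. The following is an added example, not code from the article, LBMC or the PCI Security Standards Council. It stores an order record without the full PAN or CVV (only a masked form and a keyed token survive), and it scans free-text fields such as phone-order notes for digit runs that look like card numbers (13 to 19 digits passing the Luhn check) so a number typed into a note is masked before it reaches the database. The HMAC-based token is an assumption standing in for a real tokenization service or vault, and the order values and card numbers are constructed test data.

```python
"""Keep only what you need: masking, tokenizing and redacting card numbers.

Added example; not from the article, LBMC or PCI SSC. The HMAC token is a
stand-in for a tokenization service; sample data is constructed.
"""
import hashlib
import hmac
import re
from typing import Dict

# Runs of 13-19 digits, allowing the spaces or dashes people type between groups.
PAN_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
SEPARATORS = re.compile(r"[ -]")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by card numbers; rejects most non-card digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:        # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the last four digits, enough for customer-service lookups."""
    return "*" * (len(pan) - 4) + pan[-4:]


def redact_pans(text: str) -> str:
    """Replace anything in free text that looks like a card number with its masked form.
    Digit runs that fail Luhn (order numbers, tracking ids) are left untouched."""
    def repl(m: "re.Match") -> str:
        digits = SEPARATORS.sub("", m.group(0))
        return mask_pan(digits) if luhn_valid(digits) else m.group(0)
    return PAN_RE.sub(repl, text)


def minimize_order(order: Dict[str, str], token_key: bytes) -> Dict[str, str]:
    """Build the record that is allowed to persist: no PAN, no CVV, no track data.
    A keyed token lets later orders be linked to the same card without storing it."""
    pan = SEPARATORS.sub("", order["pan"])
    stored = {k: v for k, v in order.items() if k not in ("pan", "cvv", "track_data")}
    stored["pan_masked"] = mask_pan(pan)
    stored["pan_token"] = hmac.new(token_key, pan.encode(), hashlib.sha256).hexdigest()
    if "notes" in stored:
        stored["notes"] = redact_pans(stored["notes"])
    return stored


if __name__ == "__main__":
    # Constructed phone order; 4111... is a widely published test card number.
    order = {
        "order_id": "C-1001",
        "pan": "4111 1111 1111 1111",
        "cvv": "123",
        "expiry": "12/26",
        "notes": "customer read 4111111111111111 over the phone, ref 1234567890123456",
    }
    print(minimize_order(order, b"demo-token-key"))
```

The CVV is dropped outright because it may never be stored after authorization; the expiry date is kept because it is permitted storage and needed for recurring orders. Running the script on the constructed order shows the PAN in the notes field masked while the 16-digit reference number, which fails the Luhn check, is left alone.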
Education is the first step to safety. Many smaller merchants are not aware of the duty to protect customer data, nor of the continually morphing rules. Ignorance of the law, as always, is no excuse. Taking the basic steps in this article will reduce your risk considerably.
Phil Perry is a New York-based business writer.