Mitigating the Risk of Retail Breaches: What to Know About EMV Security
By Randy Vanderhoof, EMV Migration Forum
After large-scale payment data breaches at Target, Sally Beauty, Michaels, Niemen Marcus and the recently confirmed breach at Home Depot, it seems that no retailer is safe from skilled hackers. The incidents also bring to light such questions as “why are payment system breaches happening more frequently?” and “how can they be stopped?”
We will examine the answers to these questions, but first let’s look at what we know about the Home Depot breach so far. According to statements from Home Depot, customers who shopped at any of its 2,000+ U.S. stores as far back as April were exposed. And from the reports, the cause of the breach is the same or similar to the malware from Russian and Ukrainian hackers that broke into other retailer systems. What we do not know yet is how many customer accounts were compromised, but if the breach affected all Home Depot stores, it could be even larger than the one Target experienced.
Why are overseas hackers so interested in U.S. payment card data? The answer lies in the magnetic stripe cards we have been carrying in our wallets for decades. Magnetic stripe payment card data in retailer systems is extremely valuable to hackers, and criminals will pay high prices for it because it’s easy to use to create functioning counterfeit payment cards. As Brian Krebs reported at the end of last year, the black market price for just one of the several million card accounts stolen in the Target breach was between $26.60 and $44.80.
Because the U.S. is one of the last major economies to rely on magnetic stripe cards, it has become a big target for fraud. The U.S. loses $5 billion a year to card fraud, accounting for about half of global card fraud despite only generating about a quarter of the total volume of purchases and cash .
Combating counterfeit card fraud and devaluing the payment data in our retailer systems so it is less attractive to hackers are two of the main reasons why the U.S. is now joining more than 80 other countries and moving to EMV chip cards.
Chip cards, based on the EMV specifications, contain embedded microprocessors that provide strong transaction security features and other application capabilities not possible with traditional magnetic stripe cards.
There are three major chip card transaction security features that work to prevent fraudulent transactions:
Microprocessor chip: Each chip card contains a secure microprocessor chip that stores payment card data placed there by the issuer during the personalization process and can perform cryptographic processing during a payment transaction. This payment data is stored securely in the card’s chip and is protected with advanced chip hardware and software security. The microprocessor chip is used instead of the magnetic stripe during each EMV payment transaction. This helps to prevent card skimming and card cloning, the most common ways magnetic stripe cards are compromised and used for fraudulent activity.
Authentication: In a chip card transaction, the card is authenticated as being genuine by the terminal, and the chip’s processor generates a dynamic data element that is authenticated online or offline, according to issuer-determined risk parameters.
One-time use cryptogram: Even if fraudsters are able to steal account data from chip transactions, this chip replaces the static security code with a one-time use cryptogram and does not include other data needed for counterfeit magnetic stripe transactions. This means that the data cannot be used to create a fraudulent transaction in an EMV chip or magnetic stripe environment.
What this means for retailers: If you start accepting chip card payments, the data in your system will become a lot less valuable to hackers. We’ve seen in other countries that hackers will pass over chip card data and instead go after the more valuable magnetic stripe data. Unfortunately, this also means that retailers that lag in accepting chip cards could actually become more of a target.
As you think about your plans to implementing chip technology, also consider the liability shift dates set by the major payment brands. Though the transition to chip card technology is not a mandate, the payment brands will shift the responsibility for any fraud resulting from a payment transaction to the party using the least secure technology after October 2015 (or October 2017 for fuel-dispensing merchants). This may be either the issuer of the card or the merchant accepting the payment card. If neither or both parties have implemented chip technology, the liability stays the same as it is today. Each payment brand has intricacies to their rules, but if a retailer upgrades to a POS terminal that accepts chip cards with PINs, they are generally protected from fraud liability, even if a non-chip card is used.
Also, think about how you will complement your chip implementation with a layered security approach. Chip technology is a key piece in a layered approach to securing our payments infrastructure, but not the only piece. Layering security with complementary technologies like tokenization and encryption and complying with PCI DSS requirements are necessary to build up our defenses and fight other types of fraud, like card-not-present (CNP) fraud.
The United States. is about two years into its migration to chip card technology. The EMV Migration Forum expects to see 120 million chip cards and 4.5 million chip-capable terminals in the market by the end of the year . However, “chip-capable” means that many of these terminals are not yet fully enabled to accept chip card payments. I urge these retailers to move quickly to fully enable them or they will still be vulnerable to attacks. For retailers that have not yet started planning to implement chip technology in their stores, they should talk to their vendors and partners about their options and get started as soon as possible.
Randy Vanderhoof is the director of the EMV Migration Forum, which has been working to make the U.S. migration to chip technology efficient and effective. For more resources on the U.S. migration, visit emv-connection.com/merchants.