Why EMV isn’t going to solve all your problems

As you may already know, the deadline to adopt EMV-enabled POS terminals and card readers is October 1st, 2015. Companies that have been victims of credit card fraud, and those that have heard about the size of some of the latest data breaches at businesses of all sizes, finally feel like they can take a breath and relax, knowing that EMV is going to take a lot of those security risks away; forever!
It’s unfortunate to be the last developed country in the western hemisphere to adopt such an advanced tool to prevent fraud. Businesses and consumers have lost billions of dollars every year due to credit card fraud that for the most part could have been prevented with the right tools in place. In 2012, the U.S. accounted for 47% of global credit card fraud while only being responsible for 23% of total global credit use.

The new chip-enabled credit cards will replace all the magnetic stripe cards in circulation within the next 2 years, and EMV-enabled terminals will make it safe and easy to encrypt transaction data dynamically for each purchase.


How will the EMV migration affect you and your customers?

Your customers may not need to do anything besides getting familiar with the new cards and using them at points of sale or ATMs. Card issuers, however, have already incurred huge costs to replace old cards with new chip cards. Merchants need to invest in new technologies and equipment to be able to accept such cards. This can include POS terminals, apps, and other forms of accepting payments from customers.

What is the liability shift and how could it impact you?

Being the last country in the western hemisphere to adopt the technology, the U.S. has tied the migration to some deadlines and is going to impose penalties to expedite the process. Companies that invest in EMV adoption are not financially liable in the event of fraud. The year 2017 is going to be the very last phase of the EMV migration, and the liability for fraud and its associated costs will be shifted to the part of the chain that has failed to secure card transactions with EMV technology.

How is EMV going to benefit you and your customers?

EMV technology is going to greatly improve the security of transactions, reducing your risk and protecting your reputation. It will also reduce the risk of fraudsters using stolen card data and will strengthen a few weak links in the payment cycle. EMV adoption will also expedite the adoption of mobile payment in a variety of card-present transactions. Smart cards can be used everywhere cards are accepted, and there’s not going to be any problem with global interoperability.

Is EMV going to solve all our payment security issues?

To answer this question, it’s important to know that our payment ecosystem is weak in multiple links, and new ways of accepting payments only introduce new links to this chain. It’s also important to take a close look at EMV technology and its history throughout the world to evaluate the impact of smart cards on the payment industry.

EMV in Europe

France: The country was the very first among the developed nations to use smart cards. The adoption reduced card-present transaction fraud while the rate of card-not-present fraud only increased.

UK: The United Kingdom was also among the first few countries that started using chip-and-PIN cards. Currently, over 99% of all transactions are PIN verified. Similar to France, the UK witnessed a significant decrease in the card-present fraud rate while the rate of card-not-present fraud increased.


Australia and Canada saw similar results.


What do these findings tell us?

There’s no doubt that embracing the new technology is the only option to reduce the risk of attacks on card-present transactions. EMV has already been shown to be an effective tool in reducing such risks and will help the U.S. payment industry in the same fashion it improved the security of payments in other developed nations.

However, as the data suggests, cyber-criminals are constantly looking for vulnerabilities and ways to hack systems. Fortunately for them (ironically), the number of card-not-present transactions is only going to rise due to the rise in demand for more convenient payment options such as online shopping and business-to-business transactions. While consumers find it more convenient to use cards to shop online, businesses also find it easier to pay their invoices via credit cards and get rewarded for doing so.

Processing checks is both costly and risky, so there’s no question as to why businesses are moving away from paper. Criminals still target checks more than other types of payments: some 85% of organizations that experienced attempted or actual payment fraud in 2011 were victims of check fraud. As for costs, according to SunGard research, a corporation with 5000 checks per month at a cost of $1.50 is spending $90,000 per year just to pay invoices by check. By migrating 25% of those 5000 checks with an average check value of $1100 to an electronic payment form that has an average of $13.75 in rebates, a corporation can earn $206,256 per year from the rebates, turning the finance department into a revenue generator. Additionally, by migrating 50% of those checks to ACH at $0.50 per transaction, a corporation can save approximately $30,000 per year.

Companies are slowly adopting payment cards as a method of payment in order to save money and improve operational efficiency. However, these B2B transactions are considered card-not-present transactions that are not affected by EMV, since there’s no face-to-face interaction and the actual card is not processed through a payment terminal.
Most merchants in the B2B space have credit card numbers saved and stored on their servers to expedite the billing process: to charge the buyer immediately after the purchase and to get paid fast. These cards and the stored information now pose a huge risk to the organizations that have saved them, as any malicious attack on the company’s network will result in the loss of customers’ information and the business’s reputation. This is a “data-at-rest” risk problem that is now faced by many companies in the U.S.

What’s data-at-rest and how do you protect it?

What’s data-at-rest and how to protect it?

Credit card data is in the “motion/transit” state when it’s being sent to the acquiring banks to authorize and charge a payment.
The credit card data that is stored for future billing purposes is “data-at-rest”.
While data in transit has been encrypted and tokenized by a number of payment gateways and processing technologies, data-at-rest received very little attention until the recent rise in card-not-present fraud cases. Tokenizing stored card data not only increases the safety of the data but also reduces companies’ PCI scope, and thus introduces new ways to save on the IT infrastructure and data security investment companies have to make in order to stay compliant.

Where to start?

As you noticed, EMV isn’t going to solve all your payment security concerns, and if you are a business that accepts payments from other businesses in a card-not-present format, you should be worried even more than before, since history clearly shows that fraudsters are going to focus heavily on CNP transactions moving forward. Now that we know that EMV is just one piece of the security puzzle, we must learn about tools and technology such as tokenization to protect sensitive credit card data from uninvited eyes.

The first step to protecting data, financial or non-financial, is to invest in a secure network that is constantly monitored and maintained. Depending on the volume of data and the sensitivity of the information that is stored on your network, you must conduct periodic scans and run tests to make sure that all the vulnerabilities are addressed before hackers detect them. Training your employees to equip them with the knowledge they need to handle customers’ data is also mandatory for businesses that deal with critical data. To safeguard your payment processing activities, however, you may not need to invest in anything. Most merchants simply do not know that choosing the right payment gateway can have a great impact on the safety of transactions and the overall costs of processing electronic payments.

Contact us to find out how our payment gateway can reduce your risk and improve your operation.

* Graphs and statistics from Entrust DataCard.