Addressing EMV’s Data Security Vulnerabilities
So here we are. October 1, 2015. The EMV mandate deadline has arrived. Many have hoped that this would be the end of the payment security issues. Not quite.
I’m hoping that at this point, you know EMV is a global standard for embedded microprocessors in physical payment cards and using them to authenticate their validity in the payment initiation process. Outside the US, EMV has proven to significantly lessen card-present payment fraud and is expected to yield similar results here in the states. But for all its effectiveness with validating physical payment cards, EMV leaves at least two major security vulnerabilities for payment-accepting businesses.
Two Major Security Vulnerabilities
First, EMV provides no protection for the transmission of sensitive payment information to the acquiring bank. After the EMV card validation process, the cardholder data must be delivered safely to the payment processor. By default, EMV does not provide ANY protections of data in transit to the processor. Criminals use POS malware, memory scrapers and other covert technologies to capture all of the payments data they need from unsuspecting retailers, despite the use of EMV. When such data breaches occur, retailers pay a hefty toll in the form of lost revenue, fines and penalties, executive job loss and even board-level lawsuits.
Second, EMV does nothing to stop the use of stolen card information in online and mobile transactions. Criminals know they can monetize their card data heists by using the information in card-not-present purchase environments. And for the time being, criminals can use stolen cardholder data to create and use bogus mag-stripe cards until EMV has been ubiquitously deployed across the US market. The Merchant Advisory Group estimates that only 20 percent of 13.9 million POS devices at U.S. merchant locations will be EMV capable by October or shortly thereafter.
EMV Plus Data Security
It is essential that retailers complement their EMV implementations with data security technologies that protect cardholder data in transit from a purchase point to the acquiring bank. Leading security experts and industry security standards strongly encourage the use of point-to-point encryption (P2PE) and tokenization to provide these protections. A report on NetworkWorld.com details the vulnerability, “In the first 9 months of 2014, 904 million records were compromised in 1,922 confirmed incidents” which included “20 incidents that compromised more than 1 million records each.”
P2PE removes all sensitive data from the payments authorization message. Encryption completely de-values the sensitive card data and can be format-preserved so as not to disrupt the payment authorization process. Once in a trusted data environment, businesses can use tokenization to safely store the card values for future use, in a PCI-compliant way. Using these solutions together, businesses create a layered data security strategy that protects against the consequences of a data breach.
Best of all, P2PE and tokenization have never been easier to implement than now. Modern approaches such as format-preserving encryption, in-browser eCommerce encryption, and table-based tokenization avoid operational disruptions and systems re-engineering. These solutions are operationally invisible and fully compatible with EMV.
About George Rice:
For the past 20 years, George Rice has helped businesses use technology to enhance their acceptance of electronic payments. He has assisted many of the largest US retailers in implementing solutions that improve the speed, convenience and security of payment transactions. In his current role as HP Security’s Senior Director of Payments, George works with both merchant acquirers and large retailers to implement technology that protects the sensitive data entrusted to them by consumers, including payment and personal data. Additionally, he manages relationships with the foremost payments solution providers, as well as the PCI council, the ETA and other industry organizations.
Find out more about our solutions for retail merchants.