Improving Data Breach Security, from the Customer’s Wallet on Up: In Wake of Massive Breaches, It May be Time to Consider Enhancing Customer Security with Chip-Embedded Payment Cards

In early September, Home Depot announced that it had suffered a severe security incident, which resulted in a massive data breach that exposed the payment card information of Home Depot customers across the United States and Canada. The home improvement retailer later confirmed that the breach was the result of malware designed by hackers to evade the company’s security measures, and which subsequently compromised the integrity of its sales register systems. Once compromised, hackers were able to “scrape” customer payment information from the registers’ memory and transmit customer payment card data overseas. All told, the breach exposed the payment card information of 56 million customers, making it one of the largest known retail data breaches to date. Home Depot’s announcement and the resulting disclosure of the number of customers affected adds the home improvement giant the ever-expanding list of major retailers that have found themselves victimized by cyber criminals. As this blog noted earlier this summer, credit card and debit card fraud caused $11.27 billion in losses in 2012. Secured PoS devices are critically important for stemming the tide of payment card fraud, as they are the point where customer payment card information is commonly gathered. Accordingly, businesses that use PoS devices in their operations should take appropriate steps to create the most secure environment possible, and obtain cyber insurance to further manage risk of a data breach. Yet retailers are looking at additional measures to protect themselves and their customers from cyber-thieves, and are starting with what’s in their customers’ wallets. Better customer security through better payment card systems: embracing “EMV” In order to curtail both data breaches and incidents of payment card fraud, major U.S. retailers are starting to issue store-branded credit and payment cards embedded with smart chip technology in order to increase the security of customer payment card information. Most recently, Walmart announced on August 25 that it had started to send its Walmart MasterCard customers EMV (also known as “chip-and-PIN”) enabled credit cards, following a similar move by its sister company Sam’s Club in late June. According to the retail titan, all Walmart and Sam’s Club locations will have active EMV-capable terminals by the end of the year. Walmart, Sam’s Club, and their retail MasterCard aren’t alone in their embrace of EMV technology: in the U.S., the major payment card companies have declared an October 2015 deadline for merchants to convert to EMV-capable payment systems, and have established roadmaps for shifting to EMV-based payment networks. The federal government is also welcoming EMV as a way to guard against future breaches and fraud. As this blog noted earlier, President Obama issued an Executive Order on October 17 requiring executive departments and agencies to transition to chip-and-PIN enabled payment terminals and cards by 2015, and charging the Office of Management and Budget with developing plans to replace agency-issued payment cards with one that have enhanced security features. Moreover, President Obama declared that his administration would work with industry leaders to accelerate chip-and-PIN adoption by the private sector in advance of their October 2015 deadline. What are EMV-chipped cards? Short for “Europay/MasterCard/Visa,” the payment card companies that first developed and championed the technology, EMV is the standard smart chip-based system that allows retailers to process transactions with greater security than is possible with traditional magnetic-stripped payment cards. EMV-chipped payment cards have embedded microprocessors that store cardholder data and allow for PoS devices to verify a card’s authenticity via dynamic authentication methods. Cardholders are in turn verified through methods such as chip-and-PIN, where the cardholder is required to enter a PIN in order to complete the transaction at PIN-capable terminals.[1] In essence, the card’s chip is the authentication component, while the user’s input of his or her PIN authenticates and verifies the cardholder. Such measures reduce payment card fraud by making EMV cards and cardholder data more secure and harder to copy than traditional magnetic-stripped cards. Payment cards that store cardholder data on magnetic stripes are more vulnerable to hacking efforts like data skimming, where thieves can read and copy the static cardholder data embedded in magnetic stripe in order to make counterfeit clones. According to payment card industry members abroad, EMV-enabled cards have had a measureable effect in reducing payment card fraud. The UK Cards Association’s 2010 Decade of Cards Report notes that the implementation of chip-and-PIN cards in 2003 had a major effect in reversing the ever-increasing number of card fraud incidents in the UK; between 2006 and 2010, counterfeit card fraud losses in the UK decreased by 63%, a decline attributable to the heightened security that EMV cards offer. EMV technology, while less prevalent in the U.S., is nothing new: Europe has embraced the technology since the 1990s, and much of the rest of the world has followed suit. By the end of 2012 there were 1.62 billion EMV-chipped cards in the world, with much of the world’s card terminals outside of the U.S. EMV-enabled (in Europe 95% of all terminals were EMV-enabled; for Canada, Latin America and the Caribbean: 79%; for Africa and the Middle East: 77%; for the Asia Pacific region: 51%). If EMV is more secure, why has the U.S. lagged behind? Despite the security and verification benefits of EMV technology, card issuers, retailers and other businesses in the U.S. have been slow to embrace EMV due to the high cost of replacing customer cards, ATMs and payment terminals with EMV-capable equipment. Indeed, with an estimated 15 million magnetic stripe PoS devices, 360,000 ATMs, 610 million credit cards and 520 million debit cards in the U.S., a nation-wide upgrade to EMV-capable cards and devices is going to be no small expense. Despite these costs, U.S. businesses and card issuers are starting to accept that converting to EMV-chipped cards and enabled devices is necessary to guard against the wider problems of payment card fraud. The efforts by Walmart and Sam’s Club to make all of their stores and branded payment cards fully EMV-capable by year’s-end is a major step in getting the U.S. closer to fully adopting EMV payment fraud protections. And as noted above, the major U.S. payment card companies have established roadmaps for how they will move to EMV-capable payment systems in the coming years. But perhaps most importantly is the payment card industry’s October 2015 deadline for merchants to upgrade to EMV-based payment systems, as merchants who fail to install EMV payment devices by the deadline will assume all liability for counterfeit fraud they suffer, a potentially costly penalty for non-compliance. After October 2015, will EMV make payment card data breaches a thing of the past? As the October 2015 conversion deadline looms ever nearer, U.S. retailers large and small will need to follow the example of Walmart and Sam’s Club and take necessary steps to convert to EMV-capable payment systems in order to avoid future liability. While no security or payment system can ever be completely secure, it has been widely reported that EMV represents one of the best ways retailers and merchants can prevent malicious attacks and protect payment card information. If EMV becomes widely accepted, large-scale payment card data breaches may become less of a concern at the check-out line.