New payment technologies might make card-present theft more difficult for criminals, but a secure payment transaction at point of sale does not diminish the risk of cyber fraud and data theft for the enterprise.
Many merchants have adopted the EMV chip technology for point of sale purchases, but now criminals are taking advantage of the ease with which they can commit digital fraud. The increase in cybercrime means that thieves are accessing the environment, committing card not present (CNP) fraud and stealing data.
The European Central Bank released its fourth report on card fraud in July 2015. The report concluded, “CNP fraud went up by 21%, accounting for 66% of all fraud losses on cards.” While data on total CNP transaction is only partially available, the report said there has been a significant growth in cybercrime.
“As further growth in CNP transactions can be expected, as well as a potential migration of fraud to this environment owing to higher security measures in the card-present environment, there is a strong case for the swift adoption of more effective security measures to protect this type of transaction,” the report said.
While storefront retailers adjust to learning the new EMV chip systems, which allow for more secure transactions at point of sale, “Most security professionals and IT practitioners — even those who work for merchants — are less conversant with the payment ecosystem and how data flows,” said a Securosis report released in September 2015.
“Further, it is not appropriate to focus purely on chips in cards because security comes into play many other places in the payment ecosystem,” the report noted. Data is still vulnerable because criminals continue to find entry points into the environment through point of sale systems and other weak links.
EMV and other new payment technologies at point of sale make it more difficult for criminals to commit credit card fraud by copying a magnetic strip. Instead, criminals are targeting digital commerce and online data. “EMV is often misunderstood in terms of what it does, which creates security vulnerabilities,” said George Rice, senior director of payments, HPE Security.
“Data being stolen is not limited to payment data. All data sets need to be protected. All of this are data that criminals can monetize in one way or another. If they are able to infiltrate the security, they can extract data into their own possession,” Rice said.
With these new payment technologies comes a misunderstanding of the information they secure. “What EMV doesn’t do is protect the data in its transit point up to the bank. Data is not protected as transmitted. EMV is not doing anything to prevent the theft of card data in transit to the bank,” Rice said.
Sign up for MIS Asia eNewsletters.