EMV migration won't save retail
In the wake of multiple data breaches, retailers are casting about looking for answers, solutions and a place to lay blame. But so far, there seem to be more questions than answers. Namely, will EMV save retailers?
Target's (NYSE:TGT) Doug Steinhafel may have been a sacrificial lamb, a gesture to shoppers and investors that the retailer takes the massive data breach that compromised more than 70 million customers' accounts and personal information very, very seriously. Forget that there were plenty of other reasons for Steinhafel's departure, including lagging online sales and a pretty disastrous market entry into Canada that has been widely recognized as an early failure.
But there's the part where a vendor gained access to the system, allowing it to be compromised. Even worse were the multiple alarms that were ignored that could have halted the breach. And finally, the long abandoned EMV implementation that has since been fast tracked.
But is EMV the answer? Not entirely.
"The U.S. is the final G-20 country to make the transition to EMV chip cards," said Julie Conroy, retail banking research director, Aite Group. "While the transition will effectively address the rapidly increasing rates of counterfeit fraud, fraudsters will focus their efforts more intensely online, as they have in all other countries that have made the switch to EMV. Merchants and issuers alike need to adjust their online defenses to combat the fraud while at the same time preserving the customer experience."
Some contend that fraud will actually increase during the shift to EMV cards.
"Card providers and online merchants need to be aware of the likely increase in online fraud associated with the adoption of EMV chip cards," said Andreas Baumhof, chief technology officer, ThreatMetrix. "Retailers are up against a hard deadline to make the switch to EMV payments systems, but they need to be prepared for the influx of online fraud that will go hand in hand with the transition to EMV. We have seen this in every single country that introduced EMV – and it will happen here as well."
To help minimize risk during this time, Baumhof recommends using frictionless context-based authentication to establish trust for each account login based on a fully-anonymized user identity, device usage, geolocation, customer behavior and other factors without compromising the user's identity or workforce efficiency.
Additionally, real-time trust analytics could offer instant analysis of device, location and behavioral context for every authentication attempt. Using a consistent set of identity authentication policies comparing against global benchmarks derived from peers in their industry, the size and scale of the enterprise, geographic location and more, real-time trust analytics offer unprecedented identity authentication policies.
But is the retail industry doing much more than moving pieces around the chessboard? Blogger Brian Krebs, who uncovered the Target breach in December 2013, points out that most are simply poaching ideas and cybersecurity experts from other retailers rather than looking for new talent and insight. Target's new CIO, Bob DeRodes, hails from Home Depot (NYSE:HD).
EMV won't do much to protect retailers without point to point encryption (P2PE), writes Krebs in The Guardian. "But there has been far too little discussion in the retail industry about adopting this additional security protection – mostly because it's much more costly to justify the expense in the short run," he said.
Meanwhile, EMV migration presses on. U.S. merchants must adopt EMV payments systems by October 2015. After that, any retailers or banks still using magnetic strip cards will be liable for fraud losses.
-See this op-ed in The Guardian
Steinhafel's departure leaves Target looking for redemption
Target: Timeline of a data breach
Target's data breach is a story with long legs
Target breach: Heating vendor confirmed as hackers' entry point
Target to install chip and PIN card readers, says that only 25 registers were to blame for massive breach