Applying lessons learned from EMV-mature markets

By: Jeremy King, International Director PCI SSC

There is good news coming for U.S. retailers in the fight against counterfeit payment card fraud.

EMV chip technology is heading to U.S. markets. While this technology, as implemented in European and Canadian markets, drastically reduces face-to-face fraud, it's important to note that it is not a cure-all.

Chip card technology prevents criminals from creating counterfeit cards, but it will not prevent criminals from hacking into your system and using the stolen card data for online purchases. In the U.K., for example, card-not-present fraud rose to an all-time high of £331M ($500M) in 2014, according to figures released by The U.K. Cards Association, and card-not-present fraud has more than doubled in Australia and Canada.

The big question I often get is: "Would EMV chip technology have prevented the recent high profile breaches?" The answer is, technically, no, because in these large retail breaches the criminals often "scrape" the card data as it is transmitted through the POS device. This would still be possible even in an EMV environment. However, with EMV technology the criminals would not be able to create counterfeit credit cards. What they would still be able to do is use the data in online, over-the-phone or mail-order transactions.

This is the critical reason retailers need to be vigilant in applying controls as specified in PCI Standards to protect cardholder data in all payment channels and across all steps in the transaction process.

Consider the following top-level payment card security practices:

  • Stay Current with Software. Work with your website administrator to make sure your website uses the most up-to-date software patches. This is especially relevant with the recent release of PCI DSS v3.1.
  • Establish Security Training. Have a clear security training plan that is applied to all staff annually.
  • Implement Strong Passwords. Have a clear password program and ensure that default passwords are never used and strong passwords are implemented.
  • Recognize Your Cardholder Data Environment. If you don't know where cardholder data is in your environment, how can you know where to protect it? Also, if you don't need it, don't store it.
  • Devalue Cardholder Data. Work with your payment vendors to implement tools such as point-to-point encryption and tokenization, which will devalue the data in your cardholder data environment.
  • Make Security a Daily Priority. That deadbolt on your door will only protect your business if you lock it every day. Security controls will only protect your business if you make them a priority 365 days a year.

So will EMV chip cards stop fraud in the United States? Unfortunately not. As merchants strengthen security at the point of sale with EMV, fraudsters will shift their efforts to more vulnerable payment channels, such as telephone, mail and online. Just as Europe and other mature EMV markets have found, the only way to tackle fraud is to embrace both EMV and the PCI Security Standards. Together they provide the best defense against card fraud.