Survival tips for retailers that miss EMV deadline

Many retailers are going to miss the EMV fraud liability shift deadline in October. While this is not the end of the world, retailers need to continue to work at transitioning to EMV while making sure other security bases are covered.

"A business can survive without transitioning to EMV," Andrew Avanessian, VP at security firm Avecto, told FierceRetailIT. "Even after the Oct. 1 deadline, magnetic stripes will continue to exist within new EMV cards for some time before they are completely phased out."

Because of this, not all retailers will be quick to upgrade point-of-sale terminals as it can be very costly. For example, normal card-only terminals can cost anywhere from $100 to $500, while more integrated POS terminals with capabilities like inventory management and customer statistics management may run into the thousands of dollars, he said.

"This doesn't mean that retailers should put off the EMV transition. Despite the costs, they should start the migration as soon as possible. Consumers will very quickly start to prefer shopping with retailers who have adopted EMV payment systems over those that don't, especially as breaches at big name retailers like Target and Home Depot have made the general public more security conscious," Avanessian said.


Even with all the activity in new payment methods, like mobile apps such as Apple Pay, "EMV—and credit cards in general—will play a part in payments for a long time to come. There are millions of people who are not tech savvy enough to use modern payments methods and will continue to rely heavily on their cards."

Merchants that have not transitioned to EMV will not necessarily be victimized by more data breaches than those who have, although their exposure to potential fraud is greater. "EMV has been hyped up to be an all-powerful protective solution, but retailers must understand that it is not a silver bullet to security. While it will certainly be effective in preventing counterfeit fraud, it cannot stop retailers from being breached through other means," Avanessian said.

Retailers gather and store all kinds of information, including personal names and addresses, shopping history and card information. "Even with EMV, this data is still available to fraudsters, who could then use them in damaging phishing campaigns. In that regard, those who have transitioned to EMV are not any safer than those who haven't."

Those that don't transition to EMV will open themselves to card-present fraud, or card counterfeiting, but there are best practices they can follow to reduce the potential for card-not-present, or online, fraud. "This is just as important as card-present fraud, if not more. In fact, the roll out of EMV will likely increase online fraud, as attackers pivot their strategies in response. We saw this happen in Europe when EMV was rolled out several years ago," Avanessian said. For instance, in France, card-present payment fraud dropped by 35 percent between 2004 and 2009 after the implementation of EMV, but card-not-present fraud losses increased more than 360 percent in that same time span.

"EMV is just one piece of the puzzle. There is greater liability potential when it comes to online fraud, so I think that this is where retailers should be focusing their best practices," Avanessian said. These practices should include:

Controlling admin rights: Admin rights in a server environment should be limited to the point where admins are given only the privileges they need to respond to urgent break-fix scenarios. Doing so can reduce the potential for attack significantly.

Application whitelisting: Application whitelisting adds more control to a server environment, including remote servers, by applying simple rules to manage trusted applications.

Sandboxing: Sandboxing isolates Web-borne threats, such as emails or websites carrying malware, into a separate secure container.

Equipping the point of sale for EMV will likely get cheaper, better and easier to roll out over time for retailers who wait. "But I would not wait until it's too late, as a breach or two could cost thousands more than the implementation of EMV," Avanessian said.
