January 13, 2014
Into the Breach: Protecting the Integrity of the Payment System
The breach of Target's point-of-sale system that compromised up to 40 million cardholders during the 2013 holiday shopping period has prompted us to step back and examine this attack—and wonder about its aftereffects. We've certainly seen the expected media attention for a crime of this magnitude, and the filing of class-action lawsuits wasn't far behind despite the lack of any verifiable fraud—as yet. We also have to wonder about its effect on consumers' confidence in the U.S. payment system.
For consumers to have confidence in the payment system, it is critical that they feel their financial information is protected during a payment transaction. And when that information has to be stored, they need to know that it is stored safely and securely. The research shows—and many consumers are well aware—that the creation of synthetic or stolen identities depends primarily on information obtained from data breaches.
All kinds of consumer advice followed the data breach. Many consumer advocates advised cardholders who had used their debit card at Target during the time their POS system was compromised to go to their financial institutions and request a card reissuance to prevent possible fraud. Others focused not on how consumers might recover from the Target breach but on how to prevent problems in the future—that is, they suggested that consumers use credit cards rather than debit cards because with credit cards, unauthorized transactions will not affect the payment of legitimate transactions. Some advocates suggested that people authenticate their debit cards at POS terminals with their signatures rather than their PINs, despite the fact that the level of PIN-based debit card fraud is almost one-third the level of signature-based debit card fraud.
Financial institutions also had varying responses. Some reissued cards when customers requested new cards, while others took a wait-and-see attitude. Still others lowered transaction limits on their customers' debit cards to minimize fraud exposure.
Of course, the Target incident has heated up the magnetic-stripe-versus-EMV conversation. As we've posted many times, the magnetic stripe was never intended to be a secure medium; the sophisticated and highly automated authorization systems were intended to carry the load of fraud detection capabilities. Some in the U.S. payment industry are calling for an acceleration of the migration to chip cards, currently scheduled for October 2015. They argue that EMV/chip cards will virtually eliminate the ability to create counterfeit cards. Some are even requesting that the government or the card networks mandate the technology, which many other countries did in their transitions to EMV. However, the reality is, we will have to keep our magnetic-stripe cards a minimum of five to 10 years, until the vast majority of merchant locations are equipped with EMV-capable terminals. And we should keep in mind that EMV is not a solution by itself—it cannot address card-not-present fraud.
As the authorities complete the forensics of the recent data breach, the industry will develop and implement additional security controls and measures. This added security will then prompt the criminals to look for other weak points. And look they will. So has this major incident shaken consumers' confidence? It is too early to know. What is clear is that the payments industry must come together to develop a cohesive strategy, and they should do so before consumer confidence in the payments system is further compromised.
By David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
TrackBack URL for this entry:
Listed below are links to blogs that reference Into the Breach: Protecting the Integrity of the Payment System: