Retail Payments Risk Forum
Font Size: A A A

Portals and Rails

« Chip-and-PIN, or Chip-and-Choice? | Main | Phone Fraud: Now It's Personal! »

February 18, 2014

The Mythical End State of Security

As a proponent of secure payments, I am happy to see the EMV (chip card technology) discussion take center stage with national media outlets and on the Hill after the recent revelation of data breaches involving payment card data at merchants. Having written and spoken extensively on the benefits (as well as the shortcomings) of migrating to the EMV standard here in the United States, I am a strong believer in EMV's ability to reduce counterfeit card-present fraud. But I do feel that a bigger story is getting lost in these EMV discussions—that of payment card data security.

Security approaches are not static, but must be constantly improving and evolving, thanks in large part to a rapidly changing technology environment and evolving tactics of criminals. A solution that is implemented today will more than likely become obsolete or in need of additional investment to remain viable in the future. There is no "end state" when it comes to security. A wait-and-see approach for this hypothetical end state is flawed.

Consider my home security system to which I recently added video monitoring capabilities. This addition to my system made my upgrade to glass-breaking sensors several years ago seem like a bad investment. But had I waited for the camera technology, perhaps I would have suffered the same fate of several of my neighbors who ended up with bad guys breaking windows to gain entrance into an empty house. And though I feel better protected now than I was several years ago, I realize that it is inevitable that another upgrade with additional costs will be necessary in due time to best protect my property and family.

EMV is a solution ready to have a positive and immediate impact on reducing the value of stolen card data. And because of that, I am an advocate for its adoption in the United States according to the adoption plans set by the card networks. However, EMV alone does not provide complete protection of card data, and stolen card data retains value to fraudsters even in an EMV world. Magnetic stripes will not disappear overnight with a migration to EMV. (The UK began their migration in earnest seven years ago and mag stripes are still commonly found on their cards.) And stolen card data can easily be used in the card-not-present environment.

The payment industry must strive to secure payments data so that data stolen from breaches cannot be exploited for monetary value by criminals. Until the industry does that, it is reasonable to believe that data breaches and the subsequent effort to monetize the information will continue. EMV is a step in the right direction, but it is not the final and only step. EMV will be costly to implement. It will not and cannot be the final investment spent on securing card payments.

Douglas A. KingBy Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

February 18, 2014 in chip-and-pin, EMV, innovation | Permalink

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c01a73d7ac64d970d

Listed below are links to blogs that reference The Mythical End State of Security:

Comments

The largest drawback to EMV is the cost; I recently read that it would cost over eight billion dollars to change the current U.S. payment infrastructure to an EMV system. In your example, the camera system was a home security option that wasn’t feasible several years ago because of price and technology issues. Could it be possible that something like PayPal’s new payment method is a more logical step to address card security for the time being? PayPal’s payment code system is able to work with retailers existing barcode scanners and pin pads and provides more security to POS transactions than a mag-strip. This would allow for increased card security, at a reasonable cost, while the industry decides what the next best option is.

Posted by: Karen Gordon | March 17, 2014 at 12:42 PM

Douglas,

Like you, I'm glad to see that the key participants and contributors to the US payment system are recognizing the need for improvement in card data security and considering how EMV might help. I also support your contention that EMV is neither a comprehensive nor final solution. Why isn't the Fed taking a proactive role to research solutions that would eliminate the capture and transfer of card data and thus remove the risks from the points of sale altogether? There are already some interesting products in the marketplace that enable this approach and it seems a better investment for the short and long term.

Posted by: Gary Yamamura | February 18, 2014 at 10:10 PM

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in