February 18, 2014
The Mythical End State of Security
As a proponent of secure payments, I am happy to see the EMV (chip card technology) discussion take center stage with national media outlets and on the Hill after the recent revelation of data breaches involving payment card data at merchants. Having written and spoken extensively on the benefits (as well as the shortcomings) of migrating to the EMV standard here in the United States, I am a strong believer in EMV's ability to reduce counterfeit card-present fraud. But I do feel that a bigger story is getting lost in these EMV discussions—that of payment card data security.
Security approaches are not static, but must be constantly improving and evolving, thanks in large part to a rapidly changing technology environment and evolving tactics of criminals. A solution that is implemented today will more than likely become obsolete or in need of additional investment to remain viable in the future. There is no "end state" when it comes to security. A wait-and-see approach for this hypothetical end state is flawed.
Consider my home security system to which I recently added video monitoring capabilities. This addition to my system made my upgrade to glass-breaking sensors several years ago seem like a bad investment. But had I waited for the camera technology, perhaps I would have suffered the same fate of several of my neighbors who ended up with bad guys breaking windows to gain entrance into an empty house. And though I feel better protected now than I was several years ago, I realize that it is inevitable that another upgrade with additional costs will be necessary in due time to best protect my property and family.
EMV is a solution ready to have a positive and immediate impact on reducing the value of stolen card data. And because of that, I am an advocate for its adoption in the United States according to the adoption plans set by the card networks. However, EMV alone does not provide complete protection of card data, and stolen card data retains value to fraudsters even in an EMV world. Magnetic stripes will not disappear overnight with a migration to EMV. (The UK began their migration in earnest seven years ago and mag stripes are still commonly found on their cards.) And stolen card data can easily be used in the card-not-present environment.
The payment industry must strive to secure payments data so that data stolen from breaches cannot be exploited for monetary value by criminals. Until the industry does that, it is reasonable to believe that data breaches and the subsequent effort to monetize the information will continue. EMV is a step in the right direction, but it is not the final and only step. EMV will be costly to implement. It will not and cannot be the final investment spent on securing card payments.
By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
TrackBack URL for this entry:
Listed below are links to blogs that reference The Mythical End State of Security: