Digital Transactions Authoritative, insightful and timely information for payments professionals
Sports and entertainment venue operator The Madison Square Garden Co. (MSG) on Tuesday disclosed a nearly year-long breach of payment card information involving customers who bought concessions at five of its venerable properties. And a new study from Federal Reserve researchers makes six recommendations for improving mobile-payments security, one of which is a proposal to eliminate the backup magnetic stripes on the new EMV chip cards.
New York City-based MSG did not disclose the number of credit and debit card holders affected by the breach, but it could be in the tens if not hundreds of thousands. The affected venues are Madison Square Garden, the Theater at Madison Square Garden, Radio City Music Hall, and the Beacon Theater, all in New York City, and the Chicago Theater in downtown Chicago. Card numbers, cardholder names, expiration dates, and verification codes may have been captured from the cards’ magnetic stripes as they were swiped at point-of-sale terminals for food and beverage purchases.
MSG said in a statement that it began an investigation and hired computer-security firms after card issuers identified “a transaction pattern indicating a potential data-security concern.” The investigation in late October found signs of “external unauthorized access,” the statement says.
The probe discovered the installation on MSG’s payment-processing system “of a program that looked for payment card data as that data was being routed through the system for authorization,” the statement says. The compromise started Nov. 9, 2015, and continued until Oct. 24.
Not all cards used at concession sites during the breach period were affected, MSG said. Nor did the breach affect cards used on MSG Web sites, at the venues’ box offices, or on the Ticketmaster ticket-sales site.
MSG did not disclose the amount of fraud on the compromised cards. The company said the breach has been stopped, and that it is has notified law-enforcement authorities and is working with the security firms to strengthen its security.
MSG owns the NBA’s New York Knicks, the NHL’s New York Rangers, and some other sports teams, and operates other venues besides the ones affected by the data breach.
Meanwhile, a report issued this month by the Federal Reserve banks of Boston and Atlanta analyzes areas where mobile commerce is subject to fraud and other threats, especially now that the U.S. is well along in converting magnetic-stripe credit and debit cards to EMV chip cards. The conversion has made counterfeit fraud at the point of sale much harder to commit, spurring fraudsters to devote more attention to card-not-present (CNP) channels, including mobile payments.
The report draws on findings from the Mobile Payments Industry Workgroup, a group of industry executives and researchers from the two Fed banks, and identifies “gaps and issues” with CNP security approaches. It concludes with six recommendations, including development of a strategy to eliminate the backup mag stripes on EMV chip cards in three to five years.
Nearly all U.S. chip credit and debit cards come with a magnetic stripe so a card can be used at POS terminals that still don’t accept chips. The card networks haven’t issued any mandates for issuers to banish the mag stripes.
“Inclusion of the mag stripe on cards is a major vulnerability because when swiped instead of dipped [into an EMV terminal], the card is susceptible to counterfeit card fraud,” the report says.
The researchers go on to note that a few merchants that offer private-label payment cards, including Target Corp., plan to eliminate backup mag stripes.
“In the current CNP environment, many smaller e-commerce merchants may have weak authentication controls that provide fraudsters with the opportunity to make fraudulent purchases with stolen counterfeit card numbers,” the report says. “There is also the risk that a counterfeit card number will be provisioned to a mobile wallet and used to make fraudulent purchases. Overall, reducing potential vulnerabilities in other payment channels benefits the mobile channel as well, as they are all connected and used by consumers.”
The other recommendations include considering mobile commerce as a separate channel from the more established e-commerce channel; using multilayered and multifactor security controls; encouraging industry collaboration on information sharing and customer education; sharing m-commerce best practices with small and micro merchants, and collaborating on standards and best practices to mitigate CNP fraud.
