Tuesday, April 23, 2024

Lying in Wait, Cyber Thieves Lick Their Chops in Anticipation of EMV Shift

The transition to an EMV-based payment card system in the United States could spur a long and sophisticated series of criminal attacks designed to separate consumers and banks from their funds. That’s one possible consequence, says Michael Bruemmer, vice president at Experian Information Solutions Inc.’s Data Breach Resolution group.

“Cyber thieves have planned for the date in the United States,” Bruemmer tells Digital Transactions News. “They’ve had four years’ notice.” In 2011, Visa Inc. was the first of the four U.S. card brands to announce a chip card conversion plan.

Many U.S. payments executives doubt EMV will decrease their risk of suffering a data breach. In the “Data Security in the Evolving Payments Ecosystem” report released in May by the Ponemon Institute LLC, only 53% of them said EMV would do so—meaning 47% don’t think it’s effective, Bruemmer says.

What fraudsters do now, and the potential outcome of their criminal acts, depends a lot on preparations merchants have in place, Bruemmer says. “Of all the breaches we’ve serviced, 80% of the root causes were due to employee negligence,” he says. Though published reports may cite state-sponsored intrusions and criminals, “the real root is an employee not doing his or her job, or doing something stupid,” he says.

That may be exactly what the criminals are counting on, especially during the transition from magnetic-stripe cards to chip cards. “There have been some well-publicized cases where administrators clicked on a spear-phishing link, or they turned a nonproduction server into a production one when they shouldn’t have, or didn’t turn on a firewall,” Bruemmer says. With spear phishing, criminals are able to get some information about targeted victims ahead of time, making it harder for the victims to discern an e-mail is fraudulent.

Compounding the situation is that some merchants, such as restaurants and retailers, have high employee turnover, Bruemmer says. “Cybersecurity has to start in the board room, with the chief executive, but it has to go all the way to the frontline members of the team,” he says.

Payment providers have a role in helping their merchants secure the transaction network, he says. “Most importantly, everybody in the system, from the consumer to the card company, has a responsibility,” Bruemmer says.

From the payments side, the push should be on quickly converting merchants to EMV acceptance, but also on making them aware that their systems should be as secure as the card brands’, he suggests. Much as a hospital, because it’s dealing with sensitive health and personal information, requires vendors to use the same level of security protocols as it does, the payments infrastructure should, too, Bruemmer says. “Anyone in that chain has to have that same level as the main entity in the hospital. Same thing has to apply in the payments ecosystem,” he says.
