The first U.S. holiday season with chip and PIN technology in place is freshly behind us. Now, we must wait to gauge the impact on credit card transaction security, and on retail purchasing in general.
The technology, also known as EMV for Europay Mastercard Visa, uses embedded chips in cards that encrypt account information and personal identification numbers. It has been in place in much of the world for some time, and is designed to bolster the security of credit card transactions by making it difficult for intruders to access accounts.
In 2012, MasterCard and Visa agreed that, by October 1, 2015, every retailer in the U.S. would need new terminals to accept chip and PIN cards, much like the ones abroad. Retailers in the U.S. are deploying the technology to replace magnetic stripe systems.
As with many other security solutions, the adoption of new technology raises questions about convenience for users. In a public policy post in November 2015, the National Retail Federation (NFR) points out that “it does take a few seconds longer to process transactions with the new EMV cards than traditional cards. That’s because the cards U.S. banks are issuing are chip-and-signature rather than the more secure chip and PIN cards used in most of the rest of the world.”
In other countries, NFR says, “you insert your card, punch in the PIN while the transaction is processing, and are free to go as soon as it says approved. Here, consumers have to wait while the transaction processes and can only sign at the end.”
And even as U.S. retailers and consumers get used to the technology, new research brings into question the effectiveness of the mandate to move to EMV in stopping the latest security threats.
The Third Annual Data Breach Industry Forecast by Experian predicts that the “EMV chip and PIN liability shift will not stop payment breaches.”
Referencing an earlier study by Experian and the Ponemon Institute, the report notes that just over half of executives in the payments sector think chip and PIN will decrease the risk of a breach. Some 64% think it is more challenging to secure payment card information than other personal identifiable information.
These types of attacks might continue for a number of reasons, the Experian report says. One is that many retailers have yet to fully adopt chip and PIN technology, which might leave them still vulnerable to the same malware attacks. It cites a survey from the Hartford Financial Services Group reporting that 86% of small businesses had not yet invested in equipment to accept chip and PIN cards, despite the liability shift deadline.
Besides small businesses, distributed payment systems such as those at gas stations and independent ATM networks will likely take a significant amount of time to adopt the technology. In both cases, “it’s possible we could see the cost of breaches to these types of organizations increase in the coming year,” the Experian report says.
Any imperfect implementation of the EMV technology could also introduce vulnerabilities that attackers might exploit. “Any time a major technology is adopted, it’s possible that companies will make implementation errors that could leave them vulnerable to new types of attacks,” the report says.
Given the value of payment data, attackers might also exploit other methods to steal payment information that do not involve point-of-sale systems. “Similar to what’s happened in the European Union—where EMV has been adopted for some time—attacks may shift to focus on online transactions where cards don’t need to be present,” the report says.
What’s the takeaway from this?
Despite the shift to chip and PIN, payment-related data breaches will still make headlines in 2016, Experian predicts. “Merchants may be vulnerable to attack during the transition from magstripe to EMV payment terminals, and newer technologies like mobile wallets will continue to be a target for hackers,” the report says.
It’s vital for both retailers and consumers to understand that new payment technologies are not a cure-all for payment breaches, the study notes. And it’s possible that e-commerce retail sites will bring the next wave of attacks.
Chip and PIN (or chip and signature) is a move in the right direction for payments security. But retailers and consumers still need to be diligent in protection transaction data.