In light of additional retail breach news from Michaels Stores this weekend, Mark Bower, VP of Product Management at Voltage Security (www.voltage.com) issued the following commentary today regarding the EMV (Europay, MasterCard, Visa) payment standard:
“EMV focuses on mitigating the 1990’s risk of card cloning and credit card transaction replay in brick-and-mortar transactions by adding layers of authentication around transactions, the chip card, the reading terminal and the payment host at the acquirer. It’s a solid start to modernizing the 50-year-old magnetic card but doesn’t go far enough to protect sensitive data from contemporary threats including malware in the POS. EMV makes creating a fake EMV card very costly and difficult for criminals, but unfortunately EMV in its present form doesn’t do anything to actually protect the very sensitive PAN data coming from the card to the POS and beyond. EMV was designed with an assumption that every place where credit card data would be read would be EMV-capable. Countries that adopted EMV quickly see shifts in high-volume fraud from brick-and-mortar payment processes to e-commerce card-not-present transactions.
Unfortunately, with a lag in adoption and holes in the system like e-commerce, EMV itself leaves many exploitable gaps in the cardholder data flow, as we have seen in breaches in EMV-enabled countries. There are very effective and proven solutions to this, however. To protect from advanced threats, encryption of the cardholder data must take place in modern secure reading devices so that the POS, checkout and upstream systems only see encrypted data – all the way to the host. The industry leaders in retail and payment processing have been doing this for several years now using breakthrough, data-centric protection methods which enable retailers and enterprises to remove cardholder data from the POS and other IT systems without the heavy costs of traditional retrofits. The result is resilience in the event of attack and inevitable breaches, and a massive simplification of their PCI compliance process, which is only going to get tougher with PCI DSS 3.0 and EMV adoption. Lastly, the liability shift for breaches to a merchant’s responsibility coming in 2015 as EMV is rolled out in the US means retailers really need to be thinking now about mitigating their breach risks with a combined EMV-Encryption-Tokenization approach to avoid the double whammy of high compliance costs and the financial burden of paying for a breach, which could be in the millions.”
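The reader-to-host flow Bower describes, as an added example that is not Voltage's code or any real terminal protocol: a constructed Python sketch in which only the reading device and the acquirer host hold the key, the POS forwards an opaque blob, the host swaps the PAN for a token, and a final check shows whether a POS-side artifact (log, memory dump) exposes any cleartext PAN. All names are assumptions, and the HMAC-SHA256 keystream stands in for the device's real cipher.

```python
import base64, hashlib, hmac, os, re, secrets

# Constructed demo of reader-to-host encryption with host-side tokenization.
# Names, message layout and the HMAC-SHA256 keystream cipher are all assumptions
# made for illustration, not Voltage's product or any real terminal protocol.
READER_HOST_KEY = os.urandom(32)   # provisioned into reader and host, never the POS
TOKEN_VAULT = {}                   # host-side only: token -> PAN

def luhn_ok(digits):
    """Luhn checksum, used both by the host and by the PAN-leak check below."""
    total = 0
    for i, d in enumerate(reversed(digits)):
        n = int(d) * (2 if i % 2 else 1)
        total += n - 9 if n > 9 else n
    return total % 10 == 0

def _keystream(key, nonce, n):
    blocks = (n + 31) // 32
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(blocks))[:n]

def reader_encrypt(pan, key=READER_HOST_KEY):
    """Secure reader: the PAN leaves the device only as nonce || ciphertext || tag."""
    nonce = os.urandom(12)
    ct = bytes(a ^ b for a, b in zip(pan.encode(), _keystream(key, nonce, len(pan))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def pos_build_record(blob, amount_cents):
    """POS / checkout: forwards the blob untouched; it holds no key and sees no PAN."""
    return b"amt=%d;card=%s" % (amount_cents, base64.b64encode(blob))

def host_authorize(record, key=READER_HOST_KEY):
    """Acquirer host: authenticates, decrypts, then replaces the PAN with a token."""
    blob = base64.b64decode(record.split(b";card=")[1])
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("tampered blob or wrong key")
    pan = bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))).decode()
    if not luhn_ok(pan):
        raise ValueError("decrypted value is not a valid PAN")
    token = "tok_" + secrets.token_hex(8) + pan[-4:]   # last four kept for receipts
    TOKEN_VAULT[token] = pan                           # vault never leaves the host
    return token

PAN_RE = re.compile(rb"(?<!\d)(\d{13,19})(?!\d)")

def pan_visible(data):
    """Leak check for a POS-side artifact (log, memory dump): any Luhn-valid PAN?"""
    return any(luhn_ok(m.decode()) for m in PAN_RE.findall(data))
```

Running `pan_visible` over real POS logs or a memory capture is the same check a merchant can use to confirm that its checkout systems are out of scope for cleartext cardholder data.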