MAG Insights

MAG Member Corner

A Retailer’s Perspective on Proposed Payment System Security Enhancements

By The Home Depot Payments Team

In light of the recent data breaches at fellow merchants, there is a heightened focus on security and fraud in the payment industry and beyond.  Even government entities are inquiring, investigating, and likely considering further regulation.  Unintentional, ill-informed decisions by any of the stakeholders could lead to significant work and investment with little impact on fraud.  For that reason, it is essential to understand the benefits, limitations and consequences of any approach relative to the critical objectives.

It is important to first be clear regarding the fundamental objectives required to significantly advance data security and reduce fraud:

  • OBJECTIVE #1: Protect data obtained from the consumer during a transaction (i.e., card #, PIN, etc.)
  • OBJECTIVE #2: Establish payment industry card acceptance processes that hinder or further prevent the use of fraudulent payment data, in order to reduce fraud costs

As you know, many, including the payment networks, are advancing EMV (think chip cards only, as we’ll address the decision on signature/PIN separately) as “the solution,” but EMV alone is a headline and only partially helps achieve OBJECTIVE #2.  A chip is simply an alternative way for a card to carry and transmit card data.  The most significant value added by a chip card is the potential sophistication of the dynamic codes that accompany the current static payment data, versus the mag-stripe technology used today, which carries only static data (essentially the same technology cassette tapes used several decades ago).  This sophistication, delivered via the chip in the form of an algorithm-generated dynamic code known only to the original card and the issuer, helps protect against the creation of counterfeit cards, which is only one type of fraud, and is the best first step the industry can take while still operating off plastic.

As background, the core reasons the banks and networks originally supported EMV prior to the recent data breaches include the following:

  1. Shift fraud liabilities to merchants
  2. Capture international volume (as chip is the primary standard in other developed countries, which often prevents the spend capture of US travelers)
     • A Federal Reserve report from January 2012 titled “Chip-and-PIN: Success and Challenges in Reducing Fraud” acknowledged this motivation of early adopters: “the reason for the technology migration by these financial institutions has less to do with risk and more about global acceptance of the cards.”
  3. Create difficulties for merchants obtaining additional debit routing options (as provided for by Durbin)
  4. Drive adoption of chips and readers to pave the way for their mobile solutions leveraging the same technologies

To be clear, EMV does nothing to protect sensitive data once received from the consumer (OBJECTIVE #1), and therefore would not have prevented the recent data breaches.  Since static payment data (in addition to the dynamic code) will continue to be transmitted in an EMV transaction, the sensitive information can still be compromised and potentially utilized in a non-EMV card acceptance environment (e.g., card-not-present/online, mag-stripe only merchant, mag-stripe fallback) unless protected via other measures.
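The two points above (a dynamic code only the card and issuer can produce defeats counterfeit cards, while the static card number still travels alongside it) can be seen in a small simulation. This is an added illustration, not code from the article or from any payment network: it assumes an HMAC-SHA256 over the transaction fields in place of the real EMV cryptogram derivation, and uses a constructed card number and key.

```python
import hashlib, hmac, os

# Constructed sample: one chip card and its issuer share a per-card key.
# Real EMV derives session keys and uses a CBC-MAC; HMAC-SHA256 is a simplifying
# assumption that keeps the property relied on: only card or issuer can make the code.
CARD_KEY = hashlib.sha256(b"constructed-per-card-key").digest()
PAN = "4111111111111111"  # constructed test card number; static data

def mac(key, pan, atc, amount_cents, nonce):
    """Dynamic code over the static data plus per-transaction values."""
    msg = f"{pan}|{atc}|{amount_cents}|{nonce.hex()}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]

class ChipCard:
    """Card side: holds the key and an application transaction counter (ATC)."""
    def __init__(self, key):
        self.key, self.atc = key, 0

    def authorise(self, amount_cents, nonce):
        self.atc += 1  # never repeats, so every cryptogram is fresh
        return {"pan": PAN, "atc": self.atc, "amount": amount_cents, "nonce": nonce,
                "cryptogram": mac(self.key, PAN, self.atc, amount_cents, nonce)}

class Issuer:
    """Issuer side: recomputes the code and rejects stale counters."""
    def __init__(self, key):
        self.key, self.last_atc = key, 0

    def verify(self, m):
        expected = mac(self.key, m["pan"], m["atc"], m["amount"], m["nonce"])
        if not hmac.compare_digest(expected, m["cryptogram"]):
            return False  # wrong key (counterfeit card) or altered fields
        if m["atc"] <= self.last_atc:
            return False  # replay of an already-seen transaction
        self.last_atc = m["atc"]
        return True

def run_scenarios():
    card, issuer = ChipCard(CARD_KEY), Issuer(CARD_KEY)
    genuine = card.authorise(2599, os.urandom(4))
    results = {"genuine": issuer.verify(genuine)}
    # Counterfeit: every static field copied, but the key cannot be copied.
    clone = ChipCard(hashlib.sha256(b"no-card-key").digest())
    clone.atc = card.atc
    results["counterfeit"] = issuer.verify(clone.authorise(2599, os.urandom(4)))
    results["replay"] = issuer.verify(genuine)  # same message sent again
    # Objective #1 gap: the static card number still travels in the clear.
    results["pan_exposed"] = genuine["pan"] == PAN
    return results
```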

EMV also has gaps in achieving OBJECTIVE #2, as a chip card alone does nothing to protect card-not-present (CNP) transactions, given that a chip cannot currently be read for online transactions.  For this reason, upon implementation of chip cards, merchants can expect fraud to shift to CNP channels.  Implementations in the UK, France, Canada and Australia have all proven this to be the case.  In fact, the same Federal Reserve report referenced above stated that “as evidenced in every country where data was available, CNP fraud increased as face-to-face fraud fell, initially resulting in little to no impact in overall card fraud.”  Even more concerning, in three of the four countries mentioned, the increase in CNP fraud actually caused an INCREASE in total fraud in the short term immediately following the EMV rollout.  Note that when fraud shifts to CNP transactions, it becomes the responsibility of the merchant, so in this scenario the banks and networks accomplish shifting a portion of the counterfeit liability.

Further, the current network-proposed EMV plan calls for cards with BOTH a chip and a mag-stripe, where the mag-stripe will serve as a “fallback” processing option.  Under this approach, EMV adds less value as fraudsters will still be able to create a counterfeit card simply by writing stolen data to a mag-stripe just as they do today.  The networks and banks likely support a “fallback” model because they fear the loss of transaction volume should customers not remember their PIN.  This approach suggests that they are more interested in the interchange revenue than they are in preventing fraud.

As it relates to the two core objectives, let’s first look at how to address Objective #2 (preventing fraud).  The use of PINs in conjunction with EMV is critical to further secure card-present transactions.  Federal Reserve studies indicate the incidence of fraud on signature cards is up to seven times that of fraud on PIN cards.  PINs significantly hinder the use of stolen cards for obvious reasons, in addition to the inherent value chip cards provide in preventing counterfeit card fraud.  The Federal Reserve has stated that “a move away from mag stripe cards to chip cards would have a positive impact on counterfeit card fraud in the United States.  Maintaining signature as a cardholder verification method for EMV chip cards might not have a similar positive impact on lost or stolen card fraud as experienced in chip-and-PIN countries.”  Unfortunately, the networks/banks have differing views on whether to use PIN or signature as the cardholder verification method for face-to-face transactions.  Visa’s official position is chip + signature (likely due to their prioritization of maintaining transaction volume and interchange income over security), while MasterCard has expressed support for chip + PIN.  Fortunately, the banks’ and networks’ own actions are evidence of their acknowledgement of the value of PIN.  Banks mandate the use of PINs at ATMs, and Visa’s own claims (in their submission to the Australian Competition and Consumer Commission) clearly acknowledge the value of using PINs in preventing fraud despite their corporate position: “One of the most effective ways of combatting fraud (particularly Lost/Stolen and NRI fraud) is to make the use of PIN for customer verification compulsory”.  Successfully defending the use of signature will likely be a tough objective for the networks and banks.

One important concept often lost in the PIN discussion is the fact that PINs need to be enabled for use in all channels (including online).  Given their proven effectiveness in preventing fraud, enabling PIN use in card-not-present channels is likely one of the most effective means of decreasing total fraud, rather than squeezing the balloon and reducing it in one channel just to see it pop up in another.  Retailers need to push hard for this.

As it relates to Objective #1 (data security), there are multiple approaches, but the most prevalent is encryption, which protects the actual cardholder data by converting it into a form that is unreadable to anyone without the proper key to decrypt it.  Encryption at an acceptable standard (e.g., 128-bit or more) has been proven effective in protecting sensitive data; however, encryption by all parties (from point of acceptance to issuer receipt) would be necessary to fully protect consumer information.  The current system entices fraudsters to seek sensitive payment data, and merchants are obviously a target.  We would highly encourage you to work with your IT and security teams to ensure your current levels of security adequately protect against an attempted breach and/or establish a plan to enhance the layers of protection.

Tokenization, which is a method of using one-time substitutable data in place of static cardholder data, is another option to ensure the protection of customer data.  In concept, tokens can help protect sensitive data as they are only valid for a single transaction; even if stolen, the token would be of no value.  However, to be effective it is critical that the token be obtained at or before the point of acceptance.  This potential exists for merchant-generated tokens at POS, but third parties (e.g., network or issuer) attempting to “sell” tokenization for its conceptual benefits, yet employing a model that grants a token only after requiring the merchant to pass sensitive data, are simply charging a fee for a “solution” that perpetuates existing security risks.  Visa and MasterCard have both indicated they are developing a tokenization solution; however, they have refused to release any details, and this secrecy may suggest the solution’s primary objective is not data security.  Tokenization needs to be approached with extreme caution, as it may impact a retailer’s ability to link transactions to a customer household, and it could come at a cost from the banks and networks (while they pocket the fraud savings).

There is, however, a valid use case for tokenization.  Mobile payments offer the opportunity to maintain sensitive data in the background and increase the utility of tokens.  The ability for a mobile device to connect directly with the issuer to obtain a token BEFORE transacting means that no one other than the customer and issuer would even be granted access to the sensitive data.  The banks/networks understand the potential benefits of mobile transactions and are advancing contactless EMV to simplify the transition from EMV chip cards to phones, which would help preserve the existing model even in a mobile world.

CONCLUSIONS

As you can see, several solutions have been touted to improve security, but no single solution is perfect or eliminates all risk; it takes a combination of several.  The following is a summary of the necessary actions retailers should support in the effort to increase security and reduce fraud:

1) Identification, in conjunction with EMV (chip), must be via PIN and NOT signature

2) PINs must be enabled to work at all points of acceptance (i.e., chip/PIN at POS as well as card number/PIN online) to ensure heightened security both in-store and online, and effectively reduce fraud rather than simply transferring it from one channel to another

3) Mag-stripe should be completely eliminated as a fallback option due to its fraud vulnerabilities

4) The proposed network fraud liability shift to merchants is unacceptable unless items 1-3 above are implemented

5) All parties (merchants, acquirers, networks and issuers) must fully encrypt payment data, from the PIN pad through to the issuer

   • Tokenization, like encryption, has the potential to protect customer data, but has inherent flaws if not utilized appropriately

6) All networks must immediately converge on one EMV debit technology standard so that debit cards can be processed under a secure EMV environment and preserve merchant routing options granted by Durbin

Finally, although banks will almost certainly seek reimbursement from merchants for costs associated with a breach and/or an increase in future interchange related to implementation of increased security measures, it’s important to note that they have always been compensated for these costs (whether or not a breach occurs) with every transaction.  Given knowledge of interchange rates, rough issuer economics and bank-disclosed costs resulting from a breach, one can deduce that merchants have historically funded (through excess interchange) the cost of a breach approximately once every 3-4 months.  If merchants invest in solutions that reduce bank fraud liabilities, merchants should see a reduction in interchange rates.

Fortunately, key players across industry verticals are now demonstrating a willingness to collectively discuss solutions.  For example, RILA is partnering with the Financial Services Roundtable (FSR) and the National Cyber-Forensics and Training Alliance (NCFTA) to explore security improvement options.  It is these types of proactive steps that are required to arrive at effective solutions that will be acceptable to all, and we commend all who have been active in that regard.  In their January 2012 report, the Federal Reserve stated that “for a chip-and-PIN migration in the United States to have a successful impact on reducing total card fraud, the entire payment card industry needs to be coordinated with regards to product issuance and acceptance as well as solutions for mitigating CNP fraud.”  For those that have not been active, we strongly encourage you to get in the game and ensure our merchant voice is heard.  We cannot sit idle and expect others to solve this for us.