In the annals of retailer breaches, history has been made. The number of security incidents detected by retail and consumer goods companies climbed to an all-time high in 2014, increasing 19% over the year before, according to The Global State of Information Security® Survey 2015. Nowhere were these assaults more apparent than in the US, where a string of high-profile retailer compromises resulted in the theft of hundreds of millions of credit and debit cards. For several companies, the cost to investigate breaches, provide credit-monitoring services to customers, and pay for legal and professional services exceeded $50 million each.
If there is an upside to these compromises, it is that they are spurring retailers to more quickly move from magnetic-stripe payment card technology to EMV “chip and PIN” systems, a more secure microprocessor-based standard. EMV, short for Europay, MasterCard, and Visa, the organizations that created the specification, is the global standard in payment card technology.
The EMV standard entails more than the card format: it also ensures interoperability between EMV cards and EMV-compliant card-payment terminals. The cards contain an embedded microprocessor that protects customer data by creating and encrypting a unique code for each transaction. As a result, EMV cards are much less vulnerable to compromise than their magnetic-stripe predecessors.
That’s why major payment card networks have mandated that US merchants deploy EMV-based systems by October 15, 2015. (Gas station owners will have until October 1, 2017 to migrate to EMV.)
The cost of chip-based cards
The cost to upgrade the payments infrastructure may be significant, particularly for merchants. Many retailers will need to invest in upgrades to their payment terminals, estimated at an average of $500 per terminal. Beyond the point of sale, merchants and others in the payment industry may need to upgrade back-office software and authorization systems. Even the cards themselves will add expenses for issuing banks: the cost to produce EMV cards can top $2 each, while magnetic-stripe cards can be manufactured for as little as 8 cents apiece.
Adoption of EMV will also demand financial investment and cooperation among other entities in the payment ecosystem, including card networks, banks, and payment processors. Individual companies may need to update business processes, tighten security controls, expand employee training and awareness, and enhance internal and external communications.
These initiatives will be costly, but the price of inaction could be higher. EMV will undoubtedly diminish card-present fraud and better protect customer data, which can boost consumer confidence and trust. There is another incentive: After October 2015, retailers and issuers that have not implemented EMV will become liable for fraudulent payment card transactions in which an EMV card was presented for purchases.
The challenge for security professionals and the payments industry will be to stay one step ahead of cybercrooks. Doing so will demand that retailers “think like a criminal.” Cyber adversaries actively monitor and test payment systems for vulnerabilities, and retailers should do the same by assigning teams to poke holes in their systems and run scenarios to identify areas of weakness.
Accelerated deployment of EMV will require buy-in from top executives and the Board for both funding and a renewed commitment to payment card security. Yet considering the increases in security incidents, there’s no time like the present. Taking action now to update payment card systems could be a company’s front line of defense.
The Global State of Information Security® is a registered trademark of International Data Group, Inc.