July 31 – With the EMV liability shift around the corner, technology experts are concerned that EMV may not be enough to thwart today’s sophisticated hackers. Indeed, Ruston Miles, Chief of Product Innovation at Bluefin Payment Systems, notes that five years after EMV was deployed in the U.K., the region continues to experience increases in Card Not Present (CNP) fraud, ranging as high as 79 percent over pre-EMV levels.
“EMV cards were built with a very specific function which they do very well,” says Miles. “Chip technology disallows counterfeiters from creating new or duplicate cards because the chip cannot be duplicated. However, even with EMV, bad guys in the U.K. can still access the 16-digit card number, and are able to do a lot of online purchasing.”
By October 2015, U.S. banks and merchants are required to be fully compliant with EMV mandates for credit card security. Those who do not comply but choose to accept transactions made with EMV-compliant cards assume liability for any and all transactions that are found to be fraudulent.
CNP purchases, made via mobile devices or online, represent the largest loss for retailers, equaling roughly 10 percent of all online purchases. According to Miles, EMV technology leaves data unprotected at three key points for CNP:
- Point of Entry: When the credit card (and data) enter a payment terminal
- Point of Processing: When card data is transmitted through a processor
- Point of Storage: When data is stored for reuse
“The big vulnerability is that the data for the full 16-digit card number is visible. Systems are still being breached because the bad guys can see everything,” says Miles. “The only way to fix this is Point to Point Encryption.”
“Using three different advanced technologies, Point to Point Encryption (P2PE) scrambles card data throughout the transaction journey. This makes data unreadable to hackers when it is in motion (points of entry and processing) and when it is at rest (point of storage).” According to Miles, Bluefin was the first to implement P2PE in the U.S. “We saw the writing on the wall in the U.K.,” he says, “and advocate a layered, or holistic, approach to card security.”
This approach includes EMV, P2PE and Tokenism, which is the use of Tokens as placeholders for storing card data when a merchant needs to hold data for future use. Miles points out that EMV is an important layer of protection when the dollar value of a purchase is high, but less critical for small purchases.
To set standards for credit card security, Visa, Master Card, American Express, Discover Card and others joined forces in 2007 to create the Payments Card Industry (PCI) Security Standards Council (SSC) or PCI-SSC. In addition to other standards, the organization requires “chain of custody” reporting by merchants. This means merchants must accurately monitor the location of their full inventory of card readers—a difficult task. In response, Bluefin built a system that manages the life cycle of a payment device, becoming the first company in the U.S. to become PCI Validated for P2PE, and the first and only company in the world with a PCI Validated P2PE for mobile supporting iPhone & iPad. “Over the past decade, the lines between retail stores and online have blurred,” he says. “Now, almost every transaction travels over the internet, via internet protocols, making P2PE essential and P2PE for mobile more critical.”
Miles will be a featured speaker at the 15th Annual CL@B Conference, an event featuring the top players and innovations in technology and finance, taking place in Miami, Sept. 2-5. Presented each year by the Latin American Federation of Banks (FELABAN) and organized in Miami by Florida International Bankers Association (FIBA), CL@B is a global forum for exploring the impact of technology and innovation in driving earnings growth and meeting the challenges faced by today’s financial institutions.
For more details about CL@B, or to register to attend, log onto http://www.felabanclab.com or contact Belkis Lopez, Conference Director at email@example.com or Leonidas Pretelt, Conference Manager; lpretelt@f iba.net; Phone : 1-305-579-0086 in Miami, Florida.