MasterCard says recent high-profile credit card breaches give U.S. merchants more reasons to migrate to EMV as soon as possible.
Since MasterCard (MA) announced its “Roadmap to Enable Next Generation of Electronic Payments” in January 2012, the credit card company says there has been an industry-wide shift toward EMV from magnetic stripe cards. EMV stands for Europay, MasterCard and Visa, the developers of this technology that runs on a smart-chip, instead of a stripe.
“We really see this upgrade to EMV as being important to the payment system for the U.S. and we firmly believe now is the time for the migration,” says Carolyn Balfany, group head, U.S. Product Delivery for MasterCard Worldwide.
Visa, MasterCard, American Express and Discover have all announced that merchants and banks that do not support EMV (aka chip-and-pin) transactions by October 2015 will be held liable for fraud that occurs as a result.
Balfany says MasterCard has experts on staff that can assist merchants and issuers making the switch. The company recently rolled out streamlined certifications and processes to test EMV-readiness.
A Multi-Layered Approach to Security
According to cyber security experts, magnetic stripes are more vulnerable to hack attacks because the customer data is not encrypted. The experts say chip-and-pin cards are safer because they are more dynamic: when the card is swiped, it creates a two-way dialogue between the card and the terminal, and each transaction carries data unique to that instance.
While the EMV technology makes cards more difficult to counterfeit, some still argue it is not enough, especially in card-not-present situations (for example, online shopping).
Paul Vallee, founder and executive chairman of Pythian, applauds the migration to chip-and-pin, saying “it’s something that’s missing almost exclusively in the U.S.” But it’s “far from” the only protective measure merchants and clients should take, he says.
He points out that for the recent breach at Target (TGT), hackers got access to the network through a third-party vendor. For protection from these types of breaches, Vallee suggests clients have a multi-factor identification process in place. In addition to providing an ID and a password for authentication, any third-party person must also agree to be monitored during their interactions with the network.
The ability to supervise third-party persons “hardens your perimeter,” Vallee says. “It’s an important dynamic, not just knowing it’s the right person but also knowing what they did.”
How Smaller Merchants Can Up Protection
For smaller merchants, making any point-of-sale adjustments presents a huge cost burden. To help, Vallee suggests reaching out to an expert for personalized advice.
Bob Russo, general manager for Payment Card Industry (PCI) SSC, says it is increasingly difficult for smaller merchants to recover from loss of consumer confidence over data insecurity. He says small businesses are the biggest targets for hackers, and says the problem lies in a lack of security education.
While Russo says there is increased awareness among smaller merchants (“unfortunately when there’s a big breach it shines a spotlight on security”), there is still more emphasis placed on what to do after the fact than on preemptive measures.
A January 2014 Verizon PCI Compliance Report shows 82% of small businesses are compliant with PCI Security standards, compared to 32% in 2011. Russo hopes this number keeps increasing, but would refer merchants to PCI’s list of tips to improve security.
Some of these include: changing passwords regularly (per PCI, “password” is still the most common password used today), designating a separate computer for processing online financial transactions, educating employees about updated security standards, using firewalls, monitoring for intrusions and having clear processes for handling sensitive payment card data.
“Today if you’re not planning for security, it’s enough to put you out of business,” Russo says.
Follow Natalia Angulo on Twitter @natisangulorico.