Payment breaches to continue despite US EMV liability shift
By Michael Bruemmer, vice president, Experian Data Breach Resolution
The infamous mega-breaches of 2014 and 2015 — Target, Home Depot, Neiman Marcus and Hilton to name a few — shone a light on both the vulnerability and value of payment data leading up to the official EMV liability shift date of Oct. 1, 2015. With a total of 5,063,044 financial, credit and banking records exposed just last year, the deadline served as further incentive for U.S. merchants to adopt the technology in an effort to increase card security and reduce counterfeit fraud.
Now, with the adoption of EMV technology in full swing, two questions remain top of mind for payment sector executives, retailers and customers alike — will the transition to chip and PIN make credit cards and transactions more secure from attacks? What impact will this change have on other payment methods?
While the shift will likely improve the overall security of transactions in the long term, Experian believes that it is not a silver bullet against attacks and predicts that the payment industry will continue to face breaches despite the migration. Many executives agree: according to a recent Ponemon Institute study, only half of executives in the payment sector believe chip and PIN will decrease the risk of a breach. In fact, 64 percent believe that it is more challenging to secure payment card information than any other identifiable information.
This trend is driven by the fact that payment data remains one of the most valuable types of information to cyber criminals, who will continue to look for new ways to steal it and use it for fraud. While EMV will make it more difficult for criminals to use the same point-of-sale malware that's been responsible for many of the recent high-profile payments breaches, attackers will look for other routes to this information. Criminals will likely find vulnerabilities in mobile payments technologies or applications, as well as in card-not-present transactions.
For example, the European Union adopted EMV years ago, but instead of completely deterring payment breaches, the transition simply inspired hackers to focus on online transactions, where cards don't need to be present.
Furthermore, many retailers and other merchants have yet to fully adopt chip and PIN technology. Small businesses and distributed payment systems like gas stations and independent ATM networks may take a while to adopt the system, leaving them vulnerable to the same malware attacks that continue to dominate headlines. January's security breach at numerous Wendy's locations proves that all businesses, regardless of size, are still at risk.
Instead of assuming, and leading consumers to believe, that EMV technology guarantees their information will be safe from cyber thieves, companies must be aware of the potential risks accompanying this technology and continue to take steps to protect consumer data and mitigate the fallout of an incident.
The following are key practices and areas of consideration for companies that are preparing to manage a payments breach incident.