EMV Chip Cards Are Working – That’s Good and Bad

This post was originally published here by Rich Campagna.

For many years, credit card companies and retailers ruled the news headlines as victims of breaches. Why? Hackers’ profit motives lead them to credit card numbers as the quickest path to monetization. With the appropriate data in hand, a working counterfeit card could be cranked out in seconds and used to purchase a laptop or TV at the local Walmart – easy to fence in the local black market.

Sick of being the target, the payment card industry got smart about fraud detection, created a set of regulatory compliance requirements (PCI-DSS) and, perhaps even more importantly, rolled out EMV “chip-and-pin” technologies. These are meant to reduce counterfeit card fraud by presenting a unique cryptographic code for each transaction – much more difficult to duplicate than the static information embedded in the magnetic stripe of older cards. The results have been astounding – according to Visa, “for merchants who have completed the chip upgrade, counterfeit fraud dollars have dropped 66%!” That’s great news, but bad news at the same time.

The bad news is that hackers, still motivated by profit, will continue to seek out the fastest and most lucrative path to monetization. Since credit card information has essentially become valueless, data that can be used to apply for new cards (or other monetary instruments or services) is now the target. This is why we saw a massive increase in healthcare-related breaches over the past few years. As healthcare gets its act together, hackers will move on to the next most viable target, whatever industry that may be.

Not only does this impact information security professionals in enterprises, but it also impacts consumers in a big way. For consumers, credit cards have always had limited liability, meaning that outside of a few calls to the credit card company, fraudulent card use didn’t make much impact. Unfortunately, you can’t “cancel” your social security number, date of birth, and mother’s maiden name – those are permanent. And once someone gets their hands on that data, they own it permanently as well.

So, kudos to credit card issuers and retailers for making tremendous progress. Hopefully peers in other industries will continue to follow suit.

BTW, it’s entirely likely that your organization’s shift to cloud and mobile involves some of the aforementioned data, which needs to be protected. Might be time to check out a cloud access security broker (CASB).

