While breaches occur frequently within multiple industries, the buzz from recent events is getting attention at the highest levels. From customer inquiries, to press, to congressional hearings, the focus of the conversation has tended to fall into a few key themes ranging from the logical aspects of the network to the physical security layers of card personalization.
All of the recent breaches seem to have followed the same pattern as previous breaches – hackers are using specialized malware that targets weak points in the payment process—like point of sale terminals—where payment card data is unencrypted and can be captured. This type of sophisticated malware can sit undetected for long periods of time capturing cardholder information leading to significant fraudulent activity.
So, the big question is what can be done to stop this? How do banks and merchants continue to service customers, while balancing security and convenience? We have outlined some steps below to help banks streamline efficiencies and better prepare for breaches:
No matter how the breach happened, one thing is for sure – banks will have to reissue cards. In the days following significant breaches, consumers who think they may have been affected typically call their banks to request emergency card replacements (ECRs), creating a tremendous backlog of reissues.
Getting replacement cards into customers’ hands quickly proves challenging, even with central issuance operations running at maximum capacity to accommodate the surge of reissue requests. One way to offset the central issuance backlog and give consumers more flexibility is to complement central issuance operations with instant issuance of permanent credit or debit cards in branch locations.
With instant issuance, customers can receive a fully personalized permanent replacement card within minutes and immediately use it to make purchases. With a mixed model of central and instant issuance, customers have the ability to choose what works best for them – they can take action into their own hands and get their card right away at a local branch or they can wait 5-7 days for their new card to arrive in the mail. Not only does this provide a better customer experience, it can also help save money because instant issuance eliminates costs associated with small batch production, postage and rush or overnight delivery fees.
It’s now a given that the U.S. payment industry has no other option but to migrate to EMV payment cards – which will ultimately help reduce card-present fraud rates. Given the upcoming U.S. transition to smart card based EMV infrastructure and cards, the payment-related nature of the breach, and the fact that the U.S. is the last of the G20 countries to adopt the technology, a significant amount of discussion has focused on what impact EMV adoption would have had on these breaches.
Could EMV cards have helped stop the massive data breaches? The payment ecosystem is complex and there is no silver bullet for combating fraud. However, EMV cards could have played a very important role in reducing the value of the data obtained in the breach, because it is much more difficult to successfully use counterfeit cards for card-present EMV transactions. Additionally, EMV offers further implementation options to increase security which could have reduced the data stored by the retailer, specifically tokenization, end-to-end encryption, and some fundamental security best practices.
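As an added illustration of the argument above (not code from the original post), the following simplified model shows why captured magstripe data keeps its value while captured EMV transaction data does not: the chip MACs a per-transaction counter and a terminal nonce under a per-card key, so the issuer rejects a replay. The HMAC-SHA256 construction, the key, the track data and the amount are constructed stand-ins, not the EMV cryptogram algorithm itself.

```python
import hmac
import hashlib

# Constructed per-card key; a real issuer derives this in an HSM from a master key.
CARD_KEY = bytes.fromhex("00" * 15 + "01")
TRACK_ON_FILE = "4111111111111111=2512101"   # constructed magstripe-style track data


def card_cryptogram(card_key: bytes, atc: int, amount_cents: int, nonce: bytes) -> bytes:
    """Chip side: MAC over the transaction data, a simplified stand-in for an EMV ARQC."""
    msg = atc.to_bytes(2, "big") + amount_cents.to_bytes(6, "big") + nonce
    return hmac.new(card_key, msg, hashlib.sha256).digest()[:8]


class Issuer:
    """Issuer host: holds the card key and the last transaction counter it accepted."""

    def __init__(self, card_key: bytes, track: str):
        self.card_key, self.track, self.last_atc = card_key, track, 0

    def authorize_magstripe(self, track: str) -> bool:
        # Static data: whatever was captured at the terminal is exactly what is checked.
        return hmac.compare_digest(track, self.track)

    def authorize_emv(self, atc: int, amount_cents: int, nonce: bytes, cryptogram: bytes) -> bool:
        if atc <= self.last_atc:            # counter must advance: a captured ATC is stale
            return False
        expected = card_cryptogram(self.card_key, atc, amount_cents, nonce)
        if not hmac.compare_digest(expected, cryptogram):
            return False                    # wrong key, counter, amount or terminal nonce
        self.last_atc = atc
        return True


def replay_outcomes() -> dict:
    """One genuine purchase, then the captured data presented again by an attacker."""
    issuer = Issuer(CARD_KEY, TRACK_ON_FILE)
    nonce = b"\x11\x22\x33\x44"             # constructed terminal 'unpredictable number'
    atc = 1                                 # card's application transaction counter
    cg = card_cryptogram(CARD_KEY, atc, 2599, nonce)
    captured = (atc, 2599, nonce, cg)       # what memory-scraping POS malware could observe
    return {
        "emv_genuine": issuer.authorize_emv(*captured),
        "emv_replay": issuer.authorize_emv(*captured),                          # stale counter
        "emv_forged_counter": issuer.authorize_emv(atc + 1, 2599, nonce, cg),   # MAC mismatch
        "magstripe_first": issuer.authorize_magstripe(TRACK_ON_FILE),
        "magstripe_replay": issuer.authorize_magstripe(TRACK_ON_FILE),         # still accepted
    }
```

The contrast is the point of the passage: the same capture that lets a counterfeit magstripe card authorize repeatedly is rejected by the issuer as soon as the EMV counter or nonce no longer matches.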
For banks, one must not forget the importance of the underlying security architecture that must be in place to protect every transaction and every connection, and ultimately to protect every end user’s and device’s identity when consumers or bank employees access the network. It is critical that this security be completely hidden from the end user. Making the security architecture as seamless as possible while never compromising the integrity of cardholder data – from all users’ perspectives – is the ultimate goal.
For retailers, the Payment Card Industry Security Standards Council, which oversees the PCI security standard, issued an urgent bulletin in late August urging retailers to review security controls and take additional protective measures, such as end-to-end encryption, to protect against the malware.
Although layered security is important, many of the information security mechanisms recommended in best practices can still be compromised, or at least weakened, by a lack of strong identity on the network. A stronger baseline requirement for authenticating POS administrators is two-factor authentication. Only by verifying every identity that accesses the hub network can retailers truly consider their POS systems secure.
Whether the purchase is made at a point of sale or online, if merchants and/or issuers detect a suspected fraudulent purchase, they should consider sending an out-of-band alert to the cardholder’s mobile device for notification and approval of the purchase.
In today’s market, it is more important than ever for card issuers and merchants to reduce the risk of fraud and theft by safeguarding cardholder data, production data and access to systems, without slowing the process or sabotaging budgets. Taking all of these things into consideration – and looking at the holistic view of logical and physical security of card programs – will ultimately help mitigate the risk of fraudulent activity to help ensure consumers are protected now and in the future.