Following some high-profile data breaches in 2014, U.S. payment card network participants began heavily endorsing Europay, MasterCard and Visa (EMV) chip cards as an important way to prevent damage from payment card breaches. However, criminals have taken advantage of poor implementations of EMV chip payment applications, committing extensive fraud that defeats EMV controls for everyone in the payment card ecosystem.
In her research note “Avoid Pitfalls with Payment Card Security Technologies and PCI,” Avivah Litan, vice president and distinguished analyst at Gartner, points out some of the hidden problems with payment card security technologies and the payment card industry (PCI). By year-end 2015, at least 5 percent of card issuers will suffer fraud on EMV cards due to improper implementations, up from a handful today.
In today’s blog post, Ms. Litan shares some of the findings from her report. Ms. Litan said:
EMV chip cards, already adopted in the rest of the world, have proven to dramatically reduce counterfeit card fraud because they are significantly harder to clone than magnetic stripe (magstripe) cards, which are still used throughout the U.S. Nevertheless, the adoption of EMV is relatively slow and as a result, payment card network participants must prepare for at least five more years of support for EMV chip as well as magstripe protocols on a single payment card.
Card data breaches have pushed U.S. banks, card networks, mega-retailers and other payment card acceptors into more aggressively adopting two further key security technologies in addition to EMV cards - tokenization and point-to-point encryption (P2PE).
Although these three security technologies have been around for years, interest in them soared after the breaches, and many enterprises have developed much more aggressive implementation timetables than they would have otherwise. However, in the march to roll out these enhanced security systems, some vulnerabilities and conflicts have surfaced. This calls out the need for all players in the payment ecosystem to work together on open security standards, streamlined certification processes and shared education on best implementation practices.
EMV tokens, as first implemented by Apple Pay and the payment card networks, are based on different protocols than the tokenization systems merchants use to limit the scope of PCI audits, leading to potentially conflicting token implementations. Merchants who use their own tokenization system, and also accept Apple Pay or other EMV token payments, will end up with multiple tokens for one card number, defeating a major reason why many merchants adopted tokenization in the first place.
As far as point-to-point encryption (P2PE) is concerned, P2PE can usually be turned on within 3 months if the solution uses remote key injection and management. Physically injecting keys into each card reader in a “safe room” under its own “lock and key” obviously takes much longer. Once deployed, P2PE can help protect all card transactions against data breaches. Retailers we regularly speak with say they will turn on EMV acceptance “later”. They rightfully view EMV as mainly helping the card brands and issuers, although when EMV becomes ubiquitous it will help everyone.
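To make the tokenization conflict described in Ms. Litan's remarks concrete, the following is an added illustration, not code from Gartner, Ms. Litan, Apple or any payment network or vault vendor. It models a simplified merchant-side tokenization vault (random, format-preserving tokens with a keyed index for repeat customers) next to a stand-in network token service of the kind behind wallet payments, and shows that one card number ends up with two unrelated tokens that the merchant cannot link, because the merchant never sees the PAN behind the network token. The token formats, the device binding, the HMAC index and the card number are assumptions constructed for the example; real network tokens and vault products differ in detail.

```python
import hashlib
import hmac
import secrets

# Constructed test card number (a widely published Visa test PAN), not cardholder data.
TEST_PAN = "4111111111111111"


class MerchantVault:
    """Merchant-side tokenization used to shrink PCI scope (assumed design).

    A token is a random, format-preserving surrogate stored in a vault; it is
    not derived from the PAN, so holding the token alone reveals nothing.
    A keyed-HMAC index lets the vault return the same token for a returning
    card without keeping the PAN in a searchable form."""

    def __init__(self):
        self._index_key = secrets.token_bytes(32)
        self._pan_by_token = {}
        self._token_by_index = {}

    def _index(self, pan):
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan):
        idx = self._index(pan)
        if idx in self._token_by_index:
            return self._token_by_index[idx]  # same PAN -> same merchant token
        while True:
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]  # keep the last four digits for receipts
            if token != pan and token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        self._token_by_index[idx] = token
        return token

    def detokenize(self, token):
        return self._pan_by_token[token]


class NetworkTokenService:
    """Stand-in for a payment-network token vault (assumed, simplified).

    It provisions a surrogate PAN bound to a device. The merchant receives
    only this token and has no vault entry mapping it back to the real PAN."""

    def __init__(self):
        self._tokens = {}

    def provision(self, pan, device_id):
        key = (pan, device_id)
        if key not in self._tokens:
            # Assumed format: a distinct token BIN followed by random digits.
            digits = "".join(secrets.choice("0123456789") for _ in range(12))
            self._tokens[key] = "4999" + digits
        return self._tokens[key]


def tokens_seen_by_merchant(pan, vault, network, device_id):
    """One card, two channels: a card-present sale through the merchant vault
    and a wallet payment carrying a network token. Returns the distinct
    tokens the merchant's systems now hold for this single PAN."""
    return {vault.tokenize(pan), network.provision(pan, device_id)}


def transactions_for_card(ledger, merchant_token):
    """Loyalty-style lookup keyed on the merchant token; wallet transactions
    that carry the network token are invisible to it."""
    return [tx for tx in ledger if tx["token"] == merchant_token]


def demo():
    vault = MerchantVault()
    network = NetworkTokenService()
    merchant_token = vault.tokenize(TEST_PAN)
    wallet_token = network.provision(TEST_PAN, "phone-1")
    # Constructed ledger: one in-store sale, one wallet purchase, same card.
    ledger = [
        {"token": merchant_token, "amount": 25.00, "channel": "pos"},
        {"token": wallet_token, "amount": 40.00, "channel": "wallet"},
    ]
    return {
        "distinct_tokens": len(tokens_seen_by_merchant(TEST_PAN, vault, network, "phone-1")),
        "linked_to_merchant_token": len(transactions_for_card(ledger, merchant_token)),
        "vault_roundtrip": vault.detokenize(merchant_token) == TEST_PAN,
    }


if __name__ == "__main__":
    print(demo())
```

The merchant vault can always recover its own PAN, so in-store history stays consistent; the wallet sale, however, arrives under a token the merchant cannot detokenize, so a customer view keyed on the merchant token sees one of the two purchases. Linking the two would require an identifier shared across both tokenization domains, which is exactly the cross-participant standardization the post calls for.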
More detailed analysis is available in the Gartner report "Avoid Pitfalls With Payment Card Security Technologies and PCI." The report is available on Gartner's website at http://www.gartner.com/document/2960533.
Payment card security will be discussed further at the Gartner Security & Risk Management Summits taking place June 8-11 in National Harbor, Maryland, July 13-15 in Tokyo, August 10-11 in Sao Paulo, August 24-25 in Sydney and September 14-15 in London.