KEEPING PACE WITH EMV
The theme of constant security vigilance also applies to the EMV chip-based card payment standard. Retailers are not the only ones that have been scrambling to adapt to EMV since the October 2015 mandate.
“The chase is on,” said Brian Engle, executive director of the Retail Cyber Intelligence Sharing Center (R-CISC). “The introduction of EMV-compliant chip technology is driving fraudsters online.”
Combined with a steadily increasing volume of e-commerce, Engle said the introduction of EMV creates a large potential for increased card-not-present (CNP) online fraud. In addition to stealing consumer payment card data and reselling it for illicit use online, Engle said CNP fraudsters can also make money with “triangle attacks” that use stolen card information to purchase items online from legitimate businesses, then resell them at a steep discount via online marketplaces that offer direct shipping. To combat the likely rise in CNP fraud, Engle advised online retailers to limit criminals’ ability to create or alter an account using bogus or stolen information.
“Identify legitimate customers when they create an account or modify an existing account,” said Engle. “Don’t just rely on a user name and password. Use second-level authentication like a text message. Don’t wait for the payment processor to notice a problem at scale.”
Engle also said fraudsters will try to take advantage of retailers while they are in the process of achieving EMV compliance.
“I expect to see an increase in POS attacks and malware as criminals attempt to squeeze everything out of the POS before EMV becomes more widespread,” said Engle. “Not everyone is online. Smaller, local chains that have lower risk thresholds and older POS technology are especially vulnerable.”