
Commentary: Don’t buy into the hype—EMV is not a security “catch-all”

12/12/2014

By Joe Majka, Verifone



President Obama’s BuySecure Initiative sets the U.S. Government on track to adopt chip-and-PIN payment security, and it parallels, and seeks to encourage, a commercial industry shift toward EMV card technology.



That’s a welcome and commendable action. Unfortunately, general media coverage surrounding EMV, as well as this recent executive action, too often positions EMV as a security “catch all.” EMV is a great way to combat counterfeit cards at the point of sale (POS), but it does nothing to prevent the types of breaches seen in recent news headlines.



In 2013, payment card fraud in the U.S. increased by 29% to $7.1 billion, according to the Business Intelligence research service, which found that the U.S. accounts for 51% of the total worldwide card fraud. The U.S. is the last G20 country to migrate from mag-stripe payment cards and it’s widely believed that as other countries have adopted EMV, card fraud has migrated to take advantage of that U.S. lag.



A Multi-Layered Approach to Security

To effectively safeguard their brands and customers against data breaches, merchants must implement EMV as part of a multi-layered security strategy that incorporates end-to-end encryption and tokenization.



While EMV limits the exposure of merchant payment transactions to fraud and misuse, it does not protect cardholder information that under EMV is still transmitted in the clear during the transaction. EMV should be viewed as part of an overall security portfolio for protecting all aspects of card transactions.



Many payment processors and retailers are moving to adopt sophisticated encryption and tokenization to secure cardholder information, from insertion of the card, to the processing host, and back to the POS device. The most secure payment transaction possible today is one that combines three technologies: EMV, data encryption and tokenization.



Data-level encryption, applied as close to the point of entry or capture as possible, almost completely eliminates access points where unencrypted card data could be intercepted. End-to-end or point-to-point encryption ensures that data is protected from the point of capture until it reaches the party that holds the decryption key, typically the merchant’s processor. If, at any point along the way, the encrypted data is stolen, it is useless to criminals in its encrypted form.



Tokenization provides another barrier to cyber thieves. It replaces cardholder account numbers with a valueless substitute -- a digital token. Tokenization reduces security risks in the event of data breaches because it eliminates sensitive cardholder data from the agency’s environment after transactions have been authorized. If the token numbers are stolen, they are meaningless to thieves because, outside of the correlation database, they are simply collections of random numbers. But, they allow the processor or agency to conduct necessary back-end processes ranging from chargebacks to analytics.
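As an added illustration (not Verifone’s product or code), a minimal random-token vault in Python showing the properties described above: tokens keep only the last four digits, have no mathematical relationship to the PAN, are deliberately Luhn-invalid (a common practice) so they cannot pass as a card number, and map consistently so back-end chargebacks and analytics can still correlate on them. The sample PAN is a constructed test number.

```python
import secrets


def luhn_valid(pan: str) -> bool:
    """Standard Luhn check; rejects malformed card numbers before tokenizing."""
    checksum = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        checksum += d
    return checksum % 10 == 0


class TokenVault:
    """Constructed demo of a tokenization 'correlation database'.

    The token is random apart from the last four digits, so the only link
    back to the PAN is this mapping. In production it lives at the processor
    (or a dedicated vault), never in the merchant's POS environment.
    """

    def __init__(self) -> None:
        self._pan_to_token: dict[str, str] = {}
        self._token_to_pan: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not (13 <= len(pan) <= 19 and pan.isdigit() and luhn_valid(pan)):
            raise ValueError("not a well-formed PAN")
        if pan in self._pan_to_token:       # same PAN -> same token, for analytics/chargebacks
            return self._pan_to_token[pan]
        while True:
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]         # keep last four for receipts and reporting
            # Reject candidates that collide or that would pass as a real card number.
            if token not in self._token_to_pan and not luhn_valid(token):
                break
        self._pan_to_token[pan] = token
        self._token_to_pan[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Only the party holding the vault can recover the PAN."""
        return self._token_to_pan[token]
```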



Cyber attacks on retailer networks are increasingly common, and the huge volume of cardholder data that has been compromised is increasingly damaging to the impacted merchant brands. It’s no longer viable to sit back and hope that cyber criminals go after somebody else; rather, the assumption should be that your organization is being targeted and you need to secure cardholder data and protect your brand.



Historically, payment data has been transmitted through the retailer's POS system, which has become a sitting target for cyber attacks. Merchants need to insulate the POS, but understandably are not eager to add complexity to their infrastructure. There are, however, solutions currently on the market, such as Verifone’s recently announced secure commerce architecture, that are designed to ensure that payment data goes directly from the terminal to the processor without ever passing through the POS system.



By removing or “decoupling” sensitive data from the retailer’s integrated POS system, sensitive card data is never stored or accessible in one place for hackers. And, with the EMV liability shift looming, this type of secure commerce architecture removes the POS from the scope of EMV certification, greatly reducing complexity and alleviating the merchant’s compliance burden.



The Bottom Line

The government’s chip and PIN migration is a welcome effort that will encourage and propel the private sector more quickly to EMV migration. I urge merchants not to be lulled by popular perceptions that EMV is the magical elixir to ward off cyber crime, but rather embrace it as one of several layers of a well-architected payment security strategy that also includes end-to-end encryption and tokenization.



By Joe Majka, chief security officer for Verifone