EMV Cards Won't Stop a Target-Like Data Breach, But These Tips Will
Retail data breaches like those recently experienced by Target and Neiman Marcus are top of mind these days. As the impact of these attacks unfolds, everyone wants to know how to protect customer data and, ultimately, how to prevent attacks from occurring in the first place. EMV technology has been touted as a solution, but contrary to popular belief, EMV alone will not prevent data breaches. In this article I examine why and offer some alternative approaches to protecting customers’ credit card information against data breaches.
EMV stands for Europay, MasterCard and Visa, the companies that initially conceived of the idea to leverage "chip and PIN" technology in credit cards. On a traditional credit or debit card, customer identifiable information (e.g., account number, customer's name) is stored on a magnetic stripe. On an EMV card, this information is stored in a smart chip. During a transaction, the card is read and the customer enters his/her unique personal identification number (PIN).
That's where the differences end between a card-present transaction using a traditional credit card vs. an EMV card. Regardless of which one the customer uses, the account information is passed to a terminal where, if unprotected, the data can be read and stolen by a cybercriminal.
The Target breach was successful because customer identifiable information wasn't encrypted at the terminal. The data was in clear text (i.e., readable form), enabling data thieves to use (or sell) the information. In a scenario like this, EMV cards won't prevent a data breach.
All is not lost, however. Retailers can help prevent data breaches by doing the following:
- Implement a comprehensive, multilayer defense. Defense-in-depth is a proven best practice that aims to stop attacks by layering different controls and protective mechanisms. The idea is that if an attack gets past one "layer" it will be caught by another.
- Monitor vigilantly. Actively monitoring for phishing attacks and other malicious activity can limit attacks and enables organizations to fight an attack at every phase, whether it is still in the planning stage or data has already been stolen.
- Implement multifactor authentication. The use of multiple authentication factors (e.g., a second password, a security image or challenge questions) can create a digital fingerprint for the customer, making it more difficult for attackers to pose as legitimate users.
- Implement safe browsing. Online transactions can be protected by scanning the computer that's attempting to connect to the retailer's website. If the machine is infected with malware or a poisoned hosts file, the user can be advised not to carry out the transaction.
- Encrypt data at the terminal. Encryption renders data unreadable, so even if data is intercepted, the recipient has no way to decipher it. The customer identifiable information is essentially useless.
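The last item above, as an added example that is not code from the article or from Easy Solutions: the track data is sealed the instant the reader produces it, so POS memory and the store network only ever carry ciphertext that a memory scraper cannot use, and only the processor can open it. As a simplification it assumes a single 32-byte AES-GCM key injected by the payment processor and a terminal id that is bound to each blob; production P2PE deployments typically use per-transaction keys (DUKPT) held in tamper-resistant hardware, but the property shown is the same.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// newGCM builds AES-GCM from the key the processor injected into the terminal.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptAtCapture seals the track data the instant the reader produces it, so
// the only thing that reaches POS memory or the merchant network is
// nonce || ciphertext. The terminal id (an assumed identifier) is bound as
// additional data, so a blob cannot be presented as coming from another terminal.
func EncryptAtCapture(key, track []byte, terminalID string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, track, []byte(terminalID)), nil
}

// DecryptAtProcessor is the processor-side counterpart; the merchant never
// holds the key, and a tampered blob or wrong terminal id fails authentication.
func DecryptAtProcessor(key, blob []byte, terminalID string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(blob) < ns {
		return nil, errors.New("blob too short")
	}
	return gcm.Open(nil, blob[:ns], blob[ns:], []byte(terminalID))
}
```

Searching a memory dump or packet capture for the clear PAN is the check a defender runs after deploying this: with encryption at capture, the blob is the only thing present and the search comes back empty.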
U.S. merchants will be required to adopt the EMV system by October 2015. It will certainly help reduce certain types of credit card fraud, but using EMV alone won't prevent breaches like that experienced by Target. A comprehensive strategy that includes defense-in-depth and continuous monitoring can help retailers protect customer data now and in the future, regardless of the type of cards customers are using.
Daniel Ingevaldson is CTO for Easy Solutions, a provider of fraud protection solutions against electronic fraud across all devices, channels and clouds.