Small Retailers Should Review Payment Security Controls as Fraudsters Shift Focus Post-EMV
For small and midsized retailers, the upgrade to EMV-enabled terminals represented a significant and, in many cases, reluctant investment. Because credit card companies like Mastercard and Visa had been covering fraudulent purchases, many small businesses didn’t have visibility into the cost of fraud. Only when threatened with the liability for these losses did they upgrade. This solved payment fraud for small businesses, right?
Not so fast.
EMV chip technology was a major step forward, but the professionalized fraud that's pervasive today is like a water balloon — squeeze one end and the fraudsters go rushing somewhere else. Point-of-sale fraud may now be less of a threat to the broader retail industry, but attacks haven't gone away.
The irony of the EMV chip transition is that it shifted the attention of fraudsters away from large companies like Target and The Home Depot, which no longer had a trove of easily accessed credit card numbers from in-store transactions, and toward smaller retailers with fewer controls around the credit card numbers from online and phone transactions.
Fraudsters went looking for easier targets, and smaller retailers fit that description. According to a 2019 study by TSYS, a global payments provider, only 43 percent of retailers surveyed have implemented an end-to-end encryption (E2EE) system and feel it's working well for them. That leaves nearly 60 percent of retailers potentially exposed to fraud.
Today’s omnichannel environment is also making data security more difficult. In addition to in-store and online, businesses are accepting payments at farmer’s markets, festivals and food trucks, to name a few settings. EMV technology may have reduced the attack surface in one area, but the drive toward a seamless, ubiquitous omnichannel experience is moving the marketplace in the opposite direction.
It’s understandable that small retailers don’t want to be in the business of fraud prevention — it’s not their area of expertise. However, they need to know the right questions to assess the gaps in their current systems or evaluate the effectiveness of a new one before they buy it. They should ask these questions to begin assessing their fraud prevention capabilities:
- How am I handling phone payments? This is often the Achilles heel of retailer payment systems. By upgrading to EMV technology, small businesses avoid the financial liability for card present (CP) fraud, but it still doesn’t absolve them of responsibility for protecting customers’ payment information for card-not-present (CNP) transactions. Encrypted keypads for employees accepting phone payments is one way to help reduce the risk inherent in these transactions.
- Is my payment partner storing card information, or am I? A reputable payment partner will help small retailers to avoid seeing or storing customers’ card information. Using tokenization, payment companies — which are better equipped to protect this information — can reduce this risk. There’s no reason retailers need this kind of visibility into the transaction.
- Are my mag stripe transactions encrypted? Sometimes accepting a mag stripe card is unavoidable, such as when an EMV card reader is down. This card information should be encrypted. E2EE uses encryption keys to prevent third parties from accessing data while it's transferred from one device to another. As soon as the data enters the payment system device, it's encrypted and remains that way until it’s decrypted by the end user. E2EE protects sensitive data by making the data unreadable to those without a secret decryption key.
- How am I ensuring the safety of transactions in an omnichannel environment? Retailers are under pressure to provide a seamless customer experience across multiple environments, from in-store to online and in the community. A restaurant, for example, might accept payment over the phone, online, at the table, at a food truck, or under a tent at a festival. Fraudsters gravitate towards the weak link in a company’s payments environment, so each element needs to be secure and incorporate E2EE technology.
According to TSYS’ study, 45 percent of retailers rank payment security and PCI compliance as a top POS priority this year. This finding suggests retailers are taking payment security seriously. The adoption of EMV technology in 2015 was a step in the right direction, but it’s time for small retailers to take ownership of their customers’ data and find partners that can help them implement best-in-class solutions.
Marc Castrechini is vice president of product management at Global Payments, a provider of cutting-edge payments and software solutions.