Did EMV leave merchants vulnerable to more data breaches?
The U.S. EMV migration was meant to devalue the card accounts so frequently exposed in merchant data breaches, but those breaches continue relentlessly, costing retailers millions and undermining consumer trust in payment card security.
Last year there were 1,579 U.S. merchant data breaches, with 1.8 billion records exposed and the average cost of a data breach estimated at around $3.62 million. This year we've seen high-profile breaches at Orbitz, Panera Bread Co., Hudson's Bay Co. stores Saks Fifth Ave. and Lord and Taylor and dozens more.
A direct correlation between the chip migration and rampant merchant data breaches is hard to prove. But experts say retailers' prioritization of EMV compliance contributed to other payment card security gaps, leading to the current high level of merchant data breaches.
“Payment card data should be protected with encryption and tokenization, but many merchants were slow to establish these, between the cost and coping with other priorities like EMV,” said Wally Mlynarski, chief product officer at Elavon, which processes merchant transactions.
The migration to EMV still isn't complete, despite an October 2015 liability shift set by the card brands. About 70% of U.S. merchants are now chip-enabled and counterfeit card fraud was down 75% this month from December 2015, according to Visa.
Online card fraud has increased during the same period, but when considering the overall increase in e-commerce transaction volume, the rise is not directly attributable to EMV, Visa has said.
Complicating a merchant's data-security tasks is the fact that attacks can come from any direction and it's not just payment card data crooks want. Hackers are also tempted by the personally identifiable information merchants often keep within their systems for purposes ranging from delivery to customer service.
One area where merchants are gaining traction in protecting against attacks on payment card data is the adoption of point-to-point encryption (P2PE) systems validated by the Payment Card Industry Security Standards Council (PCI SSC), according to Mlynarski. The PCI-validated framework shields payment card data through the entire transaction flow, beginning the moment a card is inserted in a payment terminal and ending only in the secure decryption environment.
“It’s early days, but we’re seeing more merchants move past EMV to P2PE adoption,” he said.
Millions of merchants still have gaps in their payment card data security processes that expose them to breaches, and it's not hard to predict which types of retailers may be in the next wave of data breaches, Mlynarski said.
For example, regional and midsize companies, restaurant and hotel chains, and stores using an omnichannel sales strategy are particularly at risk from hackers looking to intercept unencrypted payment card data to sell on the dark web and leverage for fraud, according to Mlynarski.
“Even merchants that have already encrypted card data in core systems may not have gotten to every property or franchise yet, and that’s where the biggest risks are now,” he said.
Retailers that use card account numbers to track customers for loyalty or other marketing programs are also inviting danger; that practice should immediately be replaced by other widely available approaches that identify customers with more secure methods, such as tokens that stand in for the account number, Mlynarski added.
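To make the point concrete, the following is an added illustration (not code from Elavon, Bluefin or any processor named here) of a hypothetical tokenization vault: the loyalty ledger is keyed by a random token, so a dump of the loyalty database yields no card numbers, while the same card still maps to the same customer. The PANs and the `tok_` format are constructed for the example.

```python
import secrets

def luhn_ok(pan: str) -> bool:
    """Luhn check, used only to reject malformed input before tokenizing."""
    digits = [int(d) for d in pan if d.isdigit()]
    if len(digits) != len(pan) or not 12 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

class TokenVault:
    """Hypothetical vault: the only component that ever holds PANs.
    In practice this sits in the processor's PCI-scoped environment,
    not alongside the marketing or loyalty systems."""
    def __init__(self):
        self._pan_to_token = {}
        self._token_to_pan = {}

    def tokenize(self, pan: str) -> str:
        if not luhn_ok(pan):
            raise ValueError("not a well-formed card number")
        token = self._pan_to_token.get(pan)
        if token is None:
            # Random token: no mathematical relation to the PAN, so a stolen
            # token database cannot be reversed into card numbers.
            token = "tok_" + secrets.token_hex(16)
            self._pan_to_token[pan] = token
            self._token_to_pan[token] = pan
        return token

class LoyaltyProgram:
    """Loyalty ledger keyed by token instead of card account number."""
    def __init__(self, vault: TokenVault):
        self.vault = vault
        self.visits = {}

    def record_visit(self, pan: str) -> str:
        token = self.vault.tokenize(pan)
        self.visits[token] = self.visits.get(token, 0) + 1
        return token

def exposed_pans(loyalty: LoyaltyProgram) -> list:
    """What an attacker who dumps only the loyalty database would obtain."""
    return [k for k in loyalty.visits if luhn_ok(k)]
```

Replacing the random token with a hash of the PAN would not give the same protection, since a 16-digit keyspace is small enough to be brute-forced offline.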
One reason P2PE adoption has been slow is that until recently many processors’ P2PE solutions weren’t optimized for merchants’ rapidly evolving payment environments.
Elavon upgraded its P2PE solution in April, creating Safe-T Link with P2PE Protect that combines with EMV, tokenization and encryption to shield sensitive card payment data until it’s delivered to the secure decryption environment.
Bluefin Payment Systems, a core provider of P2PE services through processors and partners including Elavon, said it's seeing a strong uptick in merchants deploying its services after long delays.
“In almost every major merchant data breach case, there was either no encryption or it wasn’t P2PE validated by PCI,” said Ruston Miles, Bluefin’s executive vice president and chief strategy officer.
Bluefin this month announced a partnership with Paya, enabling the Reston, Va.-based payments platform provider to offer its business customers Bluefin’s P2PE services.
“Whereas our baseline solutions already provide solid protection to our merchants, our partnership with Bluefin provides us with the opportunity of offering a fully PCI-assessed and listed solution,” said Peter Helderman, Paya’s director of product management, payment acceptance and security.