The U.K. is rapidly becoming a target for payment crime, with malware on the rise and the country poised for fraud spikes as crooks abandon EMV-protected terminals to target the more vulnerable e-commerce channel.
To serve this market need, First Data is bringing its TransArmor tokenization package, which launched in the U.S. in 2010, to the U.K. in the first half of the year, with other European markets to follow.
First Data is entering a market where many payments providers and merchants aren't compliant with the Payment Card Industry data security requirements. According to a recent Verizon report, only 31.3% of organizations in Europe were compliant with at least 80% of the PCI data security controls. This lagged behind North America, where 56.2% of organizations were PCI compliant, and was greatly eclipsed by Asia-Pacific regions, where 75% were compliant.
"The malware threat component has grown three times from 2012 to 2013," said Paul Kleinschnitz, senior vice president and general manager of cybersecurity solutions at First Data, who expects even greater spikes in malware between 2013 and 2014.
The TransArmor solution encrypts at the point the card payment is executed, and tokenizes credentials for online transactions. The package, which First Data targets at small and medium-sized businesses, also includes a liability waiver that covers merchants hit by a data breach, up to a certain amount.
Web-related payments crime has existed for years, but is now accelerating and becoming more sophisticated. In 2007, T.J. Maxx suffered a breach when fraudsters found Wi-Fi vulnerabilities and stole payment credentials, although they had to be in the general vicinity. Then, a couple of years later, the industry was overcome with skimming attacks, in which fraudsters put devices into ATMs and, in conjunction with tiny cameras, captured card credentials and PINs.
Merchants must now combat even more elusive digital threats from software that traverses networks to find vulnerabilities, said Kleinschnitz. These fraudsters manage the malware as they sit remotely, sometimes in states where they're protected, he said.
Credit card numbers on the black market can be sold for between $50 and $100 apiece, Kleinschnitz said. So for a "small" breach of 50,000 cards, fraudsters stand to make $2.5 million at the low end.
Buoyed by this opportunity, crooks are committing larger breaches. Target's data breach during the 2013 holiday season compromised at least 40 million cards. While this is huge compared to recent breaches at Chick-fil-A (9,000 cards at risk) and Staples (1.16 million cards affected), the more recent Home Depot breach eclipsed Target with 56 million payment cards and 53 million email addresses taken by fraudsters.
"The criminal underground and ecosystem to monetize that data is unbelievable; cybercrime has become the most profitable criminal activity, surpassing the illegal drug trade," Kleinschnitz said.
The U.K. also stands to suffer because some fraud will migrate after the U.S. completes its EMV migration, forcing crooks to leave counterfeiting behind for web crime. Approximately 46% of global acquiring fraud is incurred in the U.S., according to data from SAFE, a fraud statistics database and QMR.
"Once EMV is rolled out to the masses [in the U.S.] we'll see that spread out," Kleinschnitz said.
The U.S. EMV migration will close down the easy and obvious route for criminals, leaving them to look out for fresh security weaknesses to exploit, said Zil Bareisis, a senior analyst for Celent. "Looking beyond EMV, the U.K. and Europe appear to be behind the U.S. in security readiness," he said.
Since a breach is likely to happen, the best way for merchants to cut their losses on those attacks is to make sure data is not valuable outside the system, said Kleinschnitz. "Encryption and tokenization...are proven solutions that would have stopped every one of those breaches you can name off the top of your head," he said.