Merchants face a confusing onslaught of terminal updates, encryption, tokenization and EMV, placing organizations like the Payment Card Industry Security Standards Council (PCI SSC) in the role of trying to make sense of the changes.
The PCI council, one of the organizations tasked with guiding how merchants, payment companies and technology providers protect account data, has taken on a second job of trying to explain the importance of each technology merchants are presented with. It's a daunting task given merchants' longstanding resistance to new technologies that they see as benefiting financial institutions more than their own stores.
"How do we communicate and how do we talk to merchants?" said Stephen Orfei, general manager at the PCI council, who has held this role for about a year, taking over for the retired Bob Russo. "We need to get away from 'infosec talk' and jargon and give them actionable intelligence, to tell them 'here is what you need to do.'"
The council has been in this spot before, trying to convince and educate merchants on the dangers of ignoring fraud trends. Knowledge of EMV-chip card technology, and how it fits into a broad security strategy, is still scarce among smaller businesses, leading some payment technology makers to get creative in their marketing of EMV.
"The message that I want to get out there is that it's not hopeless," Orfei said. "We have an endgame and a strategy to 'devalue' data so that it's useless in the hands of criminals."
The PCI council is working with representatives of merchant categories such as restaurants, card issuers and law enforcement agencies to improve communication skills, recognizing that the convergence of mobile payments, e-commerce and security requires a totally new understanding of how payment terminals are installed and updated.
The PCI council this summer is also simplifying its guidance for point-to-point encryption and is updating other standards to further explain data protection and responsibilities among merchants and third parties.
Unlike countries such as the U.K. and Australia, where the government participated in the awareness effort surrounding EMV-chip adoption, U.S.-based companies are on their own, said Julie Conroy, a research director at Aite Group.
Aite found that about 33% of small to medium-sized merchants were unaware of EMV in the fourth quarter of 2014, a large number given the late date, but still a big improvement over 75% in 2013, she said.
"We should see that number gradually reduce as ISOs ramp up their sales effort over the next few months, but there will certainly be merchants that lag," Conroy said.
The PCI council is encouraging merchant acquirers to reach out to explain EMV, tokenization and point-to-point encryption as a combined security play, Orfei said. Tokenization and point-to-point encryption, which focus on protecting data for digital transactions, are considered complementary to EMV, since fraud will likely migrate away from the point of sale to digital channels after EMV is widely implemented in the U.S.
"We're saying there is a business case to bundle these three technologies together in a cost-effective manner," Orfei said.
Another technology called 3D Secure, which enables extra authentication for e-commerce transactions, remains an option to guard against the shift in fraud, Conroy said.
"3D Secure adds additional layers of security to the transaction, and merchants that use the protocol benefit from a liability shift back to the issuer," Conroy said. "The initial versions of 3D Secure had a bunch of issues, but the newest incarnation provides a much better user experience, so we're seeing many merchants beginning to adopt this solution."
The need for a simple, understandable and comprehensive approach to both EMV and e-commerce fraud protection is acute among small businesses with limited finances, Orfei said. "These folks work hard day in and day out and don't have the resources to work on these matters."
The different liability shift deadlines the card networks set for most companies and for gas stations (October 2015 and October 2017, respectively) also heighten fraud risk, Conroy said.
"There is certainly a risk in the staggered deadlines. Fraudsters will increasingly focus their attacks on the weakest link in the chain, which will be anything still relying on mag stripe," Conroy said, adding there's a huge amount of cost and complexity associated with pump upgrades. "Issuers will need to more carefully scrutinize transactions at the pump until 2017."
Fraud will move in tandem with the terminal updates that accompany the EMV migration, posing a threat to businesses that are behind the curve, said Al Pascual, director of fraud and security for Javelin Strategy & Research.
"Education of businesses and consumers on the value of EMV is critical for encouraging a relatively quick transition from 'swiping' to 'dipping,'" Pascual said.
While the staggered nature of the target dates contributes to fraud spikes, the different dates are necessary to enable the more complex migration for gas stations, Orfei said.
"At a gas station there are multiple pumps and the amount of work necessary to pull all of those payment device readers out and put EMV readers in is extensive," he said.