Peeling Back Data Security

Conexxus event highlights EMV roadblocks and how layers of data security deliver consumer protection.

May 09, 2016

TUCSON – EMV can be a frustrating endeavor for retailers, often viewed as a moving target with many challenges that seem to have more questions than answers. And with the October 2017 liability shift looming, industry leaders convened last week at the Conexxus Annual Conference to discuss how retailers are addressing EMV roadblocks.

Linda Toth, director of standards at Conexxus, touched on the association’s participation in the EMV Migration Forum (EMF), an independent, cross-industry body that is addressing the issues and requirements necessary for EMV technology in the United States. Kara Gunderson, POS manager at CITGO, echoed that retailers participating in the EMF are educating other EMF stakeholders (card brands, acquirers, POS vendors, etc.) on the complexities of EMV adoption in the convenience and fuel retailing space, such as specifications and the certification process.

Terry Mahoney, partner at W. Capra Consulting Group and EMF member, commented that there is an assumption retailers are dragging their feet to implement EMV in their stores. “This is not true,” he said, noting that because of transaction flow challenges, the EMF is still ironing out how EMV transactions should occur. He added that in the United States there are thousands of acquirers/processors, whereas in countries where EMV adoption is ubiquitous, such as the United Kingdom, there is just one. Furthermore, the card companies gave the United States just four years to comply with EMV, whereas Canada had more than 12 years (for a country of 35 million people).

Since the October 2015 EMV liability shift, many retailers are now seeing an outrageous increase in chargebacks, mostly erroneous. Mike Lindberg, payment solutions manager at CHS Inc., commented that some smaller retailers have reported a $10,000 to $15,000 increase in chargebacks per week, while larger retailers are experiencing $1 million in chargebacks per week. “I can’t imagine what will happen at the pump come October 2017,” he warned. The No. 1 chargeback reason code since October 2015 is “merchandise not received,” he said, which in theory makes no sense for the big box retailers. Some retailers are even seeing multiple chargebacks on the same credit card, and he indicated that there is very little interest from card issuers or acquirers in helping to solve this costly problem.

Both Lindberg and Gunderson said their companies have ramped up their chargeback processes since so many are questionable, noting that retailers can also implement other controls, such as transaction risk scoring and ZIP code entry, that allow them to combat this type of fraud.

Kathleen Carroll, vice president of government affairs at HID Global Inc., talked about consumer protections against data breaches, and how the most effective data security measures contain multiple layers. HID is an identity solutions firm with more than 2 billion RFID products sold, including the U.S. Green Card, which has never been successfully counterfeited in 18 years.

Hackers aren’t in the business of stealing identities for the thrill of it, noted Carroll. According to Verizon’s 2016 Data Breach Investigations Report, 89% of breaches had a financial or espionage motive, and 63% of confirmed breaches involved leveraging weak, default or stolen passwords.

While it seems like data breaches are here to stay, the big message that follows is that breaches can be managed, contained and cured. For a breach to occur, several basic conditions must exist:

  1. Someone provides information or data that is valuable; what counts as valuable can change over time, and even fairly innocuous data can qualify.
  2. This information is stored in an accessible database and is usable/readable; if the data is encrypted it is much less valuable.
  3. Someone is capable of and motivated to steal this information or data, and has the ability to monetize it.

If any of these conditions can be eliminated, a breach cannot occur or the breach will have no consequences. So what can be done to remove one or more of these conditions from the equation?

  1. Stop asking customers for personal information and find other ways to establish identity. “Do you really need to let someone buy gas at the pump and also have their personal information?” asked Carroll, noting that a hacker only needs one of three pieces of information to steal an identity: date of birth, phone number or a name. “A driver’s license has all of this,” she said.
  2. Don’t leave the door unlocked! Encrypt the data rather than storing it in the clear.

Touching on EMV, Carroll said that it follows what the security industry has long known: the best security is layered security. Hackers will always find ways around a single security measure if other layers don’t exist. Even though chip and PIN creates layers, she said it’s still problematic because it’s not a new technology, and technology changes rapidly. By the time the investment is made to bring chip and PIN to the United States, it could be compromised. “Four billion is a lot of money to create a system that will be compromised,” she suggested in reference to the estimated costs associated with EMV adoption in the convenience retail industry.

“Thieves are getting more sophisticated in creating value from seemingly trivial personal data, as well as extracting that data; they are dark digital ‘marketers’ using the same techniques used in cyberspace to know more about customers, only for the purpose of stealing,” said Gray Taylor, executive director of Conexxus. “Data security, which includes protecting payment cards, is a ‘science project’ every business and organization has to conduct to combat the dark side of data, and Conexxus will be there to help our members, as we have since 2009.”