We spend a lot of time talking about what to do to prevent a breach of networks or computer systems.  This discussion has been, and continues to be, very valuable.  It is discussions like this that have allowed the payments industry to develop solutions like ProtectPay, ProPay’s secure payment solution.  ProtectPay, for instance, allows merchants to accept payment card transactions without storing, processing, or transmitting payment card data.  The benefit of such a system is tremendous.  Not only does it allow companies to significantly reduce the costs and resources necessary to achieve PCI DSS compliance, but it also reduces the risk associated with a breach.  If a merchant using a properly configured tokenization solution is breached, there is no data there to be stolen.  The merchant has only value-less tokens, not valuable cardholder data.  Unfortunately, tokenization isn’t yet universally employed.  That means that there are quite a few merchants operating today that still have cardholder data in their systems.  And while the conversation about preventing a data compromise is important, an important question still remains: What happens after the breach?

Experian and the Ponemon Institute teamed to answer that question.  The results can be found in “The Aftermath of a Data Breach.” (Registration is required to download the study.)  Of the companies studied, 45% indicated that the company lost bank or credit card information, and 60% of respondents indicated that the data that was stolen was unencrypted.  Additionally, the study found that 34% of breaches studies were the result of a “negligent insider.” This seems to support the notion of using a tokenization solution.    It should be noted that 19% of responding companies suggested that “outsourcing data” was the cause of their breach.  Most tokenization solutions do require the outsourcing of data, so how can these two findings be reconciled?  There are two important concepts that readers should keep in mind.  The first are the statistics and the second is due diligence.

The statistics are interesting.  The findings tell us that 60% of respondents lost unencrypted data.  That likely means that at least some of the outsourced providers that were cited as a cause of the breach were not securely storing the data.  Another interesting finding is that a full 50% of breaches were caused by insiders (negligent insiders 34% and malicious insiders 16%).  The other concept that one should keep in mind when reading the study is the concept of due diligence.  Outsourcing data is a big decision for any company.  It is advisable to do a significant amount of research into the potential vendor.  For example in the payments industry, companies that store, process or transmit cardholder data on behalf of a merchant is called a service provider or a data storage entity.  Regardless of the terminology, the company must be compliant with the PCI DSS and be registered with the card brands.  Ensuring that potential partners meet these requirements can substantially mitigate potential risk on behalf of the merchant.

The study is a very interesting read and has important lessons for those companies that store sensitive data.  Perhaps the most important lesson is this: If you don’t need the data, don’t store it!

Dr. Heather Mark, PhD; Sr. Vice President Market Strategy

Over the past year, the payments industry has been abuzz with news of Visa’s plan to encourage adoption of EMV technology.  While many in the payments industry have a clear understanding of what EMV is and how it might impact our business, for small merchants the term just adds on to the growing list of acronyms with which they must now be familiar.  PCI DSS, PA DSS, QSA, SAQ, and now EMV.   But what is EMV and what do small merchants need to know about it?

EMV itself is a standard begun by Europay, MasterCard International and Visa International. (Its current members are American Express, MasterCard, Visa, and JCB.)  The three companies joined together to form EMVco, whose purpose is “to manage, maintain and enhance the EMV™ Integrated Circuit Card Specifications for Payment Systems.”  In other words, the company was formed to promote the use of “smart cards.”  A “smart card” is essentially a payment card with an embedded micro-processor, or chip.  Because the chip can hold much more information than a magnetic stripe can, EMV enabled cards support multiple methods of authentication.  This ostensibly makes the process more secure for both the merchant and the consumer.   Since the chip can support dynamic and static authentication as well as online and offline authentication, the theory is that using EMV means that the risk of compromised card data being used fraudulently is significantly lower than with magnetic stripe data.  In other words, even if the data is compromised, it is less likely that it can be used to perpetrate fraudulent transactions.  As a result of its capabilities with respect to fraud prevention, Visa is strongly encouraging the US payments industry to move towards EMV.  So, what does this transition mean for merchants?

1) The requirement to comply with PCI DSS will remain - Visa’s program states that if a merchant can verify that at least 75% of its transactions are EMV, then the requirement to validate compliance with the PCI DSS can be waived.  It should be noted, though, that it is only the requirement to validate compliance that is being waived, not the obligation to comply itself.  Another important caveat to this validation waiver is that only Visa has so far extended this offer.  Merchants will still have to validate compliance as required with the other card brands.

2) EMV  does not replace data security – The use of EMV cards does not inherently provide protections against the unauthorized access or disclosure of the data itself.  Data thieves would still be able to compromise the data.  However, the utility of the data is significantly lessened as a result of the layering of authentication mechanisms employed by EMV cards.

3) Acquirers/ Processors have to transition by 2013 – As of April 1, 2013 acquirers and processors must be able to support EMV transactions.

4) Liability Shift means Acquirers likely to encourage adoption – Visa has announced plans to implement an liability shift for fraudulent purchases.  Currently, if a counterfiet purchase is made, it is largely left to the issuing bank (the bank that issued the card) to absorb.  Under the new rules, which would take effect on October1, 2015 counterfeit purchases that occur at a merchant location that has not adopted the EMV technology may become the liability of the acquiring bank.

As the deadlines come closer, the card brands will release more detail that will help guide merchants on the path to EMV.  Moving to EMV will be a challenge for an industry as fragmented as the US card processing ecosystem.  Although there will be the inevitable growing pains, though, the technology will serve to benefit all of the stakeholders – from merchant to the consumer.

Dr. Heather Mark, PhD; Sr. Vice President, Market Strategy

Many people today that consider themselves to be internet savvy might believe that they are too clever to fall for an online scam.  They know that they should not respond to pleas for help from Nigerian princes that need to move furniture for their long-deceased, well-meaning philanthropist great uncle.  They know that any job posting that requires respondents to send their bank routing information is likely not legitimate.  They know that a bank will never send an email asking their account holders to “verify their passwords” by clicking on a link.  But do they know that they shouldn’t click on that link that promises a sneak peak of the iPhone 5?

According to a recent survey by the Ponemon Institute (in collaboration with PC Tools), the answer is “no.”  The temptation is just too much, even for seemingly savvy internet users.  “Almost half (47%) of US respondents identified an online survey with a prize as either a scam or an attempt to get you to buy something later. However, when presented with the test scenarios, more than half (55%) of US respondents indicated they would be likely to provide their personal information to redeem a prize after completing an online survey,” said Richard Clooke, Online Security Expert, PC Tools.

A recent article on CNet emphasizes point made by the survey. Last spring, a number of Facebook users were scammed by a link that offered a look at the new iPhone 5.   According to Elinor Mills, the author of the article, “People who normally ignore all the other scams involving purported free software or naked celebrity photos clicked that fake news link and even completed a captcha on a second site, which reposted the scam to their own Facebook stream. That probably says more about how fanatical people are about Apple products than anything else. But it did raise the question–what does it take to lure someone to click on something that seems fishy?” It would certainly appear that the old cliche “everyone has their price” is analogous to this situation. If scammers can target the right prey with the right bait, people seem to disregard their concerns about fraud.  Target techies and Jobs-o-philes with a promised look at a future Apple product and they’ll likely click away.

The moral of the story – “think before you click.”  Many people associate internet scams with malware and Trojans, but sometimes scammers are looking for more specific information about users so that they can launch more targeted and sophisticated attacks later on.   For example, in the scam listed above,  scammers could perhaps garner email addresses.  Those addresses could then be used in phishing attacks later on to get more sensitive data from individuals.  It’s important to remember not to let your guard down when it comes to cyberscams.

Dr. Heather Mark, Ph.D.

SVP of Market Strategy