Stolen European payment card numbers and related data are popular imports in the U.S. black market, which is why European bankers, merchants and data-protection executives are looking forward to America’s EMV chip card liability shift that takes effect Thursday.
That’s the word from Jeremy King, international director of the Wakefield, Mass.-based PCI Security Standards Council. The Council, which administers the main Payment Card Industry data-security standard (PCI DSS) and its related sets of rules, on Tuesday began its annual North America Community Meeting in Vancouver, British Columbia, with about 1,200 people in attendance.
“I’m actually quite excited by this,” the United Kingdom-based King tells Digital Transactions News, referring to the liability shift. Speaking from Vancouver, he recalled the reaction at a recent information-security conference in Britain when the topic of the U.S. liability shift came up.
“There was a resounding cheer in the audience,” King says. “It’s because … if anyone steals card information, it typically ends up in the U.S.”
The U.S. is the last major industrial country to adopt the EMV standard. Under the liability shift, a merchant or card issuer that can’t support EMV payments at the point of sale will be responsible for any resulting counterfeit fraud. Related liability shifts affecting ATMs and fuel pumps are coming in 2016 and 2017, respectively.
As Europeans did beginning about a decade ago as chip cards took hold, Americans can look forward to a drastic decline in fraud originating from the point of sale. But, as others have warned, King says card-not-present fraud is likely to boom as fraudsters look for soft spots. “I think you will have a problem as bad as we have had in Europe,” he says. CNP fraud now accounts for 65% to 70% of all European card fraud, he says.
Even though EMV chips are very hard to counterfeit, they briefly transmit a card’s primary account number, expiration date and cardholder name in the clear, according to King. Fraudsters can capture that data and use it to make CNP transactions. Criminals also have ways to steal data from the back-up magnetic stripes on most EMV cards.
To provide stronger data protection, the PCI Council is working with payments firms to spur the development of point-to-point encryption and tokenization, according to King.
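The two preceding paragraphs describe the core idea behind tokenization: a card number captured in the clear at the point of sale is only useful for card-not-present fraud if it is a real, Luhn-valid primary account number, so the merchant's systems should hold a surrogate token instead, and only a separately protected vault can map the token back. The following Python sketch is an added illustration written for this page, not code from the PCI Council or any payments vendor. It assumes an in-memory vault keyed by an HMAC of the PAN (so repeat tokenization returns the same token without indexing on the raw number), format-preserving tokens that keep the last four digits for receipts, and tokens that deliberately fail the Luhn check so they cannot be mistaken for, or used as, a real card number. A production vault would encrypt the stored PANs, keep the key in an HSM, and itself be inside PCI DSS scope; the sample PAN below is the well-known Visa test number, not a real card.

```python
import hmac
import hashlib
import secrets

DIGITS = "0123456789"


def luhn_valid(pan: str) -> bool:
    """Return True if `pan` passes the Luhn checksum used by payment card numbers."""
    if not pan.isdigit() or len(pan) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """PCI DSS display form: first six and last four digits only (assumed layout)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class TokenVault:
    """Hypothetical in-memory token vault; real vaults encrypt stored PANs."""

    def __init__(self, index_key: bytes) -> None:
        self._index_key = index_key       # HMAC key for the PAN -> token index
        self._token_to_pan: dict[str, str] = {}
        self._index_to_token: dict[str, str] = {}

    def _index(self, pan: str) -> str:
        # Keyed hash so the lookup index does not reveal the PAN if it leaks.
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        """Replace a valid PAN with a same-length surrogate that keeps the last four digits."""
        if not luhn_valid(pan):
            raise ValueError("not a Luhn-valid PAN: " + mask_pan(pan) if pan.isdigit() else "invalid input")
        idx = self._index(pan)
        if idx in self._index_to_token:
            return self._index_to_token[idx]   # stable token for repeat customers
        while True:
            body = "".join(secrets.choice(DIGITS) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # Reject candidates that look like a real card number or collide.
            if token != pan and not luhn_valid(token) and token not in self._token_to_pan:
                break
        self._token_to_pan[token] = pan
        self._index_to_token[idx] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault can map a token back to the PAN; merchants never call this."""
        return self._token_to_pan[token]


# Constructed sample: the Visa test number captured "in the clear" from a terminal.
CAPTURED_PAN = "4111111111111111"


def demo() -> dict:
    vault = TokenVault(index_key=secrets.token_bytes(32))
    token = vault.tokenize(CAPTURED_PAN)
    return {
        "masked": mask_pan(CAPTURED_PAN),
        "token": token,
        "token_is_valid_pan": luhn_valid(token),   # False: useless for CNP fraud
        "roundtrip_ok": vault.detokenize(token) == CAPTURED_PAN,
        "stable": vault.tokenize(CAPTURED_PAN) == token,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The property a merchant cares about is the one `token_is_valid_pan` reports: a database or network capture that yields only tokens hands a fraudster nothing that an issuer would authorize, which is exactly the soft spot the article expects CNP fraud to exploit once counterfeit cards stop working.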
Meanwhile, the PCI Council on Tuesday released guidance for merchants on what to do when they have a data breach. Even though one of the PCI DSS’s requirements is to have a response plan, many merchants don’t assume a breach will happen to them and are confounded when they do have one, according to King.
“They don’t have a plan,” King says. “You can certainly be caught in a maelstrom of activities.”
This maelstrom can include everything from expensive investigations and computer and network remediation to soured customer relations, unwelcome media attention, and network fines. Sometimes the CEO’s head rolls, as in the case of Target Corp. after its huge 2013 breach. The average breach results in costs of $3.8 million, according to research cited by the PCI Council.
The guidance discusses when to bring in a forensic investigator, whom to notify of the breach, how to preserve evidence, usage of the compromised payment system, and related matters.