
Before Chip and PIN

By Mark McCurley


Four things U.S. CUs can do as the country readies for widespread EMV adoption

The past few months have brought some data breaches with whopping implications for the financial services industry. Target’s exposure was perhaps the most significant, given the number of consumers impacted and—by extension—the volume of payment cards that were potentially compromised. The effects of these breaches will surely ripple through the industry for a long time to come.

Discussions about how to reduce the potential for such massive breaches are extending across many sectors and are even happening at the legislative level, with a number of lawmakers expressing a desire to mandate tighter security for payment cards. One technology receiving particular attention is the chip-and-PIN card, or “EMV” (Europay, MasterCard, Visa), which has significant security advantages and relative ease-of-use for consumers.

Unfortunately, chip and PIN is an expensive prospect. Both Visa and MasterCard have released timelines for the changeover in late 2015. That’s when liability for fraud will fall on the party with the lesser technology (chip-and-PIN vs. the lower-security swipe-and-sign). However, there are still likely to be many transactions occurring through outdated platforms.

Until more secure technologies are ubiquitous, CUs should consider implementing these four steps to minimize the risk of a breach.

1. Teach merchants the value of asking for proof of identification for all in-person transactions.

Stolen payment card data doesn’t just sit in a hacker’s database for months. Cyber criminals move quickly to sell the stolen credit card numbers before a consumer cancels the card. Large exposures, such as the recent Target breach, also mean fraudulent cards will span many different issuers and card brands. To counter the growing prospect of counterfeit or cloned cards being presented at the retail counter, credit unions can encourage retailers to consider instituting store-wide policies that ask for proof of identification.

It’s important to note this is not a fail-safe practice. While stores can ask buyers to provide identification, merchant agreements typically prevent them from declining a transaction solely because the cardholder refused to show ID.

2. Teach online merchants the value of asking for the three- or four-digit security code during online transactions.

Since these security codes are not stored on the card’s magnetic stripe, cyber criminals don’t have this information when creating fraudulent credit cards or shopping online. One strategy is for merchants to require that a card’s security code be entered during transactions where the card is not being presented directly (online, over the phone, etc.).

3. Continue to improve and increase your CU’s fraud detection and prevention services that monitor customers’ credit card purchases to detect and stop fraudulent purchases.

It isn’t always the merchant that discovers a data breach. In fact, a recent large-scale payment card exposure in the hospitality sector was caught by a network of astute banking institutions. Fraudulent charges on one account or even from one merchant don’t necessarily indicate a wider breach, but CUs can still implement a very effective line of defense using tools that probably already exist in one form or another.

The internal fraud monitoring services most CUs have in place to detect and prevent fraudulent transactions may be some of the most effective ways to stop fraud in its tracks. Careful monitoring of customers’ credit card transactions at the point of sale can be done by teams experienced not only in detecting and investigating fraudulent purchase histories, but also in rooting out the early warning signs of data breaches.

4. In the future, promote rules stating that all merchants must use point-of-sale systems that encrypt all credit card transactions from end to end, which prevents unauthorized disclosure of credit card information.

Technology continues to advance, but merchants aren’t necessarily using the latest tools to full advantage. Credit unions might do well to promote the use of more secure POS systems, such as those that support full encryption from end to end. This means that from the moment the credit card is scanned at the point of sale, the data is encrypted all the way to the acquiring bank that processes the transaction. This prevents cyber criminals from using malware to steal credit card data.

Many of the less sophisticated systems widely used today include several points within the process where it may be possible to gain unauthorized access to payment card and other transaction data. Systems that surround those potential gaps with encryption technology may greatly reduce the occurrence of breaches and fraudulent activity.

Mark McCurley is senior information security advisor at IDT911 Consulting, Scottsdale, Ariz.
