Aite Report Says There Is No Easy Cure for Threats to Card Security
Merchants are in the most vulnerable position in the card data security realm and malware, counterfeit card fraud and card-not-present fraud currently top the list of threats. Of even more concern, card security may never be fixed, as criminals will always seek new ways to commit fraud.
That's according to a new report released by research and advisory firm Aite Group. The report, "Card Data Security: In Search of a Technology Solution," which is based on survey responses from 29 individuals (most of whom head up risk management for North American issuing banks or payment processors), focused on what the respondents thought were today's biggest card security problems, the responsibilities of stakeholders and possible card security solutions.
What did surveyors find as the most viable remedies for card security issues? One promising solution, a shift from magnetic stripe cards to EMV architecture (the use of smart cards), may never come to fruition. The report stated that a decision to make the use of smart cards a standard practice is five to seven years away-or may never take place at all.
"With the deeply entrenched magnetic stripe infrastructure in the United States, and the cost and effort involved in transitioning stakeholders to chip and PIN infrastructure, this may be the case," Aite Group's Nick Holland said of the survey participants' predictions that standardized EMV architecture may never be a reality in the U.S.
However, out of the three biggest threats to card security-malware, counterfeit card fraud and CNP fraud-counterfeit card fraud is the only problem that an EMV architecture shift could solve. There are other promising solutions to all three problem areas, the report said.
End-to-end encryption of the card network, stricter policy enforcements and process improvements, neural network monitoring and magnetic stripe fingerprinting are all viewed to have a significant impact on card fraud prevention. Overall, it's the technological advances, such as data loss prevention technologies, that are expected to make the most positive changes in the card data security landscape, Holland said.
Aside from the three big threats, Boston-based Aite Group found that from a fraud or card security standpoint, social engineering attacks (phishing or spoofing) and external physical attacks pose the biggest risks. Deliberate internal attacks also rank high, but in the entire internal attacks realm, staff errors and lost or stolen card fraud are not considered major threats.
The security risks are certainly out there, but who's most at risk of being harmed? According to the firm report, 62% of survey respondents said the merchants, followed by acquirers, with 43% of the respondents naming this group as vulnerable or very vulnerable to security breaches. ISOs may have the least to worry about, with only 30% of respondents calling them vulnerable or very vulnerable to security breaches.
A major roadblock standing in the way of dramatically reducing card data security breaches is the high cost of many solutions. Aite Group found that some strategies have a high potential for success but may be too pricey to implement. EMV architecture led in this category; trailing closely behind was the use of advanced analytics and enterprise fraud management solutions.
"There is a high degree of confidence in enterprise fraud management solutions, but they are cost-prohibitive, take too long to deploy to have a meaningful impact in the next three years or both," Holland said.
The cost variable also poses the question of who would pay should the funds be available. According to the survey, the burden would most likely be on card issuers, followed by acquiring processors.
This is primarily because these are the groups that store, keep and pass along card data, Holland said. Least likely to foot the bill are merchants, consumers, ISOs and point-of-sale vendors.
Aite Group said it also found imperfections in the Payment Card Industry Data Security Standards. When asked how improvements could be made to the PCI DSS, survey respondents said payment processors should be included in the development of the standards and card networks should be more involved in the enforcement of PCI compliance. Respondents added that PCI audits must be performed more often than current requirements call for.
"The Payment Card Industry Data Security Standard has come under a lot of scrutiny lately," Holland said.
There's no quick fix for card data security breaches in the U.S., but through the survey, Aite Group determined several key recommendations it said could propel a move in the right direction.
First, changes to the PCI DSS are necessary, with greater involvement by payment processors and card networks and an increase in audit frequency. Second, card data security stakeholders-card networks, issuers, acquirers and ISOs-must work together to encourage the involvement of merchants in PCI development and compliance initiatives because in today's economic climate, merchants can't afford to fund security enhancements.
"In the current, cash-tight economic situation, it is unrealistic to expect smaller merchants to pay for upgrading security and be penalized for noncompliance," Holland said.
And finally, since a switch to EMV smart card technology is currently out of reach, the focus must shift to alternative technological solutions. Here, Aite Group suggests that a comprehensive, pan-network panel, composed of participants from all corners of the card industry, be formed to study the scope of card data security and determine the best technology solutions to keep threats of card data security breaches at bay. "Card networks need to step forward, driving the push to the next level of card security," Holland said.