Card Fraud Relief Awaits EMV Arrival
A recent report on how retailers meet payment data protection obligations suggested credit unions would not see relief from card fraud risk until most consumers begin using EMV-equipped cards.
Verizon Enterprise Solutions, a branch of the Verizon communications firm, authored the 2015 PCI Compliance Report that looked at how major firms in the United States and overseas, the majority of them retailers, have been implementing the Payment Card Industry Data Security Standard.
Known widely by its acronym PCI DSS, or just PCI, the data security standard sets management and security requirements in 12 areas that experts consider critical to protecting card payment data from hackers.
Areas covered included maintaining firewalls, securing configurations, protecting stored data, protecting data in transit, maintaining anti-virus software, maintaining secure systems, restricting access, authenticating access, controlling physical access, logging and monitoring, testing security systems and maintaining security policies.
PCI's developers never promised the now decade-old standard would completely protect payment systems from hacking, and many experts have acknowledged that it is difficult to implement over time and under changing conditions. Verizon's report confirmed that difficulty, documenting that very few organizations have remained in compliance with the standard's requirements over time.
For example, Verizon researchers found that 80% of all firms they studied failed their interim PCI DSS compliance assessments and, once compliant, firms struggled to maintain compliance.
“Today's cybersecurity landscape is constantly changing,” Rodolphe Simonetti, managing director, professional services for Verizon Enterprise Solutions, said. “Compliance at a point in time isn't sufficient to protect data. Putting the focus on making compliance sustainable is key. It must be a part of day-to-day activities within an organization's greater security strategy.”
Verizon reported that only 29% of organizations that validated their payment systems remained compliant with PCI DSS within one year after their validation.
“The three key areas where organizations fall out of compliance are: Regularly testing security systems, maintaining secure systems and protecting stored data,” Simonetti added. “Of all the data breaches studied, Verizon's findings clearly show that not a single company was fully PCI DSS-compliant at the time of the breach.”
However, while overall PCI compliance still struggled, Verizon reported that firms had more success with individual components of the standard.
Verizon said rules in 11 of the 12 areas that make up PCI DSS had seen increased numbers of firms remain compliant, even if a very small minority of firms managed to remain compliant with all of them. That meant that at any given time, 60% of firms would have been found compliant with rules in any one of the 12 areas, Verizon said.
“Data protection is not just about using encryption, firewalls and antivirus,” Verizon wrote in the report. “(I)t's about ongoing scoping, configuration maintenance, identity management, logging, monitoring, scanning and testing. Security is something you do, not something you have. The low results of Testing Security Systems show that many organizations still don't recognize this.”
The report signaled credit unions will have to maintain measures designed to enhance card data security, such as text verification and transaction verification, and continue to live with more risk of having to close accounts and re-issue cards until at least October 2015, when the majority of retailers are supposed to have begun accepting cards equipped with EMV chips.
Another report from Cardhub.com appeared to offer some good news on the fraud front.
According to the March 18 report, 23 of the 55 major retailers that Cardhub surveyed in February and early March said they would have EMV-equipped POS terminals in place by October 2015. After October, liability for a given data security breach will fall on the retailer or card issuer whose cards or terminals cannot transact EMV.
The 23 retailers included BJ's, Walmart, McDonalds, Nordstrom, Subway, Lowes and Home Depot, among others.
However, of those that responded, only four (Walmart, Nordstrom, Kroger and BJ's) said that their EMV terminals would support EMV transactions validated by both PINs and signatures. Fourteen of the 19 remaining reported that their terminals would only support EMV transactions using PINs, and five of the 19 declined to answer the question.
Nordstrom was the only retailer that said its EMV-equipped POS terminals would only support transactions validated with signatures.
This suggested that credit unions with less than $10 billion in assets may face substantially less risk from counterfeit card fraud after October 15, but they are also likely to receive less debit interchange income from their more protected cards.
According to the Federal Reserve, credit unions with less than $10 billion in assets, which are thus not subject to the Durbin Amendment's interchange cap, made $0.50 for every debit transaction validated with a signature in 2013, the last year for which there is data, and $0.28 per transaction for those validated with a PIN.
By comparison, the five credit unions with more than $10 billion in assets, which are thus under the cap, made only about $0.23 per debit transaction, regardless of which method of validation was used, according to the Fed.