The Fraud Blog with Tracy Kitten

Readers: Merchant Security Too Lax

Retailers' Reluctance to Adopt EMV Gets Negative Reactions

I recently posted a blog about challenges merchants face when it comes to payments security.

The blog, "EMV Migration: The Merchants Fight Back," included some opposing perspectives voiced during Information Security Media Group's Fraud Summit Los Angeles on Feb. 24. For example, representatives from two national retail associations said retailers were in no rush to implement EMV chip transactions, in spite of the impending October 2015 fraud liability shift date set by the card brands for fraud that results from mag-stripe transactions.

David Matthews, general counsel for the National Restaurant Association, said that 46 percent of U.S. merchants had not even begun any preparations for EMV acceptance at their points of sale, mainly because most smaller merchants don't believe the cost of fraud outweighs the expense of EMV investments.

That blog generated a healthy debate. Here are some thoughts shared by our readers.

Banks Are More Secure?

One of our readers, using the handle "Fraud Monitor," writes: "I have been in this industry long enough to have generated grey hair. I continually talk with many industry insiders in my card security role. If anyone thinks for a moment that the merchant lobby is as concerned about security as the FI [financial institution] industry, they are simply and factually misinformed. ... The retail world is weighing the costs of security upgrades against the damage and cost a breach creates. ... Meanwhile, the FI industry [is] under tough and growing tougher State and Federal examinations, while retailers are 'kicking the tires on EMV.'"

Another reader, known as "Real Time Analysis," says: "Some of the posts make great comments about major systematic changes (mobile authentication and biometrics, and a combination thereof). Folks, be realistic. These technologies are at least 5-10 years off (at best) before mass adoption. ... Let's start with practical movement, like spending money to close security issues at retailers, get EMV terminals active in all merchants, AND YES, get biometric and online authentication built into every tablet and PC. ... Failing to address major security deficiencies at most retail establishments is simply ignoring the obvious."

But reader "Sean," who offers a merchant's perspective, contends that EMV is a short-sighted solution, because it won't reduce the growing trends we see in e-commerce fraud. He writes: "Until the equivalent of an over-the-counter EMV card reader is distributed to every Internet e-commerce user, so they can provide fully validated Card-Not-Present purchases via our website, the whole push to Chip'n Sig or eventual Chip'n PIN will only reduce fraud on our FEW walk-in customers. Big laugh."

And "Paul" says a critical issue is the fact that cards with mag-stripes are still being accepted because merchants have failed to upgrade their point-of-sale systems: "The real issue is not EMV, but the half-baked migration currently in the U.S., where merchants still have mag-stripe readers; so if a cardholder with a chip came to your store, he is forced to revert to mag-stripe. Where is the security in that?"

Authentication: An Ongoing Concern

"Mangelinovich," one of our most active commenters, says the problem continues to be poor cardholder authentication: "Anytime a human enters all of the required credentials to an online account, that leaves the (front) door unlocked for a cybercriminal to easily gain access. So as everyone is rushing out to secure payments via EMV and improving internal systems security, you are all leaving your front door unlocked. Even the majority of Financial Institutions that claim they have Two-Factor Authentication security in place actually have two levels of Single-Factor Authentication in place, or they have Two-Factor for one user's client but Single-Factor for the same user to login from a different client. That front door needs to be locked."

And William Hugh Murray, another frequent commenter, adds: "Regular readers of this space know that I have a strong preference for a payment system that exploits the amazing capabilities of the mobile computer. A multi-connection device with key-entry, photo scanner, display, storage, and even biometric sensors, offers incredible opportunities for secure payments. ... This application of the mobile computer to payments does not await anything and adds almost no friction and little cost to the transaction. Could this be the 'magic bullet'?"

Moving Forward

One point not highlighted in the comments here is that retailers and bankers do agree on the need for more information sharing and collaboration. But it will take years to see tangible results from such efforts.

Meanwhile, by having healthy debates, we can all begin to move forward toward solutions. If you have an opinion about this payments topic, I encourage you to share it. Every perspective in this debate needs to be considered.



About the Author

Tracy Kitten

Executive Editor, BankInfoSecurity & CUInfoSecurity

A veteran journalist with more than 18 years' experience, Kitten has covered the financial sector for the last 11 years. Before joining Information Security Media Group in 2010, where she now serves as the Executive Editor of BankInfoSecurity and CUInfoSecurity, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.



