While some payments networks and banking institutions are hopeful advanced chip technology that complies with EMV - the Europay, MasterCard, Visa standard - will eventually be adopted in the U.S., Anton Chuvakin, an analyst with the consultancy Gartner, says it could be too late.
Chuvakin says more advanced payments options trump EMV card transactions, and he questions whether the investment in EMV makes sense.
"I don't see EMV making an impact in 2014, 2015 or 2016," Chuvakin says during this interview with Information Security Media Group [transcript below]. "There are so many other interesting developments, [like] mobile technology and alternative payments schemes. To me, I just don't see EMV sticking."
Chuvakin says expenses associated with hardware upgrades needed to accommodate a shift to chip cards have been a big hindrance for merchants.
"It's hard to imagine that merchants would drop their terminals and magically adopt the terminals to support EMV," he says. "Because of hardware changes needed; because of all the RFID and wireless technology; because of mobile devices and other experiments that companies like PayPal are running; I'm not sure I see the place for EMV in the U.S. anymore."
Chuvakin says it's more likely the U.S. payments infrastructure will simply leap to some yet unforeseen payments scheme within the near future. "At this point, there are so many interesting competing options with minimum market shares, it's hard to imagine what it would be," he says. "But given those options, it's hard to believe that EMV would be one of them."
During this interview, Chuvakin also discusses why:
- Many of the fraud and security risks the industry faces in 2014 are the same as they were 20 years ago;
- The impact mobile technology will have on payments in the U.S.;
- Vendor management is not a priority for most organizations.
Before Chuvakin joined Gartner, his job responsibilities at other organizations included security product management, research, competitive analysis, PCI-DSS compliance, and SIEM development and implementation. He is the author of two books, "Security Warrior" and "PCI Compliance," and was a contributor to other industry resources, including "Know Your Enemy II" and "Information Security Management Handbook." He has published dozens of papers on log management, SIEM, correlation, security data analysis, PCI-DSS and security management. Chuvakin also has taught classes and presented at security conferences across the world. He has worked on emerging security standards and served on advisory boards of several security start-up companies.
Top Fraud Trends in 2013
TRACY KITTEN: What would you say have been the top three fraud and security risk trends that have defined 2013?
ANTON CHUVAKIN: I wanted to make a slightly contrarian point here. A lot of things have changed, indeed; but a lot of things have stayed the same. I keep joking that not a single security problem has ever been solved, and, in this case, this applies to our questions of financial fraud and risks. The point is that many of the risks that we dealt with in 2012, 2011, 2010, 2004, 1999, and possibly 1989, are still there. I wanted to talk about the new things, but I also wanted to remind the listeners that some of the old stuff - password management, dealing with attackers being able to guess passwords and steal services or money - is still there. Many attacks and exploitation types originated in the '90s, or a long, long time ago in IT industry years.
But some of the new things, like increasing distributed-denial-of-service attacks, increased sophistication of malware and the proliferation of malware for information theft and financial fraud, are striking, too. Even when it comes to traditional malware, many organizations just aren't prepared. Password-guessing attacks that originated in the 1980s - if not earlier - are still discouraging to many organizations, if you believe industry reports. And, finally, configuring and deploying payment terminals in a way that allows physical tampering goes back to before there were even cash registers, and those issues are not solved even now.
KITTEN: Can you speak some about cloud security? How should a banking institution manage cloud providers to ensure security?
CHUVAKIN: If you believe the media, cloud adoption is happening at a huge pace. There's some truth to that for sure, but at the same time, the use of cloud to regulate sensitive information isn't as common as many people think. At many banks and financial institutions, they don't even consider using a public cloud infrastructure for sensitive data. Some organizations would use the cloud for less important and less sensitive things, but not for regulated data. As a result, we do see a certain bit of complacency among organizations, whether financial or not, because they use public cloud infrastructure for mostly unimportant stuff. Less risk does necessitate less control, and possibly less effort to secure the data, because the data they put there just isn't that important. For the most important and regulated data, they put the efforts in not having it in the cloud, rather than having it in the cloud securely. With this being said, people do face challenges protecting infrastructures in the cloud when they do put sensitive data in, but there's less of that going on than some people think.
KITTEN: If banking institutions aren't really using the cloud for sensitive data, should they be concerned about more regulatory scrutiny where due diligence of cloud vendors is concerned?
CHUVAKIN: I would say yes, because most people agree that the long-term trend is an increased use of public clouds. Admittedly, if there would be no disasters, this slow trickle of adoption would likely become more of a waterfall, where more people start trusting cloud providers. Whenever trust comes in, regulators often aren't far behind. We have FedRAMP and PCI-DSS [and now] all this attention on the cloud provider relationships. We do expect more regulated scrutiny as the process happens. But the thing is, don't expect it to happen tomorrow. It might happen in one or two years, whenever there's much broader adoption of cloud infrastructure for sensitive and regulated data.
Mobile Banking, Payment Risks
KITTEN: What about emerging mobile banking and payment risks? What should banking institutions be focused on there?
CHUVAKIN: That's the area where a lot of things are happening very fast, much faster than in the cloud. At this point, the discussion of payment card data in the cloud is in many cases a cocktail conversation topic. At the same time, the question of payment data on a mobile device is very much a daily reality for lots of organizations. This is where exciting developments are ongoing. We do face multiple risks. We do deal with the fact that much of the payments are accepted through what's ultimately a consumer platform: iPhone or Android. The result is that there's a question of how do you make a consumer device the payment terminal. Obviously, vendors produce dedicated hardware, wireless payment terminals and all the other exciting technologies, but we do see merchants adopting consumer devices for accepting payments. To me, that's a thing that's very hard to do in a secure manner and there are many attempts; I don't think we have time to judge how good their attempts are. But at the same time, this is an area that changes very quickly, and we do expect it will continue to do so until it settles on a certain secure-enough minimum. At this point, it's pretty much all over the board.
Mobile Banking Regulation
KITTEN: What about more regulatory scrutiny where mobile banking and payments are concerned?
CHUVAKIN: At this point, it's not very clear to me how to regulate it because the platforms and hardware change so frequently. ... It's hard for me to even imagine what the right regulatory regime would be here. I can say they can expect more regulation, especially if there are major breaches involving mobile devices. At this point, many of the breaches of cardholder data and other financial data do not involve mobile devices. The Verizon breach team keeps looking for that evidence, and it's just not there. At the same time, as the adoption of those devices for payment acceptance goes up, I'm pretty sure there will be many ways discovered by the criminals on how to steal data from those devices in a manner that's cost-effective for the criminals. I would say regulation is to be expected, but the exact way it would look and the exact timing is just not clear because it's hard to regulate something that changes literally on a monthly basis.
Impact of EMV
KITTEN: How do you see EMV impacting mobile payments, if at all, in 2014?
CHUVAKIN: ... Here in the U.S., I don't see EMV making an impact in 2014, 2015 or 2016. Ask me this question later. The point is there are so many other interesting developments; we just discussed mobile technology and we talked about all sorts of alternative payment schemes. To me, I just don't see EMV sticking in the U.S. Because of hardware changes needed, because of all the RFID and wireless technology, because of mobile devices and many other experiments that companies like PayPal and others are running, I'm not sure I see the place for EMV in the U.S. anymore. It's hard to imagine that merchants would drop their terminals and magically adopt the terminals to support EMV. I just find it really unlikely. Even with the regulatory burden - we have a PCI burden of relief - I do hear through the grapevine that the merchants just aren't jumping to toss their terminals and to get ones that support EMV.
KITTEN: If it's not EMV, what would it be? Do you think we would leapfrog to some kind of mobile technology?
CHUVAKIN: It would jump somewhere. But at this point, there are so many interesting competing options with minimum market shares, it's hard to imagine what it would be. But given those options, it's hard to believe that EMV would be one of them.
PCI and Mobile
KITTEN: The just-released PCI update does not address mobile, but how much of an impact does this really have on banking institutions, merchants, processors and others that are involved with mobile payments?
CHUVAKIN: I don't know, because PCI does mention mobile in a supplementary guidance document released in late 2012. There's a whole document of 20 to 30 pages that talks about the mobile devices and payment acceptance, and there's plenty of attention the council is paying to the mobile technology. There's a PCI mobile payment acceptance security guideline for developers, and there's also another supplementary guidance document on mobile. To me, if the council is paying attention to mobile and there's guidance, I kind of respect their decision not to stick it in the PCI-DSS document itself, because plenty of guidance now talks about things like data protection that isn't specific to any one technology. If you're doing mobile, there's still a need to encrypt data. You still cannot store certain types of data. Many other controls and approaches discussed in PCI apply perfectly to mobile.
Now, mobile-specific issues are separated in supplementary guidance documents which are not the documents that change PCI, but they update and refine PCI. To me, that's actually quite good. Those documents, by the way, as far as supplementary guidance is concerned, are not that bad and are actually pretty good and useful. I've seen developers use them when planning their mobile extensions. To me, I wouldn't even talk about PCI's lack of mention of mobile because, as I mention, [guidance] does exist and these documents are, in fact, being used by merchants and by payment processors when they design and build their apps. But with this being said, the rapid evolution of the mobile space would still affect the result and you might do something that looks really well by 2013 standards and in 2014 it would be seen as an unmitigated security disaster. ...
Mobile Risks in 2014
KITTEN: As we look to 2014, how would you say some of those mobile risks will evolve or change, or is it hard to predict?
CHUVAKIN: It's very hard to predict because we're talking about the security of something that rapidly evolves. Mobile platforms change very often. Has anyone predicted how iOS 7 would change security? I have an Android phone in my hand. I'm expecting the new version to hit and I don't know what some of the changes are, what some of the security advantages are and what possible security problems that OS would have. These updates happen rapidly. They also supersede updates. They also add to the updates by the phone makers, carriers and many other players in the whole mobile ecosystem. I would probably predict only on a very high level that risks will continue. As mobile technology adoption grows, there will be more breaches and more specific incidents. The thing is, if it's easier for an attacker to steal data from the server or from your PC, they will do exactly that. But if, at some point, PC security controls go up and the companies pay more attention to protecting their servers, maybe at this point, mobile would become a worthwhile bet for the attackers and you would see more breaches.
At this point, the main prediction that I can be certain of is more uncertainty. We shouldn't underestimate the old risks because they really have not gone away. When you think about deciding to invest in a secure mobile application development, you might well neglect the fact that your website has insecure passwords and attackers can guess them. I would want the audience to not only thing about the new risks, but also to be really cognizant of the fact that very few old risks have gone away.