Expect a Fraud Surge During EMV RolloutPCI's Bob Russo: 'Get Prepared, For Fraud Is Coming'
As EMV payment cards get widely introduced in the United States, credit card fraud will significantly rise in the short term, the PCI Council's Bob Russo said in his keynote address at the ISMG Fraud Summit New York on Oct. 21.
See Also: Rethinking Endpoint Security
During the slow rollout of EMV cards as a replacement for magnetic stripe cards in the United States, Russo says, hackers, seeing a window of opportunity shrinking, will increase their attacks on point-of-sale and other systems to exploit weaknesses in mag-stripe technology.
"These hackers [will] take advantage of, at least in the face-to-face environment, getting this credit card data," said Russo, who's retiring as the PCI Council general manager at years' end. "As we saw in other, mature EMV markets, typically the fraud is going to go up before EMV becomes embedded here in the United States. So, get prepared, for fraud is coming, and it's coming very, very strongly."
Impact of EMV
Payment cards that use the EMV standard, which are ubiquitous in many other nations, have encrypted computer chips that provide far better security than the magnetic stripes found on most credit and debit cards now in use in the United States.
Other nations that have made the shift to EMV eventually saw in-person fraud decline, while card-not-present fraud, such as for e-commerce, substantially grew. That's because chip cards don't play a role in boosting security for online purchases.
President Obama attempted to build momentum for the movement toward EMV cards last week when he signed an executive order directing government agencies to shift to the use of chip-and-PIN cards for use by staff as well as in consumer benefits programs, including Social Security (see Obama Seeks to Speed EMV Adoption).
But Russo sounded skeptical that much will change because of the initiative, at least in battling fraud (see: What's the President's Influence on EMV?). With a sarcastic tone in his voice, he said: "Did anyone see the executive order being signed? Fraud's finished. Come on, what do we have to talk about here?"
Russo said the most meaningful action that could come out of Washington would be to enact a national breach notification law, as called for by President Obama last week, that would replace 47 state statutes with varying requirements (see U.S. Breach Notification Law Unlikely in 2014). "Having one law would probably simplify things, so that, by itself, is a good thing," he says. "But that's not really looking at the [credit card fraud] problem. It's just giving you breach notification."
Companies that experienced major payment card breaches in recent months and claimed they were compliant with the PCI data security standards likely were not, in fact, compliant at the time of the breaches, Russo contended. "They may have been PCI compliant at one point in time, but PCI compliance is something that you have to do 24 hours a day, seven days a week," he said.