Fighting Card Fraud: Going Beyond EMV
PCI Director Describes Other Essential Prevention Steps
The U.S.'s ongoing move to EMV chip and signature alone will not eliminate fraud, because certain data elements could still be exposed in the breach of EMV card transactions, says Jeremy King, international director of the PCI Security Standards Council.
That's why tokenization, compliance with the PCI Data Security Standard and other security measures are so essential, he says in an interview with Information Security Media Group.
"In an EMV transaction, there are certain data elements that are still sent in clear text," King says. "What hackers wouldn't be able to do is create cloned cards. Criminals would have to use those cards in a card-not-present environment. This is why ... tokenization and point-to-point encryption would be so important."
Card-not-present fraud is a growing international concern, King says. "Globally, where EMV chips have been rolled out, we have seen a drop in face-to-face [card-present] fraud ... but the chip is not beneficial for the card-not-present space. In those situations, it is imperative that merchants adopt the PCI Data Security Standard to protect all cardholder data through the backend systems."
EMV: PIN versus Signature
King also says those debating whether to use PINs or signatures for EMV payment card user authentication need to recognize the strengths and weaknesses of both options.
"There are problems with both," he says. "I read in the press that the PIN is so much more secure, but, in reality, the security is actually on the card," not in the authentication of the user, he contends.
In this interview, King also discusses:
- Why EMV cannot be viewed as a solution to card fraud;
- How a stronger focus on employee education can reduce network intrusions and payments fraud; and
- How some data elements contained on a chip could be compromised by hackers.
King leads the PCI Security Standards Council's efforts to increase global adoption and awareness of PCI security standards. His responsibilities include gathering feedback from the merchant and vendor community, coordinating research and analysis of PCI SSC-managed standards in European markets, and driving educational efforts and council membership through involvement in local and regional events. He also serves as a resource for approved scanning vendors and qualified security assessors. Before joining the council, King was the vice president of the payment system integrity group at MasterCard Worldwide.