EMV Payment Cards: Salvation or Failure?

EMV Does Not Address More Sophisticated Cyber-attacks That Target Backend Systems Which Contain Card Holder Data

October 2016 marked the one-year anniversary of the implementation of the Payment Card Industry (PCI) “EMV” mandate. However, a steady stream of data breaches impacting millions of shoppers and their credit card information, including last year’s hack of Oracle’s MICROS Point-of-Sale Division, raises the question: “Is EMV really helping to reduce credit card fraud and minimize the risk of data exfiltration?”

EMV is a technical standard for smart payment cards, which was originally created by Europay, MasterCard, and Visa. Today, the standard is managed by EMVCo, a consortium controlled by financial services providers that include Visa, MasterCard, JCB, American Express, China UnionPay, and Discover.

By using chip technology in conjunction with PINs rather than magnetic stripes and signatures, the objective of EMV is to reduce the risks of unauthorized swiping and card cloning. The ultimate goal is to reduce credit card fraud, which still makes up the biggest chunk (45 percent) of payment-related crimes.

In the United States, the EMV standard took effect in October 2015. After that deadline, retailers and other merchants became financially liable for any counterfeit fraud losses associated with debit and credit cards that are present at the time of the transaction. A similar shift in fraud liability is set to occur at ATMs and gas pumps in October 2020.

According to the American Bankers Association, more than 700 million chip cards have since been issued in the U.S. market, and nearly one-third of U.S. merchants are accepting chip card transactions. However, the United States still lags the rest of the world when it comes to the adoption of EMV. According to EMVCo, in Europe 98 percent of all card-present transactions are being conducted using EMV. In Africa and the Middle East, 90 percent of card-present transactions are EMV-based; the figure is 89 percent in Canada, Latin America, and the Caribbean, and 58 percent in Asia.

While adoption has been an inhibitor to greater decreases in credit card fraud, the first year of EMV in the United States can still be considered a success. For example, counterfeit fraud for MasterCard merchants alone was down by 54 percent year-over-year. We can expect even bigger benefits from this standard as adoption increases in the years ahead.

However, EMV is not a Holy Grail and has its limitations. While effective at curbing “petty crimes” such as credit card skimming and cloning, it does not address more sophisticated cyber-attacks that target backend systems which contain card holders’ most sensitive information. EMV is tackling only one of many attack surface elements that are being leveraged by today’s cyber adversaries. The data breach at Oracle’s MICROS point-of-sale division is a good example of how hackers are extending the attack surface to bypass deterrents such as EMV. In the Oracle attack, hackers placed malicious code on the MICROS support portal, which allowed them to steal MICROS customer user names and passwords when customers logged in to the support website. These stolen credentials then allowed them to access the backend system and exfiltrate personally identifiable information belonging to credit card holders.

Although EMV will help combat card counterfeiting, which accounts for the largest share of payments fraud, it still only addresses part of an ever-expanding attack surface. Security is no longer just about protecting the network and endpoints; it must also extend to the database and application layers, to name a few. That’s why, in addition to their work to advance EMV adoption, banks and payment processors should implement cyber risk management practices to identify their attack surface exposure and quickly prioritize remediation of the security gaps with the potential to have the biggest business impact if exploited.

Written By

Dr. Torsten George is an internationally recognized IT security expert, author, and speaker with nearly 30 years of experience in the global IT security community. He regularly provides commentary and publishes articles on data breaches, insider threats, compliance frameworks, and IT security best practices. He is also the co-author of the Zero Trust Privilege for Dummies book. Torsten has held executive level positions with Absolute Software, Centrify (now Delinea), RiskSense (acquired by Ivanti), RiskVision (acquired by Resolver, Inc.), ActivIdentity (acquired by HID® Global), Digital Link, and Everdream Corporation (acquired by Dell).
