EMV Does Not Address More Sophisticated Cyber-attacks That Target Backend Systems Which Contain Card Holder Data
October 2016 marked the one-year anniversary of the implementation of the Payment Card Industry (PCI) “EMV” mandate. However, a steady stream of data breaches impacting millions of shoppers and their credit card information, including last year’s hack of Oracle’s MICROS Point-of-Sale Division, begs the question: “Is EMV really helping to reduce credit card fraud and minimize the risk of data exfiltration?”
EMV is a technical standard for smart payment cards, which was originally created by Europay, MasterCard, and Visa. Today, the standard is managed by EMVCo, a consortium controlled by financial services providers that include Visa, MasterCard, JCB, American Express, China UnionPay, and Discover.
EMV uses chip technology in conjunction with PINs rather than magnetic stripes and signatures, with the objective of reducing the risks of unauthorized swiping and card cloning. The ultimate goal is to reduce credit card fraud, which still makes up the biggest chunk (45 percent) of payment-related crimes.
In the United States, the EMV standard took effect in October 2015. After that deadline, retailers and other merchants became financially liable for any counterfeit fraud losses associated with debit and credit cards that are present at the time of the transaction. A similar shift in fraud liability is set to occur at ATMs and gas pumps in October 2020.
According to the American Bankers Association, more than 700 million chip cards have since been issued in the U.S. market, and nearly one-third of U.S. merchants are accepting chip card transactions. However, the United States still lags the rest of the world when it comes to the adoption of EMV. According to EMVCo, 98 percent of all card-present transactions in Europe are being conducted using EMV. In Africa and the Middle East, 90 percent of card-present transactions are EMV-based; in Canada, Latin America, and the Caribbean, 89 percent; and in Asia, 58 percent.
While slow adoption has inhibited greater decreases in credit card fraud, the first year of EMV in the United States can still be considered a success. For example, counterfeit fraud for MasterCard merchants alone was down by 54 percent year-over-year. We can expect even bigger benefits from this standard as adoption increases in the years ahead.
However, EMV is not a Holy Grail and has its limitations. While effective at curbing “petty crimes” such as credit card skimming and cloning, it does not address more sophisticated cyber-attacks that target backend systems which contain card holders’ most sensitive information. EMV tackles only one of the many attack surface elements that today’s cyber adversaries leverage. The data breach at Oracle’s MICROS Point-of-Sale Division is a good example of how hackers are extending the attack surface to bypass deterrents such as EMV. In the Oracle attack, hackers placed malicious code on the MICROS support portal, which allowed them to steal the user names and passwords of MICROS customers as those customers logged in to the support website. The stolen credentials then allowed the attackers to access the backend system and exfiltrate personally identifiable information belonging to credit card holders.
Although EMV will help combat card counterfeiting, which accounts for the largest share of payments fraud, it still addresses only part of an ever-expanding attack surface. Security is no longer just about protecting the network and endpoints; it must extend to the database and application layers, to name a few. That’s why, in addition to their work to advance EMV adoption, banks and payment processors should implement cyber risk management practices to identify their attack surface exposure and quickly prioritize remediation of the security gaps with the potential to have the biggest business impact if exploited.