Federal security requirements for merchants and credit cards are imminent. Privacy and cybercrime were the topic of a Senate hearing on February 4 that featured testimony from representatives of Target, Neiman Marcus, Symantec, and the Consumers Union. As stated in an earlier blog, over 1000 million customers have had their credit card information stolen from Target and Neiman Marcus’ brick-and-mortar stores in the past few months. Cyber attacks have been bombarding a multitude of markets including retail, leisure, and even government, as evidenced by the recent breach of the healthcare website, which was exposed to attackers searching for registrants’ personal information. Up to this point, there has been very little legislation setting security standards that businesses dealing with personal information must adhere to. The Senate committee centered the hearing around a few specific aspects of security that retailers would have to focus on. Malware prevention standards will be the primary laws enacted. These standards will be strong but flexible, in order to make them robust against attacks while also being able to change with the ever-evolving nature of cyber attacks. Senators also pushed for a breach notification law that would require organizations that have undergone a data and security breach to swiftly contact any consumer whose information may have been compromised. There are currently no laws requiring companies to do so.
Senators also debated with the business representatives about the future of payment. The current standard in America is a credit card with a magnetic stripe that identifies the card when swiped through a machine. The Senate and business representatives came to a consensus that this technology needs to be updated to a chip-based solution as soon as possible. Chip-and-PIN, or EMV, technology is already integral to daily life and transactions in Europe and several other countries, where magnetic stripe credit cards are obsolete. The EMV technology requirement that the US Senate is now proposing, based on feedback from retailers, banks and the Consumers Union on the inherent costs involved, is a chip-and-signature solution. The reason for choosing this technology over chip-and-PIN is that it is very similar to the current mode of payment here in the United States. Chip-based cards, by themselves, provide more advanced security and prevent cloning of cards. PINs are an additional security layer that can potentially become a part of the solution at a later date, to minimize initial investment costs. Europe has seen a significant drop-off in cyber attacks on brick-and-mortar stores since the introduction of the chip-and-PIN system. However, by making a clear distinction between what is desirable and what is possible in the near term, the aim is to, at the very least, upgrade to a payment option that is well ahead of the current, outdated magnetic stripe-based alternative.
At VDC, we believe that the future of payment will go beyond EMV technology to include mobile wallets. These digital wallets allow consumers to pay directly from their personal handheld device, usually a smartphone or tablet. We expect these solutions to be consumer-friendly because they store information for multiple credit cards in a single device, and retailer-friendly because they can be scanned by camera-based 2D imagers already in place at many stores. A MasterCard representative recently told the Wall Street Journal that they are developing the idea of a tag that could be attached to phones for mobile payments. The Senate considered this technology too underdeveloped to take immediate action on. The security of mobile wallets was called into question because this connected device is just another potential target for cybercriminals. As discussed in the hearing, layered security – featuring network segmentation, two-factor authentication, sophisticated network monitoring, and chip-and-PIN technology – is no longer synonymous with consumer information protection and a secure transaction future. The increased sophistication of today's attackers helps them evade all best practices and industry benchmarks. Retailers firmly believe that sharing intelligence across communities and the entire ecosystem will help them stay close to, if not get ahead of, these attacks and security breaches. That said, it will be interesting to see if retailers, banks, merchant processors, card issuers and the federal government are able to come together in the near term and work towards a common objective of adequately protecting consumer data and enforcing security.
(By Jake Ferry, Research Assistant)