Guest Column | September 19, 2016

Beyond EMV: What's Next?

EMV Liability Shift

By Yanky Weiss, CTO, Cardknox

Merchants across the U.S. have gone through the expense and pains of adopting EMV, expecting it to be the one-stop solution to fraud. As the majority of merchants implement EMV, fraudsters are looking for any remaining points of entry. Unfortunately, even EMV has its vulnerabilities.

False Expectations

EMV was expected to solve the issue of fraud, at least for in-store purchases. Merchants flocked to make the transition, especially after last October’s liability shift. Most chose to integrate EMV with an out-of-scope solution as it is the simpler route to EMV certification. An out-of-scope solution does not allow the merchant to touch the credit card data; instead it goes directly to the processing bank. Coupled with the additional benefit that EMV chips cannot be duplicated by a fraudster, EMV is a big step forward in fighting fraud. However, these security measures are still potentially susceptible to fraud by an expert hacker.

EMV’s Vulnerabilities

Although merchants cannot touch the credit card data, an EMV transaction still flows to the bank through an internet connection. Here, the raw data can be accessed and extracted by malware or even by the merchant themselves, then used in non-EMV locations such as online purchases.

An expert hacker can take things a step further by altering the magnetic stripe on an EMV card, tricking the terminal into allowing a swiped transaction. Generally, terminals differentiate between an EMV and a non-EMV card based on a three-digit service code encoded on the stripe alongside the card number. By resetting an EMV card's service code to mimic that of a magstripe-only card, the fraudster can potentially use the card at EMV-enabled locations as well.
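The service-code check described above, written out as the terminal-side decision logic an EMV-capable terminal applies before accepting a swipe. This is an added example, not code from the column or from Cardknox; the Track 2 layout (`;PAN=YYMMSSS...?`, with the first service-code digit 2 or 6 marking a chip card) follows ISO/IEC 7813, the sample track strings are constructed, and the three return values are names chosen here. Because the column notes the stripe can be rewritten, this check is necessary but not sufficient: the issuer's authorization host should still compare the service code it receives against the one it issued.

```python
import re
from dataclasses import dataclass

# Track 2 layout (ISO/IEC 7813): ;PAN=YYMMSSS<discretionary data>?
# PAN is 12-19 digits, YYMM is the expiry, SSS is the three-digit service code.
TRACK2_RE = re.compile(
    r"^;?(?P<pan>\d{12,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\??$"
)

# First service-code digit: 1 = international, 2 = international + IC (chip),
# 5 = national, 6 = national + IC (chip), 7 = private, 9 = test.
CHIP_SERVICE_DIGITS = {"2", "6"}


@dataclass
class Track2:
    pan: str
    expiry: str          # YYMM
    service_code: str    # SSS
    discretionary: str


def parse_track2(raw: str) -> Track2:
    """Split raw Track 2 data into its fields; reject anything malformed."""
    m = TRACK2_RE.match(raw.strip())
    if not m:
        raise ValueError("malformed track 2 data")
    return Track2(m["pan"], m["exp"], m["svc"], m["disc"])


def card_has_chip(t: Track2) -> bool:
    """True when the stripe declares an integrated circuit on the card."""
    return t.service_code[0] in CHIP_SERVICE_DIGITS


def swipe_decision(t: Track2, terminal_emv_capable: bool, chip_read_failed: bool) -> str:
    """Decide whether an EMV-capable terminal may accept a magstripe swipe.

    Returns 'accept', 'require_chip' or 'fallback' (names chosen for this example).
    """
    if not terminal_emv_capable or not card_has_chip(t):
        return "accept"          # no chip declared, or terminal cannot read one
    if chip_read_failed:
        return "fallback"        # technical fallback only after a failed chip read
    return "require_chip"        # chip card at a chip terminal: insert, do not swipe


if __name__ == "__main__":
    # Constructed sample: service code 201 declares a chip card.
    t = parse_track2(";4111111111111111=25122011234567890?")
    print(t, card_has_chip(t), swipe_decision(t, True, False))
```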

EMV protects merchants from chargeback liability, but data “sniffing” is still a tremendous risk factor. EMV alone is not the answer.

A New Solution

One solution is Point-to-Point Encryption, or P2PE. Where EMV transactions are vulnerable to malware attacking the data in transit, P2PE encrypts the data from the moment it touches the terminal. Even if someone were to intercept the data sent through the merchant's internet connection, the information would be encrypted and thus useless to them.

Not every P2PE solution is validated by the PCI Security Standards Council, an independent third party that verifies an organization's security standards for credit card information. In addition to maintaining the highest level of security, "PCI-validated" P2PE has the added benefit of drastically reducing the scope and cost of a merchant's PCI requirements.

PCI-validated P2PE is the next big thing in payments security. It truly protects the cardholder data, so data breaches simply don't happen. In-store fraud is reduced, and merchants have the added benefit of a reduced PCI compliance burden. It's a win-win for everyone.