Vulnerabilities EMV Doesn't Fix

Yasser Abou-Nasr, SVP of Commerce Services at North American Bancard, answered Business Solutions’ questions about what weaknesses still exist after EMV and how software developers and resellers can overcome these vulnerabilities.

BSM: What payment security challenges does omni-channel retail commerce create?

Abou-Nasr:  With omni-channel retail commerce, you have to consider both the card-present and card-not-present aspects of data security. We need to address fraud at the card and cardholder levels, protecting the card data in transit from the point of capture to authorization, protecting data-at-rest in post-authorization data stores and applications, and protecting card-not-present fraud at the merchant-level pre-authorization.

BSM: How can software developers and resellers overcome these challenges?

Abou-Nasr:  There are viable solutions that enhance security and reduce fraud risk in our payment systems. Unfortunately, there is no magic bullet that solves every aspect of data security, as each solution has inherent vulnerabilities.

There is a misconception that EMV is this magic bullet that will solve every aspect of data security. For example, Target believes EMV would have prevented their breach in fourth quarter of 2013 which spilled information on as many as 70 million credit cards. EMV has vast improvements on decades-old technology of static magnetic stripe cards, but that only addresses the authentication and legitimacy of the card and cardholder. It doesn’t address protecting the card data in transit from the point of capture, or later stored by the merchant post authorization, or when chip-enabled card is not present.