Will EMV Require New Security Controls?

Posted on October 19, 2015.

EMV (EuroPay, MasterCard, VISA) payment cards are coming to the US. This follows a series of huge retail breaches, although it is not entirely certain that EMV cards would have made any difference to the outcome of those breaches.

  • CISOs believe their defense against attack is strong
  • CISOs believe that CNP fraud prevention may need to be improved

The primary difference between the old mag stripe and the new chip card is that the card details are now held encrypted within a chip. Payment is effected by presenting the card to a special reader. This is done by the card owner, not by the storekeeper or restaurateur. Because the card never leaves the proximity of its owner, there is little opportunity to surreptitiously clone the card or steal the details while in use. User authentication is done either by the user’s knowledge of a personal identification number (PIN), as used in several European countries including the UK; or by the user’s signature (currently the preferred method in the US).

The primary effect of EMV cards, as witnessed by the European experience, will be a drastic reduction in card present fraud (such as using a cloned card to make in-store purchases or drain an account via an ATM machine). However, EMV cards currently have little effect on card-not-present (CNP) fraud; that is, the use of stolen card details to buy goods online. As a result (again, as witnessed by the European experience) the US should brace itself for an increase in CNP fraud.

In order to fuel this type of fraud, the criminals are likely to increase their efforts to steal large numbers of card details from any company that holds them. Consequently, US companies are likely to experience an increase in card records theft attacks. Of course, the Payment Card Industry Data Security Standard (PCI DSS) is designed to prevent this; but we asked a group of Wisegate CISOs whether they will still need to increase their security controls or whether PCI DSS will be enough to keep them safe. We gave six options:

  • EMV will lead to an increase in cyber attacks, so security around card details will need to be tightened
  • Attempted CNP fraud will increase, so anti-fraud controls will need to be improved
  • Insistence on multi-factor authentication will/should increase
  • Compliance with PCI DSS will be enough
  • Compliance with PCI DSS will not be enough
  • Business is not likely to change its existing security posture just because of EMV

The outstanding result is that not a single CISO believes that compliance with PCI DSS will be sufficient to withstand an increase in card-related attacks, while 77% (the single largest vote) specifically assert that PCI DSS will not be sufficient. In fairness, this is probably not so much a dismissal of the PCI security standard as an acceptance of the modern consensus: there is no ultimate defense against a well-resourced targeted attack. So in reality it would be more worrying if CISOs believed it to be enough, and were consequently relying upon it.

Eleven percent of the CISOs do not believe they will need to improve security simply because of the arrival of EMV. This could be because they don’t believe EMV will have any effect, or because they are already confident in their existing security controls. I suspect the latter since a much greater number (44%) believe that anti-fraud controls will definitely need to be improved.

This makes sense. You can be confident in your own controls being sufficient to prevent data theft, but you cannot be confident in the controls of other companies. The card details used to attempt CNP fraud could have been stolen from anywhere, and you have no control over that. Consequently, although you may not need to increase security to prevent theft from your own networks, it would be prudent to increase fraud detection to detect the attempted use of card details stolen from elsewhere.

This latter assumption gains greater credence from a full two-thirds of the CISOs suggesting that the use of two-factor authentication should increase. Although 2FA is not strictly fraud detection, it is most certainly CNP fraud prevention. It’s not fool-proof because there are ways and means and malware to defeat most 2FA systems, but it is certainly better than nothing.

The overall effect of this poll suggests that CISOs consider themselves well prepared against any increase in cyber attacks caused by the arrival of EMV payment cards, but will consider improving their defenses against an increased incidence of attempted CNP fraud.
