Level 3 Communications

Chris Richter

Brick and Mortar Point-of-Sale Protections Force Fraudsters Online

Retailers, if you think that with the recent implementation of point-of-sale credit card chip technology, you can finally turn your attention elsewhere, take note: while you’ve been focused on transitioning, fraudsters have been rethinking their tactics.

The Europay, MasterCard, and Visa consortium technical standard (EMV) promises to reduce incidents of card-present fraud, or fraud conducted in person by physically swiping a credit card, by making cards themselves much harder to counterfeit. Sure, the day of reckoning for magnetic stripe readers may still be as much as two to three years away, but if early EMV adopters like the UK, France and Australia offer any indication, U.S. retailers should expect to see a marked increase in card-not-present (CNP) fraud committed over online and contact center payment channels. In the U.K. alone, CNP fraud increased nearly 40 percent in the 10 years after the EMV technology shift. That’s because fraudsters turn their efforts to the space with the greatest potential, and, given their less stringent authentication protocols, online and contact center channels are increasingly attractive targets. In 2015, the U.S. experienced a 30 percent uptick in CNP fraud compared to 2014, due in large part to the rapid growth of mobile commerce.

Complicating matters is the way in which the U.S. is making the EMV shift, namely, by focusing on chip and signature over chip and PIN. Part of the protection EMV offers is PIN authentication tied to the chip embedded in the credit card – an element that is much harder for criminals to fake. And, really, how often do signatures get scrutinized at point-of-sale terminals? But some in the industry argue that the infrastructure and public sentiment aren’t ready to support such a change from our current age of swipe and sign. For example, users who forget their PINs would have to physically go to a bank or ATM to have them reset in order to use their cards. What’s more, proponents of chip and signature argue, EMV transactions already generate a unique, single-use transaction code for each purchase, making them inherently more secure than our current systems.
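To show why a per-transaction code protects the card-present channel while the card-not-present channel is left with only static data, here is a simplified model (added here as an illustration; it is not code from the author or from the EMV specifications, and the keyed-MAC construction, the `ChipCard`/`Issuer` classes and the sample values are all assumptions). The chip keeps a secret key and a counter, the issuer verifies the code and rejects any counter it has already seen, so a captured code cannot be replayed and a changed amount does not verify. The same static PAN, expiry and CVV, by contrast, are accepted every time they are presented.

```python
import hashlib
import hmac
import secrets

# Hypothetical, simplified per-transaction code: a keyed MAC over the chip's
# transaction counter, the amount and a terminal-supplied random number.
# Real EMV cryptograms use different inputs and algorithms; this is an added
# illustration only.


def transaction_code(card_key: bytes, atc: int, amount_cents: int, terminal_nonce: int) -> str:
    msg = f"{atc}|{amount_cents}|{terminal_nonce}".encode()
    return hmac.new(card_key, msg, hashlib.sha256).hexdigest()[:16]


class ChipCard:
    """Holds a key that never leaves the chip and a counter that only increases."""

    def __init__(self, card_key: bytes) -> None:
        self._key = card_key
        self.atc = 0  # application transaction counter

    def generate(self, amount_cents: int, terminal_nonce: int):
        self.atc += 1
        return self.atc, transaction_code(self._key, self.atc, amount_cents, terminal_nonce)


class Issuer:
    """Issuer-side authorization: verify the code and refuse reused counters."""

    def __init__(self, card_key: bytes) -> None:
        self._key = card_key
        self.last_atc = 0

    def authorize(self, atc: int, amount_cents: int, terminal_nonce: int, code: str) -> str:
        if atc <= self.last_atc:
            return "DECLINE: transaction counter already used"
        expected = transaction_code(self._key, atc, amount_cents, terminal_nonce)
        if not hmac.compare_digest(expected, code):
            return "DECLINE: transaction code does not verify"
        self.last_atc = atc
        return "APPROVE"


def card_present_scenario():
    """One genuine purchase, one replay of its captured data, one altered amount."""
    card_key = secrets.token_bytes(16)  # constructed; shared at card personalization
    card, issuer = ChipCard(card_key), Issuer(card_key)
    terminal_nonce = 0x1A2B3C4D  # constructed terminal random number

    atc, code = card.generate(2599, terminal_nonce)
    first = issuer.authorize(atc, 2599, terminal_nonce, code)
    replayed = issuer.authorize(atc, 2599, terminal_nonce, code)  # same data again

    atc2, code2 = card.generate(1000, terminal_nonce)  # chip signed 10.00
    tampered = issuer.authorize(atc2, 99900, terminal_nonce, code2)  # 999.00 submitted
    return first, replayed, tampered


def card_not_present_scenario():
    """Static card data gives the merchant nothing that changes per transaction."""
    static_card = ("4111111111111111", "12/29", "123")  # constructed test values
    on_file = {static_card}

    def accept(pan: str, exp: str, cvv: str) -> bool:
        return (pan, exp, cvv) in on_file

    first = accept(*static_card)
    again = accept(*static_card)  # identical data is accepted a second time
    return first, again


if __name__ == "__main__":
    print(card_present_scenario())
    print(card_not_present_scenario())
```

The contrast is the point: because the online channel cannot rely on a chip-generated code, the controls have to come from elsewhere (device, velocity and address checks, for example), which is why the rest of this piece argues for a posture that looks beyond the point of sale.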

Regardless of consumer preference for chip and signature or chip and PIN, this shift in attack vector exposes new security risks and underscores the need for a comprehensive security posture. Retailers need solutions that enable them to be proactive in detecting and mitigating fraudulent activity, both in-store and online. I suggest retailers large and small follow these foundational steps in building a strong security posture:

  • Review your cybersecurity policy. Only after an organization has undergone a thorough risk assessment can it apply proper security and process controls to protect its data. The type of controls, and the amount spent on them, should be based on data value, vulnerability, likelihood of breach, and impact. Not only can such a risk-based approach improve an organization’s security posture, it can also lower its costs.
  • Apply proper governance. Retailers, and enterprises in general, need an ongoing, enterprise-wide GRC (governance, risk, and compliance) management program to identify and treat vulnerabilities and risks.
  • Conduct an information asset inventory. Many organizations don’t have a comprehensive inventory of all the systems that may be storing sensitive data. This is especially true of enterprises that have undergone several organizational changes. Data tends to be scattered across a multitude of systems, and is often housed in “shadow IT” infrastructures, which only exacerbates the problem by making the application of proper security controls nearly impossible. To avoid this, make sure you know what is of value, and its location, so you can build appropriate controls.
  • Do penetration tests. Don’t just scan your perimeter; test the security processes your employees are expected to follow.
  • Conduct breach-response simulations and walkthroughs. Build use case scenarios for accidental as well as deliberate insider threats.
  • Develop and manage a GRC program that incorporates these activities as well as PCI audit and certification. Share your GRC with the board.

Fraud perpetrated over online and contact center channels is predicted to outnumber POS card fraud nearly four to one by 2018. For example, one increasingly popular method, buy online / pick-up in store, has risen nearly 30 percent over previous years. If retailers have any chance to stay ahead of the anticipated surge in fraud through CNP channels, it’s in implementing a proactive and comprehensive approach to security that looks beyond just the point of sale.

In other words, don’t just guard the front door – pay special attention to the back door and the windows, too.