Written by Steve Cole, Senior Product Manager for EMV
In today’s increasingly connected world, the ability of, and likelihood that, someone with ill intent will access the payments systems of small businesses is growing daily. If concerns about losing your customers’ payment data or becoming the victim of card fraud are not keeping you up at night, this article is for you. Small businesses are increasingly coming into the crosshairs of criminals intent on committing card fraud. These threats to your payments security can be viewed through two different lenses: payments data in your environment that can be compromised, and previously compromised payments data that can be used in your environment. These can also be thought of as theft of the data and fraudulent use of the data. Merchants, large and small, need to address both of these threats.
When considering payments data in your environment, the old adage “the less, the better” is an okay approach, and the new adage (that I just made up) “none is best” is the goal for which every merchant should strive. Any payments data in your possession, whether held electronically or on paper, is a risk to your business. The PCI Council has reported that over 71% of data breaches target small businesses. Why is this? Small businesses often don’t have the resources or technical expertise to implement a secure payments solution and therefore make “softer” targets. The Council further reported that 43% of customers stop doing business with a merchant after being the victim of fraud, and over 60% of small businesses close within 6 months following the identification of a breach. Given these stakes, keeping sensitive payments data out of your environment is essential. Sensitive data includes track data, card security codes (e.g. CVV, CVC) and PIN data.
But how does one go about achieving this lofty goal of “none”? The key is to create layers of defense, and not just software defenses. A solid payments security plan will include not only technical solutions like firewalls, point-to-point encryption and tokenization, but also adherence to PCI standards and documented policies and procedures for handling sensitive payments data, whether in electronic or paper form. And, with two out of three breaches related to weak passwords, using complex passwords is essentially a “free” component of your security program. Regarding technical solutions, a hardware-based point-to-point encryption solution not only turns the sensitive payments data into unintelligible gibberish for a would-be data thief, but also reduces PCI scope.
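One practical way to check whether the goal of “none” has actually been reached is to scan logs, exports and database dumps for the sensitive elements named above: track 1 and track 2 data, labelled card security codes, and bare card numbers that pass the Luhn check. The scanner below is an added example written for this article, not a tool from the author or from the PCI Council; the log lines it runs on are constructed, and the patterns are simplified forms of the track formats and code labels.

```python
import re

# Constructed sample log lines (not from the article). A real scan would read
# application logs, database dumps and exported spreadsheets the same way.
SAMPLE_LINES = [
    "2016-03-01 10:02:11 POS01 sale ok amount=25.00 order=10042",
    "2016-03-01 10:05:37 POS01 debug raw=;4111111111111111=25121010000000000000?",
    "2016-03-01 10:06:02 web order 10043 pan=5500000000000004 cvv=123",
    "2016-03-01 10:07:15 POS02 trace ref=1234567890123 batch=20160301",
    "2016-03-01 10:08:44 POS01 debug raw=%B4111111111111111^DOE/JOHN^2512101000000?",
]

# Track 1: %B<PAN>^<NAME>^<YYMM><service code>...   Track 2: ;<PAN>=<YYMM><service code>...?
TRACK1_RE = re.compile(r"%B(\d{13,19})\^[^^]{2,26}\^\d{4}\d{3}[^?]*\??")
TRACK2_RE = re.compile(r";?(\d{13,19})=\d{4}\d{3}\d*\??")
# Card security codes usually leak next to a label rather than as bare digits.
SECURITY_CODE_RE = re.compile(r"(?i)\b(cvv2?|cvc2?|cid)\b\s*[:=]\s*\d{3,4}")
# Bare PAN candidate: 13 to 19 digits that are not part of a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check digit test; filters out most order ids and timestamps."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep first six and last four digits so the report never re-creates the exposure."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_line(line: str) -> list:
    """Return (kind, masked value) findings for one line. Track data is reported
    first and blanked out so the PAN inside it is not reported a second time."""
    findings = []
    for name, pattern in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
        for m in pattern.finditer(line):
            findings.append((name, mask(m.group(1))))
        line = pattern.sub(" ", line)
    for m in SECURITY_CODE_RE.finditer(line):
        findings.append(("security_code", m.group(1).upper()))
    for m in PAN_RE.finditer(line):
        if luhn_ok(m.group(1)):
            findings.append(("pan", mask(m.group(1))))
    return findings


def scan(lines) -> dict:
    """Map 1-based line number -> findings, only for lines that contain something."""
    report = {}
    for n, line in enumerate(lines, 1):
        found = scan_line(line)
        if found:
            report[n] = found
    return report


if __name__ == "__main__":
    for n, findings in scan(SAMPLE_LINES).items():
        print(n, findings)
```

Lines 2 and 5 are the serious findings: full track data in a debug log is exactly what a point-to-point encryption solution is meant to prevent from ever reaching your systems. Line 3 shows a web order that stored both the card number and the security code, which must never be retained after authorisation. A 13 to 19 digit number that happens to pass Luhn (line 4 does not) will still produce the occasional false positive, so treat the output as a list to review rather than a verdict.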
This brings us to the other lens through which to view payments security: data, previously compromised, used at your business to conduct fraudulent transactions. While the payments data was most likely the result of a breach at another merchant, the holder of that data is now looking for a payday and an easy place to cash in. The problem for many small merchants is that they have no tools to detect whether the card being presented to them is legitimate or whether the person on the other side of the counter is authorized to use the card. This is where EMV comes into play. EMV is a chip-based payments standard created by Europay, MasterCard and Visa that helps ensure the card presented for payment is genuine and not a counterfeit copy of the real card.
The chip on an EMV card accomplishes this by taking data from the terminal, the transaction and the card to create a code that is unique for each transaction. Using secret “keys” known only to the card and the issuer of the card, the chip turns that data into a cryptogram, a signature-like code that only the issuer can verify. Because this process uses dynamic data for each transaction, the issuer can also determine if a fraudster is attempting to “replay” a previous legitimate transaction. In some markets where EMV has reached critical mass, counterfeit fraud has dropped by over 90%[1]. When combined with PIN verification of the cardholder, lost and stolen fraud can also be effectively combated. In addition, many of the newer EMV-capable terminals also support contactless transactions, allowing merchants to accept mobile payments like Apple Pay and Android Pay. Merchants that have not implemented support for chip-based transactions need to understand that they may now be liable for chargebacks resulting from counterfeit fraud, as well as, in some cases, chargebacks for lost/stolen fraud if PIN is not supported.
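To make the mechanism in the paragraph above concrete, here is a deliberately simplified model of the online authorisation exchange: the card combines terminal, transaction and card data with a secret it shares with the issuer, the issuer recomputes the code, and a transaction counter lets the issuer spot a replay. This is an added example written for this article, not EMV specification code and not something from the author or any card scheme; real EMV derives per-card keys from an issuer master key and computes a 3DES/AES-based MAC over a defined list of data elements, whereas this model uses HMAC-SHA256 over a hand-picked set of fields. The card number, key and terminal id are constructed values.

```python
"""Simplified model of EMV online authorisation (illustrative, not the real EMV spec)."""
import hashlib
import hmac
import secrets


def cryptogram(card_key: bytes, amount: int, atc: int,
               unpredictable_number: bytes, terminal_id: str) -> bytes:
    # Mix card data (ATC), terminal data (terminal id, unpredictable number) and
    # transaction data (amount) so no two transactions produce the same code.
    msg = b"|".join([
        str(amount).encode(),
        atc.to_bytes(2, "big"),
        unpredictable_number,
        terminal_id.encode(),
    ])
    return hmac.new(card_key, msg, hashlib.sha256).digest()[:8]


class Card:
    """Chip card: holds the secret key and a transaction counter (ATC) that only increases."""

    def __init__(self, pan: str, key: bytes):
        self.pan = pan
        self._key = key
        self.atc = 0

    def generate_arqc(self, amount: int, unpredictable_number: bytes, terminal_id: str):
        self.atc += 1
        return self.atc, cryptogram(self._key, amount, self.atc, unpredictable_number, terminal_id)


class Issuer:
    """Issuer host: knows each card's key and the highest ATC it has accepted for that card."""

    def __init__(self):
        self._keys = {}
        self._last_atc = {}

    def enrol(self, card: Card):
        self._keys[card.pan] = card._key  # in practice the key is injected at card personalisation
        self._last_atc[card.pan] = 0

    def authorise(self, pan, amount, atc, unpredictable_number, terminal_id, arqc) -> str:
        key = self._keys.get(pan)
        if key is None:
            return "DECLINE: unknown card"
        expected = cryptogram(key, amount, atc, unpredictable_number, terminal_id)
        if not hmac.compare_digest(expected, arqc):
            return "DECLINE: cryptogram mismatch (counterfeit card or altered transaction)"
        if atc <= self._last_atc[pan]:
            return "DECLINE: replayed transaction (ATC not increasing)"
        self._last_atc[pan] = atc
        return "APPROVE"


def demo() -> list:
    """Run four authorisations and return the issuer's responses in order."""
    key = secrets.token_bytes(16)                # constructed card key
    card = Card("4111111111111111", key)         # constructed test PAN
    issuer = Issuer()
    issuer.enrol(card)
    results = []
    # 1. legitimate chip transaction
    un = secrets.token_bytes(4)                  # terminal's unpredictable number
    atc, arqc = card.generate_arqc(2500, un, "TERM0001")
    results.append(issuer.authorise(card.pan, 2500, atc, un, "TERM0001", arqc))
    # 2. the same captured authorisation message sent again
    results.append(issuer.authorise(card.pan, 2500, atc, un, "TERM0001", arqc))
    # 3. a copy of the card that lacks the real key (the counterfeit case EMV targets)
    copy = Card(card.pan, b"\x00" * 16)
    atc2, arqc2 = copy.generate_arqc(2500, un, "TERM0001")
    results.append(issuer.authorise(card.pan, 2500, atc2, un, "TERM0001", arqc2))
    # 4. genuine cryptogram, but the amount was changed in transit
    un3 = secrets.token_bytes(4)
    atc3, arqc3 = card.generate_arqc(1000, un3, "TERM0001")
    results.append(issuer.authorise(card.pan, 9999, atc3, un3, "TERM0001", arqc3))
    return results


if __name__ == "__main__":
    for r in demo():
        print(r)
```

Only the first request is approved. The replay is caught by the counter, and both the keyless copy and the altered amount fail because the issuer's recomputed cryptogram does not match; a magnetic-stripe clone of the card can never produce a valid code because the key never leaves the chip.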
It’s important to note that EMV is designed to address card-present counterfeit fraud. Merchants that have an online presence need to employ other techniques and tools. Address Verification Service (AVS) can be used to confirm the customer’s billing address with the card issuer. Participating in card security code (CVV2, CVC2, etc.) verification can help ensure that the card is genuine and tied to a legitimate account. For merchants with more sophisticated eCommerce needs, 3D Secure may be an option. 3D Secure provides a higher level of cardholder authentication, giving the merchant more confidence that the purchase is legitimate. If your eCommerce or online cart provider offers 3D Secure, it should definitely be considered, especially if you are selling high-ticket goods like jewelry. Beyond technology, merchants should put processes in place to identify transactions that may be higher risk. Risk indicators include new customers, orders for multiples of an item, different shipping and billing addresses, high-dollar orders and requests for expedited delivery.
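The risk indicators listed above, together with the AVS, security-code and 3D Secure outcomes, lend themselves to a simple scoring step that flags an order for manual review before it ships. The code below is an added example for this article, not a tool from the author or from any payment provider. The rule weights and thresholds are assumptions to be tuned against a merchant's own chargeback history, and the AVS and security-code outcomes are simplified labels rather than the real single-letter response codes returned by processors; the sample orders are constructed.

```python
from dataclasses import dataclass


@dataclass
class Order:
    order_id: str
    prior_orders: int      # completed orders from this customer before today
    quantities: dict       # sku -> quantity ordered
    total: float           # order value in the merchant's currency
    billing_zip: str
    shipping_zip: str
    expedited: bool
    avs: str               # simplified AVS outcome: "full", "zip_only", "no_match", "unavailable"
    security_code: str     # simplified CVV2/CVC2 outcome: "match", "no_match", "not_checked"
    three_ds: bool         # cardholder authenticated through 3D Secure


# (rule name, test, points). Weights are an assumption for illustration.
RULES = [
    ("new customer",            lambda o: o.prior_orders == 0,                        1),
    ("multiples of one item",   lambda o: any(q >= 3 for q in o.quantities.values()), 2),
    ("ship/bill mismatch",      lambda o: o.shipping_zip != o.billing_zip,            2),
    ("high value",              lambda o: o.total >= 500,                             2),
    ("expedited delivery",      lambda o: o.expedited,                                1),
    ("AVS partial/unavailable", lambda o: o.avs in ("zip_only", "unavailable"),       1),
    ("AVS no match",            lambda o: o.avs == "no_match",                        3),
    ("code not checked",        lambda o: o.security_code == "not_checked",           1),
]
THREE_DS_CREDIT = 3          # an authenticated cardholder lowers the score
REVIEW_AT, DECLINE_AT = 4, 10


def assess(order: Order):
    """Return (decision, score, reasons). A failed security-code check is a hard
    decline; everything else is additive and triaged by threshold."""
    if order.security_code == "no_match":
        return "decline", None, ["security code mismatch"]
    hits = [(name, pts) for name, test, pts in RULES if test(order)]
    score = sum(pts for _, pts in hits)
    reasons = [name for name, _ in hits]
    if order.three_ds:
        score -= THREE_DS_CREDIT
        reasons.append("3D Secure authenticated (-%d)" % THREE_DS_CREDIT)
    if score >= DECLINE_AT:
        decision = "decline"
    elif score >= REVIEW_AT:
        decision = "review"
    else:
        decision = "accept"
    return decision, score, reasons


# Constructed sample orders (not real customer data).
SAMPLE_ORDERS = [
    Order("A-1001", 5, {"mug": 1},   45.0,   "30301", "30301", False, "full",     "match",    False),
    Order("A-1002", 0, {"watch": 4}, 1200.0, "30301", "90210", True,  "zip_only", "match",    False),
    Order("A-1003", 0, {"ring": 1},  800.0,  "30301", "30305", False, "full",     "match",    True),
    Order("A-1004", 2, {"ring": 1},  120.0,  "30301", "30301", False, "full",     "no_match", False),
]


if __name__ == "__main__":
    for o in SAMPLE_ORDERS:
        decision, score, reasons = assess(o)
        print(o.order_id, decision, score, "; ".join(reasons))
```

A-1001 is a repeat customer with everything matching and sails through. A-1002 hits nearly every indicator in the paragraph (new, four of one item, shipping to a different ZIP, high value, expedited, only a partial AVS match) and lands in the review queue for a phone call or a hold. A-1003 shows why 3D Secure matters for high-ticket goods: the same order without cardholder authentication would score 5 and go to review, but with it the merchant can ship with confidence. A-1004 is declined outright on the security-code mismatch regardless of how clean the rest looks.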
Today’s technology provides small businesses with new tools to reach a vast market that was unimaginable to previous generations. However, that technology also provides criminals with the tools to steal data from your business and commit fraud in your stores. To protect your business and customers, a robust payments security strategy is an essential component of every small merchant’s business plan.
[1] Face-to-face domestic fraud rate in France, 2012, Banque de France