First Data Market Insight
Key Trends in Merchant Security: A Multi-Layered Approach that Will Dramatically Reduce Risk
The world of payments is changing at the point-of-sale and beyond, and
opportunities are seemingly endless. The US will adopt EMV standards
(even if no one can say how or when). The move from magnetic stripe
payment cards to contactless wave-and-go will finally take hold as mobile
payments become more mainstream. Existing technologies such as
tokenization and data analytics are becoming stronger forces as
innovations continue to erupt.
These opportunities and more extend to merchants, financial institutions,
processors, and a host of new-to-the-industry players. Cybercriminals, on
the other hand, will have more obstacles to overcome. It is a certainty,
though, that fraudsters will adjust, even as heavy-duty security options
grow. Criminals will continue to take the path of least resistance. When a
merchant plugs one hole in the “security dam,” criminals will move to
another hole.
April 2011
© 2011 First Data Corporation. All Rights Reserved. All trademarks, service marks and trade names referenced in this material are the property of their respective owners.
Any security program that does not include the most up-to-date barricades throughout the
payment processing chain will drown. Adding layers of data security and fraud prevention tools
will better ensure merchants can manage vulnerabilities throughout the payment processing
sequence. You must proactively seek the holes and potential weak spots in the dam and plug
them.
Along with looking at payment systems holistically, growing with the times is essential. Keeping
up with data security and fraud protection tools—and being one step ahead of fraudsters’
schemes—is more critical now than ever. The statistics remain compelling:
→ For the fifth year in a row, data breach costs have continued to rise, hitting an
average of $214 per compromised record in 2010 [1]
→ US fraud losses (credit, debit, and prepaid cards) were $6.89 billion in 2009, and
experts believe that fraud will reach $10 billion per year by 2015 [2]
→ 43 percent of consumers who have been the victims of fraud stop doing business with
the merchant where the incident occurred [3]
→ In 2010 alone, one annual study included investigations of nearly 800 new breach
incidents—the same number of incidents investigated, in total, over the course of the
prior five years from 2004-2009 [4]
INTRODUCTION
Payment choices are expanding. Technology is progressing. Data security tools are advancing.
And cybercriminals are adapting.
So what is the solution? There is not one. That is, no single solution exists: a multi-level
approach to data security and fraud detection allows flexibility and provides a solid defense.
Merchants should base their current and future security plans on technologies that complement
one another, solving for many susceptibilities throughout the payment processing chain.
To help merchants determine their go-forward approach to data security and fraud detection,
First Data has identified four trends impacting payments that, together, are already shaping the
way businesses protect their payments and their customers’ personal information.
→ EMV
→ Tokenization
→ Contactless/One-Time Use Account Numbers (Dynamic PAN)
→ Advanced Fraud Prevention and Detection Tools
These industry-changing drivers provide ammunition for significant advances in preventing and
protecting from breach and fraud, and guarantee that security will be factored into investment
choices and operational plans moving forward. The growing significance of data security and
fraud detection requires merchants to look today at the potential impacts of tomorrow. Early
adopters will have a distinct competitive advantage.
EMV
EMV (which stands for EuroPay, MasterCard, and Visa, the three companies that devised the
standard) is a common set of standards for payment applications that use chip-based cards.
A card’s embedded microprocessor chip interacts with an EMV-enabled terminal to validate the
integrity of a card number. It also verifies certain static and dynamic data used in a transaction
to ensure the card is not fraudulent and the person using it is the owner of that card.
As of the end of 2010, there were more than 1 billion [5] EMV-compliant chip-based payment
cards in use worldwide. More than 60 countries use the EMV standard, yet the US is the only
member of the G20 not to have EMV in place [6].
It is not a question of “if” but “when” EMV will become standard in the US. “With the rest of
the world migrating to EMV, the US will be at the receiving end of hyperbolic growth in card
fraud costs [7].”
Implementation of EMV in the US has the potential to dramatically impact merchants, financial
institutions, and consumers. Fraud losses resulting from credit, debit, and prepaid cards in the
US are growing at a rate of half a billion dollars each year [8]. The EMV system provides
increased security and authentication measures to help reduce fraud beyond what a traditional
magnetic stripe payment card environment provides.
Additionally, EMV may bring a payments fraud “liability shift.” In many regions across the world
where EMV is in place currently, a non-EMV compliant merchant/issuer is responsible for
fraudulent card payment transactions [9]. It is not clear if this particular criterion would be included
in the US implementation of EMV standards.
What to consider
There is no set timeline for EMV standards to be adopted in the US; however, merchants who
wait for widespread implementation will begin at a disadvantage when the standard is accepted.
To help reduce fraud, many banks and large retailers are already preparing to implement an
EMV solution. Additionally, if a fraud liability shift occurs, EMV-ready merchants are in a much
better place to manage their compliance.
Tools you select today should be able to evolve as your needs and the industry changes. For
example, choose terminals and card readers that are already EMV-capable such as First Data’s
EMV-enabled proprietary POS equipment, scheduled for availability in 2011.
For your overall security investments, think about a compilation of parallel solutions to help
safeguard various points in the payment process. EMV provides protection against common
consumer-level attacks such as the fraudulent use of lost or stolen cards. EMV does not offer
that same protection in card-not-present (CNP) environments, however. Nor does it safeguard
against the theft of sensitive cardholder information while that data is “in-transit” for processing
and acquiring or “at-rest” (stored in terminals or data warehouses). EMV is most effective when
used in conjunction with other solutions that protect payment card data once the card is waved
or swiped. For a more complete data security resolution, add combinations such as encryption
and tokenization to EMV to help safeguard security exposures that exist at various points in the
payment process.
Tokenization
Tokenization is an increasingly popular approach for the protection of sensitive cardholder data.
It works by removing Primary Account Numbers (PANs) from the merchant environment and
replacing card numbers with random token numbers (or aliases). The alias becomes the
customer identifier (as opposed to the actual card number) in the merchant’s system.
This solution vastly reduces a merchant’s risk if a data violation occurs. Customer payment data
housed in back-end systems by merchants is one of the main opportunities for data breach.
Criminals can insert malware to extract large amounts of sensitive cardholder information. For
example, in 2010, 49 percent of almost 800 breach investigations were attributed to malware [10].
The tokenization process eliminates actual cardholder data from entering a merchant’s
environment after a transaction has been authorized. If a merchant’s system is breached, the
criminals would get the token numbers, which are useless gibberish to a fraudster and cannot
be monetized.
Compliance management is another important benefit of tokenization. Using token numbers
instead of real card data (or even encrypted card data) in back-end business applications
shrinks the merchant’s cardholder data environment that is subject to PCI DSS (Payment Card
Industry Data Security Standards) compliance requirements and audits. The token number has
no value or link back to the original PAN and is therefore out of scope of PCI DSS requirements.
This reduction of PCI DSS scope can save merchants significant time and money.
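The vault model described above, as an added example (not First Data's or TransArmor's implementation): the merchant back end stores only random tokens, while the vault, assumed here to sit with the processor, holds the only mapping back to the PAN. The rule that a token must fail the Luhn check, and the well-known test card number used in the comments, are this example's own assumptions.

```python
import secrets
import string


def luhn_valid(number: str) -> bool:
    """Luhn check-digit test; every real PAN passes it."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Sits with the processor, outside the merchant's systems, and holds the only
    token<->PAN mapping. Tokens are random, not derived from the PAN, so without
    this map a token cannot be turned back into a card number."""

    def __init__(self):
        self._token_to_pan = {}
        self._pan_to_token = {}

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a well-formed PAN")
        if pan in self._pan_to_token:        # same card -> same alias, so the merchant
            return self._pan_to_token[pan]   # can still recognize a returning customer
        while True:
            # keep the last four digits for receipts, draw the rest from a CSPRNG
            token = "".join(secrets.choice(string.digits) for _ in range(len(pan) - 4)) + pan[-4:]
            # design choice in this example: a token must FAIL the Luhn check, so it can
            # never be mistaken for a live card number downstream
            if token not in self._token_to_pan and not luhn_valid(token):
                self._token_to_pan[token] = pan
                self._pan_to_token[pan] = token
                return token

    def detokenize(self, token: str) -> str:
        """Only the vault can do this; merchant code never needs to call it."""
        return self._token_to_pan[token]


class MerchantBackEnd:
    """Merchant-side storage after authorization: tokens only, never the PAN."""

    def __init__(self, vault: TokenVault):
        self._vault = vault
        self.orders = []

    def record_sale(self, pan: str, amount: float) -> str:
        # models the token coming back with the authorization response
        token = self._vault.tokenize(pan)
        self.orders.append({"customer": token, "amount": amount})
        return token

    def contains_pan(self, pan: str) -> bool:
        """What a breach of this database would yield: is the real PAN anywhere in it?"""
        return any(pan in str(v) for o in self.orders for v in o.values())
```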
What to consider
As with all data security and fraud detection
solutions, tokenization is only one tier of an effective
security program. The tokenization process prevents
sensitive cardholder data from entering a merchant’s
environment after a transaction has been authorized.
Combining this technology with encryption protects
the payment process even more effectively.
Encryption, which transforms plain text information
into a non-readable form, helps protect payment card
data prior to authorization. (Encryption on its own is
not an all-encompassing solution either: the process
meets the PCI DSS requirements for protecting data,
but encrypted data is still considered within the scope of PCI DSS requirements for assessment
by the PCI Security Council because the actual data is still present.) Noncompliance can be
costly. Merchants responding to a 2010 survey didn’t realize that noncompliance with PCI DSS
could include fines of thousands of dollars and a per-card fee for each card that has to be
cancelled [11].
When used together, the tools help protect data from the point-of-wave or -swipe through
post-authorization storage. That combination of layered tools, which is available in the First Data®
TransArmor® solution, shrinks the risk of stolen card data and can lower the cost and effort of a
merchant’s annual PCI DSS audit.
Contactless and One-Time Use Account Numbers
(Dynamic PAN)
More than 286 million [12] Americans have mobile phones and 68 percent [13] will have smartphones
by 2015. People are texting (over 1.5 trillion [14] text messages sent in 2009) and downloading
apps (over 3 billion apps [15] in four years).
Contactless is a wave-and-go payments model. At checkout lanes with specially-equipped
readers, consumers with a contactless-enabled payment device can save time by simply waving
the device within close proximity to a contactless-enabled reader. The technology uses a Near
Field Communication (NFC) chip embedded in the payment device—a phone, a card, a key fob, and
much more.
Payments via magnetic stripe technology are on the way to extinction.
Contactless payment methods are not new and many
payment cards have been contactless-enabled for
several years. However, the adoption of contactless in
the form of payment cards has not been fully embraced by consumers or businesses. Mobile
phone payments and mobile-delivered promotional offers are emerging, though, and these new
tools will cause the usage of contactless technology to skyrocket. Mobile contactless
transactions are expected to top 2.2 billion [16] in 2011.
The question on many minds in the industry today pertains to the security of contactless
transactions. An electronic payment must be connected to a user’s Primary Account Number for
authorization—so if a PAN is stolen, how do we ensure it is not used over and over in a
contactless environment?
Traditionally, the PAN is read from the magnetic stripe on the payment card when the swipe
occurs at the point-of-sale. That real account information is used to complete the payment,
leaving the data vulnerable to breach at almost any point in the payments processing lifecycle.
With one-time card number technology (also known as Dynamic PAN), for each transaction a
consumer makes, the chip transmits a card number that is good for only a single use. The
consumer’s real account information is not used in the payment transaction and would not be
available to criminals hacking into a merchant’s system. (The 2010 report of an annual Verizon
study noted that hacking impacted 89 percent of breached records. The analysis included
more than 800 data security investigations [17].) Even in cases of skimming—intercepting card
data between the card and the reader—fraudsters would retrieve the one-time card number and
not the real card information.
Beyond data security, one-time card numbers help alleviate PCI DSS compliance concerns, just
as tokenization does, since customers’ sensitive data is not kept in the merchants’ systems.
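The single-use property described above, as an added example that is not part of the original paper and does not describe any vendor's actual chip scheme: the card side derives each number HOTP-style from a per-card secret and a counter (an assumed construction), and the issuer accepts each counter only once, so a number captured by a skimmer is declined when it is presented again. The issuer prefix, account index layout and resync window are constructed for this example.

```python
import hmac
import hashlib

ISSUER_PREFIX = "999900"   # constructed prefix for this example, not a real BIN
WINDOW = 10                # how far past the last accepted counter the issuer will look


def one_time_number(key: bytes, account_index: int, counter: int) -> str:
    """Derive a 16-digit single-use account number from a per-card secret and a counter.
    Assumed layout: 6-digit issuer prefix + 4-digit account index (so the issuer can
    find the card) + 6 digits truncated from an HMAC over the counter."""
    mac = hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
    dynamic = int.from_bytes(mac[:4], "big") % 1_000_000
    return f"{ISSUER_PREFIX}{account_index:04d}{dynamic:06d}"


class Chip:
    """Card/phone side. Holds the secret and a counter; the real PAN is not even present,
    so nothing the chip transmits can reveal it."""

    def __init__(self, key: bytes, account_index: int):
        self._key = key
        self._index = account_index
        self._counter = 0

    def pay(self) -> str:
        self._counter += 1
        return one_time_number(self._key, self._index, self._counter)


class Issuer:
    """Issuer/processor side: the only place one-time numbers map back to a real account."""

    def __init__(self):
        self._cards = {}   # account_index -> [key, real_pan, last_counter_accepted]

    def enroll(self, account_index: int, key: bytes, real_pan: str) -> None:
        self._cards[account_index] = [key, real_pan, 0]

    def authorize(self, number: str, amount: float) -> dict:
        if len(number) != 16 or not number.isdigit() or not number.startswith(ISSUER_PREFIX):
            return {"approved": False, "reason": "not one of our one-time numbers"}
        index = int(number[6:10])
        card = self._cards.get(index)
        if card is None:
            return {"approved": False, "reason": "unknown card"}
        key, real_pan, last = card
        # Accept only a counter the card has not used yet (within a resync window):
        # a skimmed number carries an already-consumed counter and is declined.
        for c in range(last + 1, last + 1 + WINDOW):
            if hmac.compare_digest(one_time_number(key, index, c), number):
                card[2] = c
                return {"approved": True, "last4": real_pan[-4:], "amount": amount}
        return {"approved": False, "reason": "number already used or out of window"}
```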
What to consider
Are you prepared for the contactless revolution? Every indication is that contactless payments
are the wave of the future. For example, evidence from various pilot programs shows
overwhelmingly that once consumers have tried contactless payments, especially Generation Y
users, they have a strong preference for this method. The 35 years-and-under consumer
segment uses contactless methods twice as often as other consumer segments and should be
considered a preferred target market for new contactless products [18].
The revolution will likely be small spurts of users jumping on board rather than a mad rush. But,
as with EMV and the other trends included in this paper, being proactive is in your best interest.
Invest in solutions that work for you today and that are prepared for the inevitable industry
changes. Now is the moment to equip your business with contactless-enabled point-of-sale
devices if you have not already done so.
Arguably, as the mobile revolution is poised to erupt, the most important preparation is around
security. For contactless payments, one-time card number technology is the industry-leading
tool in single-solution security. But the theme of layers continues. Include one-time card number
technology in your overall plan, in conjunction with EMV to reduce fraud prior to the transaction
and tokenization for the same purpose post-authorization.
Advanced Fraud Prevention and Detection Tools
Fraud prevention and detection tools are not new to the market; however, the most recent
solutions and those on the horizon are far more sophisticated than previous options. The latest
innovations are based on the analysis of commerce behaviors, using shoppers’ overall
purchase habits and shopping patterns—not just transaction data—to check for anomalies.
Through automated transactional risk scoring and associated decisioning engines, suspicious
transactions can be identified and examined in real-time.
While merchants should still use Address Verification System (AVS) and Card Verification Value
(CVV)—note the premise of stages, again—stronger strategies leverage fraud detection and
prevention systems that “score” the risk level of a transaction based on an expanded database
of information. The score is used during the authorization process to determine if a transaction
should be accepted, rejected, or flagged. (Placing the parameter control in the hands of the
merchant allows the automated decisions to be tweaked and revised as trends emerge based
on the merchant’s risk tolerance and transaction handling preferences.)
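The scoring and decisioning flow described above, as an added example (not First Data's engine): a few verification and behavioral signals are weighted into a risk score, and merchant-tunable thresholds map that score to accept, flag, or reject at authorization time. All weights, thresholds, customer history and sample transactions are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class CustomerProfile:
    """Behavioral history behind the score (purchase habits, devices, geography)."""
    avg_amount: float
    known_devices: frozenset
    usual_country: str


@dataclass
class Transaction:
    amount: float
    device_id: str
    country: str
    avs_match: bool        # Address Verification System result
    cvv_match: bool        # Card Verification Value result
    txns_last_hour: int    # velocity on this account


# Weights and thresholds are the "parameter control" left in the merchant's hands;
# these values are constructed defaults, not anyone's production tuning.
DEFAULT_WEIGHTS = {
    "avs_mismatch": 25,
    "cvv_mismatch": 30,
    "new_device": 15,
    "foreign_country": 20,
    "amount_spike": 20,   # more than 3x the customer's average purchase
    "velocity": 15,       # 3 or more purchases in the past hour
}
DEFAULT_THRESHOLDS = {"flag": 30, "reject": 60}


def score_transaction(txn, profile, weights=DEFAULT_WEIGHTS):
    """Return (score, reasons). Higher means riskier; reasons lists the rules that fired."""
    reasons = []
    if not txn.avs_match:
        reasons.append("avs_mismatch")
    if not txn.cvv_match:
        reasons.append("cvv_mismatch")
    if txn.device_id not in profile.known_devices:
        reasons.append("new_device")
    if txn.country != profile.usual_country:
        reasons.append("foreign_country")
    if txn.amount > 3 * profile.avg_amount:
        reasons.append("amount_spike")
    if txn.txns_last_hour >= 3:
        reasons.append("velocity")
    return sum(weights[r] for r in reasons), reasons


def decide(score, thresholds=DEFAULT_THRESHOLDS):
    """Map a score to the authorization-time outcome: accept, flag for review, or reject."""
    if score >= thresholds["reject"]:
        return "reject"
    if score >= thresholds["flag"]:
        return "flag"
    return "accept"


def evaluate(txn, profile, weights=DEFAULT_WEIGHTS, thresholds=DEFAULT_THRESHOLDS):
    """Full pass: score the transaction and return the decision with its reasons."""
    score, reasons = score_transaction(txn, profile, weights)
    return {"score": score, "decision": decide(score, thresholds), "reasons": reasons}
```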
What to consider
Accepting eCommerce and other CNP payment
options makes automated transactional risk
tools even more critical. Online commerce
continues to grow; cybercrime is increasingly
more prevalent; and customers want more
payment options. One of the most difficult
challenges with CNP transactions is validating a
shopper’s identity: an advanced transactional
risk tool is a powerful safeguard to help
eCommerce merchants avoid accepting
fraudulent payments.
An experienced, qualified partner is critical to implementing and evolving a sophisticated,
automated, facts-based prevention and detection solution—especially to help you manage
data-related issues and to identify your risk tolerance.
Meeting customers’ demands for eCommerce and other card-not-present payment choices is good
for business. Using layered security methods throughout the payment process will help merchants
manage the additional security needs that come with CNP payment processing capabilities.
Data is critical to developing the best fraud strategy to protect your business; however,
gathering and analyzing the right information is often a challenge. Combining device recognition
data with customers’ spending habits and patterns, along with transaction data, is essential to
ensuring the right level of protection while maximizing the number of completed sales.
CONCLUSION
The trends discussed in this paper—EMV; tokenization; contactless and one-time use account
numbers; and advanced fraud prevention and detection tools—will define the direction of a
successful security strategy going forward. They will impact more than just payment card
security and fraud detection: overall business approaches will change as security becomes a
higher priority.
Savvy merchants are taking more responsibility for their customers’ private data (as evidenced
by the recent growth in tokenization use). Staying on top of security requires constant vigilance
and growth, however. An approach must be comprehensive and dynamic. Organizations that
secure cardholder data with multiple layers of safety measures will be better able to reduce risk
and fraud. That, in turn, will enable more business as new payment technologies arise and new
ways to steal the sensitive data are devised.
Brick-and-mortar, brick-and-click, or completely Web-based, it does not matter where payment
transactions take place. Organizations must realize that data security and fraud prevention are
essential to the success of their entire business. They are not options; they are critical to keeping
the entire dam from bursting.
“Money moves and transactions travel but lack of security can stall spending.” [19] And customers’
spending is, of course, the basis of all business.
Additional Reading: White Papers from First Data
Top 10 Tips to Help Keep Your Data Safe
Why Wait for EMV to Solve Your Fraud Problems? One-Time Use Card Numbers Can Reduce
Debit Fraud Now
A Primer on Payment Security Technologies: Encryption and Tokenization
Implementing Tokenization Is Simpler than You Think
Strategies for Reducing the Risk of eCommerce Fraud
Data Security Made Simple
Sources
1. 2010 Annual Study: U.S. Cost of a Data Breach. Ponemon Institute, LLC. March 2011.
2. Six Myths Preventing EMV Migration in the US: Fact vs. Fiction. Bell ID. 2011.
3. Javelin Strategy and Research. June 2009.
4. Verizon 2010 Data Breach Investigations Report. Verizon Business RISK Team in cooperation with the United States Secret Service. 2010.
5. www.emvco.com
6. Six Myths Preventing EMV Migration in the US: Fact vs. Fiction. Bell ID. 2011.
7. Six Myths Preventing EMV Migration in the US: Fact vs. Fiction. Bell ID. 2011.
8. Ibid.
9. “My Card Club” blog. August 2010.
10. Verizon 2010 Data Breach Investigations Report. Verizon Business RISK Team in cooperation with the United States Secret Service. 2010.
11. Small Merchant Data Security Study. First Data and National Retail Federation. 2010.
12. Mobile Payment Revolution: How Merchants Can Use Mobile Payment Specifications to Manage Transaction Costs. White paper. First Data. 2010.
13. Mobile Wallets report. Javelin Strategy and Research. January 2011.
14. Mobile Payment Revolution: How Merchants Can Use Mobile Payment Specifications to Manage Transaction Costs. White paper. First Data. 2010.
15. Ibid.
16. “Smart Cards in the US: Contactless Payment Cards.” Packaged Facts. May 2007.
17. Verizon 2010 Data Breach Investigations Report. Verizon Business RISK Team in cooperation with the United States Secret Service. 2010.
18. 2010 Study of Consumer Payment Preferences. BAI and Hitachi Consulting. November 2010.
19. PYMNTS.com. April 2011.