Large credit card breaches have been out of the payments industry spotlight for some time, while the US payments industry has focused on other security and fraud-related initiatives like EMV, tokenization and encryption. Unfortunately, Friday’s announcement by Global Payments that they had uncovered a major breach in early March has brought back a clear reminder that “data at rest” continues to be the industry’s single most consequential security issue.
Underscoring the dramatic nature of the breach, Visa announced on Sunday, April 1, that it was making the rare move of delisting Global Payments from its list of “compliant service providers.” As of Sunday night, MasterCard hadn’t yet announced its plans.
The breach is thought to be linked to a parking garage or taxi company in the New York City area, and announcements from Visa, MasterCard and Global Payments highlighted its severity. Ten million cards may be involved, and thousands of banks and credit unions whose customers may have been affected have been notified. Because full Track 1 and Track 2 data was taken, the compromised card information could be used to make counterfeit cards. News of Global Payments’ involvement in the breach wreaked havoc on the firm’s stock, causing trading on the NYSE to be halted midday on Friday.
Unfortunately, the industry’s new efforts to push toward an EMV security environment in the US do nothing to address the core issue at stake here. Large data compromises of huge databases of card information continue to have value for thieves, even in a “chip and PIN” environment. Fraud data in EMV-compliant countries reminds us that fraud and counterfeit cards continue to be a problem, even though counterfeit card usage in “chip and PIN” countries shifts from POS environments to non-face-to-face environments like the Internet. Moreover, EMV was designed in the context of a European payments environment that faced dramatically different fraud and security challenges than the US. EMV does not address the root causes or key factors associated with these massive breaches, which have been of greater concern to the US payments industry.
The industry might do well in the wake of this latest breach to refocus its efforts on the root causes of most of these large fraud episodes. Solutions like tokenization and encryption, by focusing on the challenges of securing data at rest, may well gain some more interest in the aftermath of this unfortunate incident. Encryption solutions, available from many industry providers, protect sensitive financial information wherever it is stored, while tokenization solutions use “tokens” to stand in for actual credit card numbers, allowing card transactions to process without storing sensitive credit card data in multiple vulnerable locations.
As details of the nature of the breach are still emerging, it is not clear that those solutions would have solved this specific problem. Once the forensic investigations of this latest breach are complete, however, it is critical that the industry look at the data about this and other major breaches to determine whether the security solutions being recommended to the payments industry at great cost actually address the major security issues of our day.
Margaret Weichert is a Managing Director at Market Platform Dynamics. An acknowledged leader and innovator in payments and financial technology, Margaret has received seven US patents and is an inventor on many additional pending patents. Prior to joining Market Platform Dynamics, Margaret was the SVP, Global Product Marketing at First Data.