When it comes to preventing payment data fraud, is EMV the cure-all?
Joe Majka, Chief Security Officer at Verifone, thinks not. He recently shared his thoughts with PYMNTS on the future of protecting payments: who is most vulnerable to data breaches (and why), and what types of adjustments merchants can make to help “change the game.”
While acknowledging that EMV is presently a worthwhile and necessary endeavor, Majka warns that the technology is “not the magic elixir for preventing credit card fraud.” He notes that EMV’s strength lies primarily in preventing the counterfeiting of credit and debit cards, but it is ineffective when it comes to preventing lost/stolen or card-not-present fraud and protecting data stored on computers or being transmitted over networks.
“EMV,” says Majka, “would not and could not have prevented the compromise of millions of card payment accounts due to data breaches at major retailers in recent years.”
Majka concurs that those types of breaches “should become increasingly irrelevant” as the payments industry inches closer to full conversion to an EMV standard, adoption of point-to-point encryption (P2PE) and use of tokenization, which will eventually make physically-presented card data unusable to cybercriminals.
“But it is going to take years before we’re able to eradicate mag-stripe cards completely,” he cautions, “and online fraud is another issue altogether.”
What is important to factor in, says Majka, is that smaller retailers are as much at risk of data breaches as larger ones – and their vulnerability is on the rise.
“Most people only hear about the ‘mega’ breaches,” he says, “but hundreds of smaller merchant data breaches occur on a regular basis. In fact, as larger retailers fortify their defenses, smaller companies are increasingly tempting to thieves.”
Majka points to a recent investigative report by Brian Krebs on security breaches that shows that the shift by cybercriminals from targeting major retailers to innumerable, smaller-scale merchants is “giving financial institutions a run for their money” (nearly literally, perhaps), creating great difficulty in tracking down the parties responsible for ongoing fraudulent actions.
By Majka’s observation, restaurants currently appear to be the most popular target for data breaches, along with grocery stores and “just about any small- to medium-sized business.” He asserts that three factors make this segment vulnerable: lack of sophistication in data security; improper use of remote access (particularly in the franchise environment); and the use of integrated POS.
Although small merchants do not possess the dedicated security teams (or the budgets) to which their larger counterparts have access, Majka states that they can nonetheless “rewrite the rules of the game” and protect their customer payment data – as well as their brands – by utilizing EMV coupled with point-to-point encryption (P2PE) and tokenization as part of a multi-layered approach to effective security.
Additionally, for retailers of any size to stay ahead of data breaches, asserts Majka, they must implement payment architecture that is more advanced than traditional models.
In traditional models, payment data is routed from the terminal to the POS or electronic cash register (ECR) and then to the processor host. By contrast, Majka describes the architecture that Verifone offers (called Secure Commerce Architecture), wherein sensitive payment data is encrypted at the POS using a format-preserving encryption technique and then transmitted directly to the merchant’s payment processor. The non-sensitive information (such as the amount of the sale and the items purchased) is stripped out and sent to the merchant’s ECR.
This is what Majka refers to as a “semi-integrated POS approach.”
Upon transaction approval, a token – not the account number – is returned to the merchant. As a result, explains Majka, “the merchant can still use transactional information for processes such as inventory and charge-back, but without having to retain sensitive payment data in the POS environment.”
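The semi-integrated flow described above, as an added example that is not Verifone's or Majka's code: the terminal encrypts the PAN with a format-preserving cipher and sends it only to the processor, the ECR receives only the sale details, and the processor answers with a token that the merchant keeps instead of the card number. The digit-domain Feistel cipher, the shared terminal key and the token format (12 random digits plus the real last four) are assumptions for illustration, not the product's actual cipher or token scheme.

```python
import hashlib, hmac, secrets

# Constructed demo key; assumption: in a real P2PE deployment it is injected by
# the processor into the terminal and the merchant never holds it.
TERMINAL_KEY = b"constructed-demo-key-not-for-production"

def _f(key, rnd, half, n):
    # Feistel round function: HMAC of one half, reduced to an n-digit number.
    mac = hmac.new(key, bytes([rnd]) + half.encode(), hashlib.sha256).digest()
    return int.from_bytes(mac, "big") % 10 ** n

def fpe_encrypt(key, digits, rounds=8):
    # Simplified digit-domain Feistel cipher (not NIST FF1; rounds must be even):
    # the output keeps the PAN's length and digit alphabet, so legacy fields still fit.
    mid = len(digits) // 2
    l, r = digits[:mid], digits[mid:]
    for i in range(rounds):
        l, r = r, f"{(int(l) + _f(key, i, r, len(l))) % 10 ** len(l):0{len(l)}d}"
    return l + r

def fpe_decrypt(key, digits, rounds=8):
    mid = len(digits) // 2
    l, r = digits[:mid], digits[mid:]
    for i in reversed(range(rounds)):
        l, r = f"{(int(r) - _f(key, i, l, len(r))) % 10 ** len(r):0{len(r)}d}", l
    return l + r

def terminal_capture(pan, amount, items):
    # Terminal-side split: the processor gets only the encrypted PAN,
    # the ECR gets only the non-sensitive sale details.
    to_processor = {"enc_pan": fpe_encrypt(TERMINAL_KEY, pan), "amount": amount}
    to_ecr = {"amount": amount, "items": list(items)}
    return to_processor, to_ecr

class Processor:
    # Processor host: the only party that decrypts and that keeps the token vault.
    def __init__(self):
        self.vault = {}  # token -> PAN, never leaves the processor
    def authorize(self, msg):
        pan = fpe_decrypt(TERMINAL_KEY, msg["enc_pan"])
        # Assumed token format: 12 random digits plus the real last four, so
        # receipts and charge-back lookups work without the merchant seeing the PAN.
        token = f"{secrets.randbelow(10 ** 12):012d}{pan[-4:]}"
        self.vault[token] = pan
        return {"approved": True, "token": token}

def run_sale(processor, pan, amount, items):
    # The record the merchant keeps: ECR data plus the token, never the PAN.
    to_processor, to_ecr = terminal_capture(pan, amount, items)
    resp = processor.authorize(to_processor)
    return {**to_ecr, "token": resp["token"], "approved": resp["approved"]}
```

A useful check on any merchant-side store is the last assertion below: no stored field should contain the PAN once tokens are in place.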
Majka asserts that advanced encryption models like the one he describes can – by offering a simplified and secure process – break down previously held arguments against implementing the technology and, for all intents and purposes, become a game-changer.
Vice President & Chief Security Officer at Verifone
Joe Majka was appointed Vice President and Chief Security Officer May 1, 2014. He is responsible for leading Verifone’s global security operations across the business enterprise. Areas of security oversight include product, services, hardware, information, facilities and emerging risk.
Mr. Majka has more than 30 years of experience in the financial services sector, managing security, fraud, cybersecurity and data breach incident response. For the past 18 years, Mr. Majka has managed electronic payment fraud for Visa and is considered one of the industry’s leading experts. Mr. Majka has spoken internationally on the subject of cybercrime and payment card fraud.
During Mr. Majka’s career at Visa, he led Visa’s data security incident response team, handling the payment industry’s largest merchant and processor data security breaches over the past decade.
In 2009, as Head of Global Fraud Control and Investigations for Visa, Mr. Majka testified before the U.S. House of Representatives Committee on Homeland Security, Subcommittee on Emerging Threats, Cybersecurity and Science and Technology.