There’s only one thing that you can really count on when it comes to online fraud: as soon as a better lock comes along, a better lock pick does too. That’s at least the perspective of Drew Luca, Partner and Co-lead of PwC’s U.S. Payments Practice, who sat down with PYMNTS to reveal his view of the truths and myths of how the business of cybercrime is run. He also has some sobering news for everyone looking for the “silver bullet” too – there aren’t any.
According to recent industry statistics, online transactions will jump from $2.5 trillion in 2014 to $4.7 trillion by 2019. At the same time, cyber-security has become a growing challenge, as technologies change on average about every 18 months. How can organizations keep up?
DL: I think technology is changing rapidly, and it is difficult to keep up with it. There’s been a drive toward a much more customer-centric view over the course of the last few years. That’s likely to continue as time goes by, with other technologies like EMV and mobile emerging in the US and becoming much more mainstream.
EMV provides an opportunity for us to upgrade not just the terminals but also the points of sale, and along with that, to be able to build that much more customer-centric view. While EMV is based upon a very stable but older technology, smart cards have much processing capability than a USB stick or even a smartphone. So as we start to think about that process, and what will roll out for technology, there needs to be an eye for what will come out next.
We’ve seen more developments in payments within the last year, and in particular, within the last couple of months, than we have in the last few decades, making for an exciting time. Keeping up with the technology will become much more relevant and important.
EMV chip cards are considered to be more secure than magnetic stripe cards, but it’s widely known that merchants would need to spend billions of dollars to install EMV-compliant card readers. Wouldn’t other approaches like end-to-end encryption and tokenization also offer substantial fraud-prevention potential at a lower cost?
DL: That’s potentially true, and one thing that’s important to remember about EMV is that it’s just like everything else – it’s not a silver bullet. It’s really targeted at the card present environment, notwithstanding other developments that are emerging that could blur the line a bit more. But tokenization and point-to-point encryption are still solutions that can be used with EMV, further enhancing it.
EMV is also going to make it difficult for the fraudsters to steal cards from a card-not-present environment and use that information to create cloned cards to be used at POS’s or ATMs. EMV will help to raise the bar in that respect, but other technologies will help protect the information as it moves in transit.
There are other things, too, as we look down the path, that could potentially allow us to transact without revealing information at all, or make the information that we reveal largely irrelevant to others. For example, dynamic data – card verification values or card numbers – are certainly things that could also help to raise that bar further.
PwC has recently completed a survey with over 5000 global respondents. The survey had a very large scope ranging from fraud, to IP infringement, to corruption and cybercrime. What are some of the trends and analyses that this survey helped you uncover?
DL: I think a couple of the interesting points that can be brought forth from that survey are related to cybercrime and money laundering, both relevant to the payments industry. One of the things that we’ve discovered over the course of the last several years is that cybercrime is organized – it’s well conducted and well thought through. That’s now led to larger breaches, better ability to exploit the breach and commit greater amounts of fraud in smaller periods of time.
At the same time, we’re starting to see other crime related to fraud like money laundering, the ability to leverage general purpose reloadable prepaid cards, or trading one thing for another, allows for us to see a little bit more money laundering coming to the table.
What are some of the biggest misconceptions in the market today with cybercrime and what is their potential impact on payment security?
DL: As I mentioned, the fact that cybercrime is organized. One of the misconceptions is that the fraudsters are not a business, or not engaged in business. They absolutely are – it’s organized crime. There’s also a belief that there’s state sponsored crime occurring around this to attack and steal card numbers – that hasn’t been officially proven yet but there’s definitely a belief in the marketplace that that’s occurring.
The second misconception is that there is somehow a silver bullet. EMV is not a silver bullet. Tokenization is not a silver bullet. P2PE is not a silver bullet. These items, when chained together, can certainly help to provide a much stronger environment and a much better solution, but they are just pieces that will help to protect and strengthen the chain as it goes. The reality is, as a better lock is built, a better lock pick comes onto the marketplace. Part of that comes from security that’s been bolted onto the back of a solution that wasn’t originally envisioned in that manner.
The misconception is that we can actually secure the environment, and I think one of the realities that we have to become comfortable with is that there will continue to be breaches and losses until the environment is engineered from the ground up with security in mind. But with where we stand today, it will be a while before we master that.
We invite you to explore the rich trove of data, trends and analysis of economic crime uncovered in PwC’s 2014 Global Economic Crime Survey Infographic by clicking the download button below.
Partner and Co-lead, U.S. Payments Practice, PwC
Drew is a Partner in PwC’s Advisory Financial Services, Banking Strategy Technology and Operations practice and co-leads PwC’s US Payments Practice. Drew has more than 20 years of experience with large payments and financial services clients in the government, retail, technology and healthcare industries. His areas of expertise include delivery of numerous enterprise-wide projects to financial institutions, card associations and payment technology providers in functional areas such as payment strategy, product development, business and technology architecture, cost reduction/interchange optimization, fraud and AML.