Breaking down EMV and the “Liability Shift”


There has been a lot of talk relating to EMV, as well as some confusion about how it affects merchants. Now that we have reached the magic date of 10/1/15, when the “Liability Shift” is to occur, let’s decipher what this all means:


The acronym EMV actually stands for Europay, MasterCard and Visa.  EMV is a global standard for credit cards equipped with computer chips and for the technology used to authenticate chip-card transactions.  Don’t be confused if you also hear EMV referred to as Smart Card, Chip Card, Smart-chip Card, Chip-enabled Smart Card, or Chip-and-Choice Card (PIN or signature).

The problem with traditional credit and debit cards pertains to the “magnetic stripes” on the cards, which store unchanging data.  This means that whoever accesses the data gains the sensitive cardholder information necessary to make purchases.  This is why traditional cards are targets of counterfeiters, who are able to easily convert stolen card data to cash.  If someone copies a mag stripe, they are able to replicate that data over and over again because of the static nature of the mag stripe.
In contrast to traditional cards, if a hacker steals an EMV card, a typical card duplication would not be effective because the stolen transaction number created in that instance wouldn’t be usable again and the card would simply be denied.  The bottom line is that EMV technology will not prevent data breaches from occurring, but this dynamic data approach makes it much more difficult for fraudsters to profit from what they steal.
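The static-versus-dynamic distinction above is easiest to see in code. The following is an added example written for this page, not code from the original article or from any card network: it models a mag stripe card whose track data never changes beside a chip card that produces a fresh cryptogram for every transaction, and shows the issuer accepting a copied track twice while rejecting a replayed or altered chip request. The track layout, the test PAN and the use of HMAC-SHA256 as a stand-in for the EMV application cryptogram are all assumptions; real cards derive per-transaction session keys under the EMV specifications.

```python
import hashlib
import hmac
import secrets


class MagStripeCard:
    """Track data is static: every swipe returns exactly the same bytes."""

    def __init__(self, pan: str, expiry: str):
        # Constructed, simplified track layout; real tracks carry more fields.
        self.track = f"{pan}={expiry}"

    def swipe(self) -> str:
        return self.track


class MagStripeIssuer:
    """Authorizes a swipe only by checking the track against issued tracks."""

    def __init__(self, issued_tracks):
        self._issued = set(issued_tracks)

    def authorize(self, track: str) -> bool:
        # Nothing ties the track to one transaction, so a copy is as good
        # as the original and can be replayed indefinitely.
        return track in self._issued


class ChipCard:
    """Produces a fresh cryptogram for every transaction."""

    def __init__(self, pan: str, card_key: bytes):
        self.pan = pan
        self._key = card_key
        self.atc = 0  # Application Transaction Counter, incremented per use

    def generate_cryptogram(self, unpredictable_number: str, amount: str) -> dict:
        self.atc += 1
        msg = f"{self.pan}|{self.atc}|{unpredictable_number}|{amount}".encode()
        # Stand-in for the EMV ARQC (assumption): a MAC over the transaction
        # data under the card's secret key.
        arqc = hmac.new(self._key, msg, hashlib.sha256).hexdigest()
        return {"pan": self.pan, "atc": self.atc,
                "un": unpredictable_number, "amount": amount, "arqc": arqc}


class ChipIssuer:
    """Recomputes the cryptogram and refuses any counter it has already seen."""

    def __init__(self, card_keys: dict):
        self._keys = card_keys
        self._last_atc = {}

    def authorize(self, req: dict) -> bool:
        key = self._keys.get(req["pan"])
        if key is None:
            return False
        msg = f"{req['pan']}|{req['atc']}|{req['un']}|{req['amount']}".encode()
        expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, req["arqc"]):
            return False  # forged or altered transaction data
        if req["atc"] <= self._last_atc.get(req["pan"], 0):
            return False  # replay of an earlier cryptogram
        self._last_atc[req["pan"]] = req["atc"]
        return True


def terminal_unpredictable_number() -> str:
    """The terminal contributes randomness so a cryptogram cannot be precomputed."""
    return secrets.token_hex(4)


def demo_magstripe_replay() -> bool:
    """A copied track authorizes again and again: returns True."""
    card = MagStripeCard("4111111111111111", "2512")  # constructed test PAN
    issuer = MagStripeIssuer([card.swipe()])
    copied_track = card.swipe()  # the same bytes a skimmer would have captured
    return issuer.authorize(copied_track) and issuer.authorize(copied_track)


def demo_chip_replay() -> tuple:
    """Returns (first_use_ok, replay_ok, tampered_ok) = (True, False, False)."""
    key = secrets.token_bytes(16)
    card = ChipCard("4111111111111111", key)  # constructed test PAN
    issuer = ChipIssuer({card.pan: key})
    request = card.generate_cryptogram(terminal_unpredictable_number(), "12.50")
    first = issuer.authorize(request)
    replayed = issuer.authorize(dict(request))  # identical request resubmitted
    tampered = issuer.authorize(dict(request, amount="999.00", atc=request["atc"] + 1))
    return first, replayed, tampered


if __name__ == "__main__":
    print("mag stripe copy replays:", demo_magstripe_replay())
    print("chip (first, replay, tampered):", demo_chip_replay())
```

Note that the chip issuer still learns the PAN in the clear; the cryptogram protects the transaction, not the account number, which is the point the article makes below about EMV not replacing encryption or PCI obligations.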
The U.S. credit market has been criticized for being the last major market still using the magnetic-stripe card system.  In contrast, many European countries moved to EMV technology years ago to combat high fraud rates.   When EMV cards were introduced in Europe and other parts of the world, POS fraud was greatly reduced, as expected.  However, fraudsters followed the path of least resistance and focused more on online fraud, where EMV’s security features do not apply.  As a result, online fraud spiked.
There remains a primary distinction between EMV as introduced in the U.S. and that utilized throughout Europe.  In Europe, EMV cards are often referred to as “Chip-and-Pin” cards and operate just like the checking account debit cards that Americans have used for years.  Entering a PIN connects the payment terminal to the payment processor for real-time transaction verification and approval.  This additional verification step provides an additional level of protection.
In contrast to Europe’s Chip-and-Pin cards, the U.S. form of EMV is characterized as a “Chip-and-Signature” card transaction.   As with traditional magnetic stripe credit cards, American consumers, with rare exception, will continue to sign on the point-of-sale terminal to take responsibility for the payment when making a chip-and-signature card transaction.  Some commentators have projected that it may take two to three years to fully convert to an EMV “Chip-and-Pin” format once the transition to EMV is fully under way in the U.S.   Others see signs that the direction is to move away from “plastic” towards contactless payments.
EMV is not helpful for e-commerce transactions, as it only applies to “Card Present” transactions.
EMV is not encryption: it does not encrypt the Primary Account Number (PAN), so the card data must still be protected according to PCI guidelines.  Simply put, EMV technology neither overrides PCI obligations nor satisfies PCI requirements.
Merchants are advised to consider EMV as a valuable weapon against fraud while recognizing that it should be implemented in a layered manner along with validated point-to-point encryption (P2PE) to reduce PCI scope and protect data.  Additionally, using tokens (tokenization) after authorization can prevent the card data from being used in the event that it is stolen.
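To make the tokenization layer concrete, here is an added example written for this page (not code from the original article, from PCI University, or from any P2PE or tokenization vendor). It models a service-provider token vault and a merchant database that keeps only tokens after authorization, then simulates a breach of the merchant’s order table to show that the dump contains no PAN, that a token cannot be redeemed at a different provider, and that only the provider’s gateway can detokenize. The token format, the "gateway" caller name, the keyed-hash lookup and the test PAN are all constructed assumptions.

```python
import hashlib
import hmac
import secrets


class TokenVault:
    """Service-provider side: after authorization the PAN lives only here."""

    def __init__(self, provider: str):
        self.provider = provider
        self._pan_by_token = {}
        self._token_by_pan_mac = {}
        # Keyed hash lets the vault find an existing token for a repeat
        # customer without keeping a plaintext, searchable PAN index.
        self._mac_key = secrets.token_bytes(32)

    def tokenize(self, pan: str) -> str:
        mac = hmac.new(self._mac_key, pan.encode(), hashlib.sha256).hexdigest()
        token = self._token_by_pan_mac.get(mac)
        if token is None:
            # Random token; only the last four digits are kept, for receipts.
            token = f"{self.provider}_{secrets.token_hex(8)}_{pan[-4:]}"
            self._pan_by_token[token] = pan
            self._token_by_pan_mac[mac] = token
        return token

    def detokenize(self, token: str, caller: str) -> str:
        # Only the provider's own payment gateway may recover a PAN (assumed policy).
        if caller != "gateway":
            raise PermissionError(f"{caller} may not detokenize")
        return self._pan_by_token[token]  # KeyError for a token it never issued


class MerchantDatabase:
    """Merchant side: stores tokens, never the PAN."""

    def __init__(self, vault: TokenVault):
        self._vault = vault
        self.orders = []

    def record_sale(self, order_id: str, pan: str, amount: str) -> str:
        token = self._vault.tokenize(pan)  # PAN is handed off, not stored
        self.orders.append({"order": order_id, "token": token, "amount": amount})
        return token

    def refund(self, order_id: str, caller: str) -> str:
        """Later transactions reference the token; the merchant never holds the PAN."""
        order = next(o for o in self.orders if o["order"] == order_id)
        return self._vault.detokenize(order["token"], caller)


def demo_tokenization() -> dict:
    vault = TokenVault("vaultA")
    db = MerchantDatabase(vault)
    pan = "4111111111111111"  # constructed test PAN
    t1 = db.record_sale("A1", pan, "12.50")
    t2 = db.record_sale("A2", pan, "7.25")  # same card, repeat customer

    # Simulate a breach: the attacker obtains the merchant's whole order table.
    dump = repr(db.orders)

    # A token is bound to the vault that issued it; another provider's vault
    # knows nothing about it.
    other_vault = TokenVault("vaultB")
    try:
        other_vault.detokenize(t1, "gateway")
        usable_elsewhere = True
    except KeyError:
        usable_elsewhere = False

    try:
        db.refund("A1", caller="merchant")
        merchant_can_detokenize = True
    except PermissionError:
        merchant_can_detokenize = False

    return {
        "repeat_customer_same_token": t1 == t2,
        "pan_in_breached_dump": pan in dump,
        "last_four_visible": t1.endswith("1111"),
        "token_usable_at_other_provider": usable_elsewhere,
        "merchant_can_detokenize": merchant_can_detokenize,
        "gateway_can_detokenize": db.refund("A1", caller="gateway") == pan,
    }


if __name__ == "__main__":
    for check, result in demo_tokenization().items():
        print(f"{check}: {result}")
```

The PAN still crosses the wire once, from the terminal to the vault; that hop is what validated P2PE covers, which is why the article pairs the two rather than offering tokenization alone.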
In today’s card processing environment, if an in-store transaction is conducted using a counterfeit, stolen or otherwise compromised card, consumer losses from that transaction routinely fall back on the payment processor or issuing bank.  (Of course, the Issuing Bank or Card processor routinely holds the Merchant contractually liable should they find that there were any PCI infractions associated with a fraudulent transaction).
After the October 1, 2015 deadline created by the major U.S. credit card issuers, the liability for card-present fraud will shift to whichever party is the least EMV-compliant in a fraudulent transaction.   For example, consider a financial institution that issues a chip card that is used at a Merchant’s store that has not made the investment to change its system to accept chip technology.   Should a counterfeit card be successfully used by a fraudster in such a case, the Merchant would face the liability since it failed to upgrade its POS in order to utilize the chip card.
The major credit card issuers have each published detailed schedules pertaining to the shift in liability.  Obviously, the “Shift” is intended to help bring the entire payment industry on board with EMV by encouraging compliance to avoid liability costs.  In fact, most Merchants that were not EMV-ready by October 2015 may expect much higher costs in the event of a large data breach.  (Automated fuel dispensers will have until 2017 to make the shift to EMV).   Given the massive U.S. market, it remains to be seen as to the percentages of banks and retailers that will be EMV-ready.
According to Javelin Research & Strategy, the average cost for a bank to issue a new EMV card is $3.50, and the average cost of an EMV-compliant POS terminal is $500.  Retailers using mobile payment devices such as Square will also have to purchase new equipment to read the chips on EMV cards.  EMV debit cards may be issued to consumers at an even slower pace as banks have to prep their software to accept those cards as few POS systems were equipped in the past to accept debit cards in the U.S.  The overall price tag for retailers to upgrade payment systems to accept new cards is estimated to be more than $8 billion.
The percentages for businesses that have missed the 10/1 date are quite high.  According to National Processing Solutions, 73% of businesses remain non-EMV compliant as of 10/1.  This same source reports that only 25% of consumers have received chip-enhanced cards and that only 27% of merchants are EMV compliant.  No matter how you do the math, the U.S. market is clearly not uniformly prepared for EMV.

PCIU Supports Clark Howard’s efforts to Educate SMBs on Avoiding Security Breaches


The following is a letter from our CEO and Co-founder, Charles Hoff, to consumer watchdog Clark Howard adding helpful information to his site’s article on EMV’s ability to help fight fraud:

I read with interest your very fine 8/18 article on EMV entitled “How Debit Card Chips Fight Fraud.”

Although the article is indeed accurate and contains helpful consumer information,  I believe that your readership would want to know a few additional facts when it comes to EMV.

1) Chip & Pin vs Chip & Signature:  The roll-out of EMV in the U.S. is different from that found in Europe.  Instead of a “Chip and Pin” version used overseas, most of the cards being issued in the U.S. are classified as Chip and Signature.  In Europe the Chip and Pin card works much like a traditional “debit” card as a consumer is protected not only by the embedded microchip, but also has the benefit of a double authenticator as the user must punch in their PIN as well.  In the U.S., we don’t have the benefit of the “pin” protection as consumers continue to sign their receipts, which does not afford any greater security.

2) Limitations to Fraud Protection:  EMV does in fact help prevent both counterfeit and stolen card fraud.  However, it does not do anything to protect consumers against e-Commerce fraud and hackers. In fact, the incidences of e-Commerce fraud spiked in Europe after the introduction of EMV.  Hackers habitually gravitate to the most vulnerable enterprises.

3) Fraud Prevention Requires a Layered Approach:  Cybersecurity experts require a holistic or layered approach consisting of the following:

  1. EMV – to tackle counterfeit and stolen card related fraud;
  2. Point to Point Encryption – a 3rd party solution that encrypts data from the credit card swipe until data reaches a secure decryption environment, and is the best protection during card transmission;
  3. Tokenization – which protects post transmission data by replacing data with alias values/tokens that are meaningless to someone obtaining unauthorized access;
  4. Education/Awareness – no matter what technology investment companies make, human error and lack of training continue to be responsible for a substantial number of breaches.

As roughly 85 – 90% of data security breaches are to small and medium sized businesses, I believe that you and Clark Howard can make an even greater difference in protecting consumers and small business owners by providing just the few additional helpful tips above on this paramount issue.   Please feel free to call on me as a resource if I can be of any help.

Trust Trustwave but Verify

With very little fanfare, Trustwave, the market leader in cybersecurity in North America, announced last month that they had signed a letter of intent to be acquired by Singtel, Southeast Asia’s largest telecommunication firm.  The absence of concerns voiced in public forums suggests either confidence or apathy on the purchase of the largest cybersecurity firm in the U.S. by a foreign company.  It would appear that the general American public as well as the Federal Government are willing to let this deal pass quietly into completion.

Trustwave is a great American success story.  Established in 1995 in Chicago – it now has over three million customers.  One is hard pressed to find a large bank operating within the U.S. which does not use Trustwave; many of them exclusively.  Even the Secret Service has a long standing relationship with Trustwave.  One can only admire how Trustwave has worked hard to become the predominant and most powerful cybersecurity company in the U.S.

In the current environment, data security breaches are rampant from the White House to our favorite neighborhood restaurant.  This raises the question of whether the sale of a company to a foreign national institution that is so vital to national security is too great a risk.

Singtel and Trustwave have said all the right things to assuage fears.  They affirm they will keep Trustwave independent within the U. S. and maintain “Chinese walls” around sensitive security information.  There is no reason to suggest that there is any insidious intent on the part of Singtel.  Neither is there evidence to suggest that its domicile government intends to improperly use the treasure trove of sensitive information on U. S. companies and institutions that Trustwave has in its possession.  However, it would be prudent for the U.S. government regulators to properly examine Singtel’s prospective purchase of Trustwave and provide guidance on how the company should adhere to specific restrictions to safeguard the sensitive security data it maintains on U.S. companies.

The Committee on Foreign Investment in the United States (CFIUS) was established by executive order in 1975 with the purpose of overseeing the national security implications of foreign investors.  The National Security Act of 2007, which is administered by CFIUS, has provided the Federal Government with increased opportunities to review acquisitions and mergers of U.S. companies by foreign interests and, when appropriate, block or enforce stipulations (i.e. ongoing monitoring) on such acquisitions for national security reasons.

CFIUS and Congressional oversight can be triggered by two kinds of acquisitions: 1) those that may result in a foreign government, or an entity controlled by a foreign government, taking control of a U.S. company, or 2) acquisitions that could result in the control of any critical infrastructure in the United States.  On the surface, it would certainly appear as if the Singtel acquisition of Trustwave falls under the purview of the National Security Act and the jurisdiction of CFIUS.

There is a clear precedent for government intervention resulting in either halting or imposing necessary restrictions on a corporate acquisition when national security is at stake.

In 2005 a Chinese state-owned oil and gas company, CNOOC, made an offer to purchase Unocal Corporation.   The U.S. House of Representatives voted for the President to review the transaction, at which point CNOOC backed out of the deal in an effort to soothe tensions.

In 2006 Dubai Ports World attempted to acquire terminal operator P&O which managed ports in New York and New Jersey.   Congress opposed the deal, although CFIUS and President George W. Bush had approved it.  This resulted in Dubai Ports World letting the sale of P&O’s U.S. operations go to American International Group, Inc (AIG).

More recently, in 2012 President Obama, acting in the interest of national security, ordered the Ralls Corporation (owned by Chinese company Sany Group) to divest four wind farms in Boardman, Oregon due to the fact that they were located near a U.S. weapon systems training base.

Hopefully, CFIUS will perform its intended purpose and better ensure that America’s ability to defend against cyber attacks will not be compromised by Singtel’s acquisition of Trustwave.

Charles Hoff is CEO of PCI University whose platform helps small business owners understand PCI in plain English.

Will Uber Change Course & Properly ‘Steer’ Customer Data?


As a fan of Uber, I applaud the company’s effort to disrupt and improve the domain of taxi and limousine services. However, what has been painful to observe is Uber’s efforts to also play the role of a “Big Data” enterprise.  When done correctly, “Big Data” is an effective leveraging tool that improves customer service. But when done poorly (in the case of a data breach), exposed driver information, customer ratings, etc., can have a severe impact on a company’s public image and customer trust.

Just when I had hoped that Uber learned from its media dust-up with a Buzzfeed reporter over the threat of exposing critics’ private data comes word that approximately 50,000 driver names and license numbers may have been subject to a third party data breach in 2014.  A presumed class action suit filed in San Francisco on behalf of a Portland Uber driver also claims that Uber failed to make a disclosure for approximately five months after the breach came to light.  As Uber is defending the suit, time will tell as to what precisely occurred.

The critical concern that Uber needs to recognize is that customer trust is not to be taken for granted.  One of the great features of Uber is that no customer credit card information is ever shared directly with the Uber driver. Instead, all charges are handled inside the Uber app. The customer never has to take the credit card out of their pocket. For this considerable benefit to continue to work effectively, Uber must maintain the sacred trust of the public that credit card information stored by Uber will be properly safeguarded and not be subject to the type of widespread breach which is reported to have occurred to Uber’s drivers.  The obvious concern is that if Uber cannot protect its own drivers’ records, can customer card and data breaches be next?

Hopefully, Uber will take some of its venture capital to invest in proper security technology such as encryption and tokenization, as well as train its personnel on the finer points of the Payment Card Industry Data Security Standard (PCI DSS).  We certainly hope that Uber will learn from its missteps.  It will mean regaining what any business can lose when suffering a data breach: customer loyalty.

What’s Behind PCI U’s Strategic Alliances?


Merchants and franchisors now have more access and opportunity to benefit from powerful, innovative education tools that could save them hundreds of thousands of dollars, thanks to a new partnership between PCI University and Bluefin Solutions. This is in line with PCI University’s efforts to utilize industry leading companies as platforms for our diagnostic tools that measure data security risks for businesses.

The card processing industry is on the front line of making its merchant customers aware of their PCI obligations.  Unfortunately, too many card processors do not do a good job fulfilling this responsibility, as witnessed by companies that charge their merchants PCI compliance fees without providing any effective means to understand how to actually minimize data security exposure.  Yet other processors simply go through the motions, providing customers ineffective assessments that bootstrap to minimal scanning services and a guide to filling out SAQs. Too many merchants are left with a false sense of security, thinking that these limited services are sufficient to provide them with all the PCI compliance they need to sufficiently reduce their risk of data security breaches.

What we admire about Bluefin is that they do not pay lip service about data security – they walk the walk!  Their care for merchant clients is reflected in their approach and commitment. For example, Bluefin is a participating organization at the PCI Security Standards Council and was the first company to receive PCI validation for a P2PE Solution in 2014.  Simply put, this is the kind of partner which PCI University strives to work with in order to make a real difference in helping merchants combat the serious data and card security risks they confront on a daily basis.

Healthcare Wake up Call

It is hoped that Anthem’s breach affecting 80 million of its customers will be the kind of wake-up call for the Health Care Industry of the need to take comprehensive data security measures that the Retail industry experienced with Target and Home Depot. The fact is that information from Health Care files is even more valuable to hackers than Credit Card information, as Medicare and Health Insurance information sells for a premium on websites that sell data on the black market. Anthem’s records include names, addresses and Social Security numbers, which can be used to open new accounts without the individual suspecting anything until the damage has been done. With pilfered Social Security numbers, ID thieves can seek benefits from victims and even apply for employment.

The Health Care Industry and Hospitals have experienced something of a fatigue in the case of patient security and privacy, having undergone over recent years the extensive and expensive requirements imposed by HIPAA. Having implemented HIPAA’s stringent security requirements, many in the health care industry have been either complacent or under the false impression that they do not need to comply with PCI DSS requirements as well. There has also been a false impression that hackers will be content to continue to focus on the retail, restaurant and hospitality industries, which had been low hanging fruit for hackers over the last few years. However, there is no substitute for the type of layered data security measures encompassed by implementing encryption, tokenization and the type of employee training that is required under PCI DSS. Hopefully, the Health Care industry will take heed of the painful lesson experienced by Anthem’s massive and costly breach.

The Year of the Hack


It seems only fitting that 2014 should have ended with the much publicized hacking of Sony, as the American public was inundated all year with one sensational account after another of damaging data security breaches. Those surrounding Target, UPS, K-Mart, Staples, Dairy Queen, and Home Depot have certainly received the full attention of the media, as they should, given their magnitude. However, this publicity masks a much deeper rooted strategy of hackers toward their typical target (with a small “t”). The predominant number of security breaches, up to ninety percent, occur with small merchants such as your neighborhood restaurant, convenience store or clothing boutique. The fact is that the typical operator of a franchise is most often a small business owner and not a large corporate entity. These smaller players simply go out of business or spend years attempting to recover from their losses.

The more telling story is that hackers are successfully penetrating the very backbone of U. S. commerce because these small and medium sized merchants are much more vulnerable as they are considered by hackers to represent low hanging fruit. Rather than resigning themselves to another year of devastating breaches that drain the economy and damage the public trust, this would be a good time for executives to make a New Year’s Resolution that they will take a little time to understand where the underlying vulnerabilities are in their systems and take the relatively simple measures to severely reduce the risks. Credit card companies have developed a comprehensive list of best practices and procedures (Payment Card Industry Data Security Standards best known as PCI DSS) that U.S. merchants are required to apply in an effort to significantly lessen the prospect of hackers gaining entrance to their store’s Point of Sale systems, which act as the gateway and nerve center for merchant commerce. The overriding problem is that banks, card processors, and POS companies have failed to effectively educate merchants on these standards. As hotel managers, restaurant operators and retailers are consumed with the day-to-day challenges of running their businesses, they understandably don’t find the time to do anything but pay cursory attention to related webinars or email blasts on the subject.

The solution really isn’t very complicated. The vast majority of security breaches can be avoided by simply having the merchant understand and apply common sense practices and make a few modest investments in basic security measures. For instance, a significant number of breaches can be eliminated by employees knowing not to use default or simple passwords as well as changing passwords frequently.

Breaking down into plain English and demystifying the basics behind security mechanisms such as firewalls, encryption and tokenization is really not that difficult. Although the ease of a restaurant operator having remote access to their Point of Sale terminal may be very desirable, it can help a hacker gain a path to customer credit card information if not used properly with sufficient authentication measures.
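The two weaknesses named in the last few paragraphs (default or simple POS passwords that are never changed, and remote access to the POS without sufficient authentication) are the kind of thing a small merchant can check for in minutes. The following is an added example written for this page, not a PCI University tool or any POS vendor’s script: it audits a constructed export of POS and remote-access accounts against a constructed default-credential list and reports each account’s findings. The account data, the default-credential pairs and the password-age and length thresholds are all assumptions chosen for illustration, not figures taken from PCI DSS.

```python
# Constructed sample data: a made-up vendor default-credential list and a
# made-up export of a small merchant's POS / remote-access accounts.
KNOWN_DEFAULTS = {
    ("admin", "admin"),
    ("pos", "pos"),
    ("manager", "1234"),
    ("remote", "password"),
}
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "store1"}

ACCOUNTS = [
    {"user": "admin", "password": "admin", "remote_access": True,
     "mfa": False, "last_changed_days": 900},
    {"user": "cashier1", "password": "Summer2015", "remote_access": False,
     "mfa": False, "last_changed_days": 40},
    {"user": "support", "password": "N4x!rT9#qL2v", "remote_access": True,
     "mfa": True, "last_changed_days": 30},
    {"user": "owner", "password": "store1", "remote_access": True,
     "mfa": False, "last_changed_days": 400},
]


def audit_account(acct: dict, max_age_days: int = 90, min_length: int = 12) -> list:
    """Return a list of plain-English findings for one account (empty if clean).

    max_age_days and min_length are assumed policy values for this example.
    """
    findings = []
    if (acct["user"], acct["password"]) in KNOWN_DEFAULTS:
        findings.append("default vendor credential still in use")
    if acct["password"].lower() in COMMON_PASSWORDS:
        findings.append("password is on the common-password list")
    if len(acct["password"]) < min_length:
        findings.append(f"password shorter than {min_length} characters")
    if acct["last_changed_days"] > max_age_days:
        findings.append(f"password not changed in {acct['last_changed_days']} days")
    if acct["remote_access"] and not acct["mfa"]:
        findings.append("remote access enabled without multi-factor authentication")
    return findings


def audit(accounts: list) -> dict:
    """Map each user with at least one finding to that user's findings."""
    report = {}
    for acct in accounts:
        findings = audit_account(acct)
        if findings:
            report[acct["user"]] = findings
    return report


if __name__ == "__main__":
    for user, findings in audit(ACCOUNTS).items():
        print(user)
        for f in findings:
            print("  -", f)
```

In the constructed data only the "support" account passes: it has a long, unique password and uses multi-factor authentication for its remote session. The list of findings maps directly onto the fixes the article recommends: change default credentials, use longer non-dictionary passwords, rotate them, and do not expose the POS remotely without a second factor.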

We have more than adequate security controls available today if they are simply understood and utilized properly. We don’t have to wait until the mass introduction of alternative technology, such as Chip and Pin, to dramatically reduce the volume of breaches. In fact, Chip and Pin is not a silver bullet solution. Merchants must not become complacent and lose sight of the fact that it is necessary to engage in a layered approach to keep their customer data safe, one which incorporates Chip and Pin, encryption, tokenization and employee education.

Small and large merchants alike can cut through the background noise and understand how best to use accessible and effective controls and practices so that more painful data security breaches will not continually be repeated.

Franchises: What You Need to Know


There has been a dramatic proliferation of credit card and security breaches impacting large franchisors. Many of the breaches that impact the Franchisor’s brand and pocketbook emanate from mistakes made within their Franchisee locations. This “weak link” is difficult to plug up, as franchisors are unable to exercise and push down the same security controls and system awareness to their Franchisees as they do with their own employees.

What franchisors have learned is that there is a greater impediment that they face in minimizing the risk of security breaches that is not common to the rest of the corporate world. Thanks to the legal concept of Joint Employer Liability, Franchisors attempt to stay clear of their Franchisees’ day to day operational decisions so that the Franchisor can avoid being sued by a plaintiff’s attorney seeking redress against one of their franchisees for a “local” action or omission. Although this has been an effective approach for Franchisors over the years in other areas, it is more problematic for Franchisors trying to implement a comprehensive plan to better safeguard their enterprise from the immense harm hackers can cause to their brand. As a result, Franchisors are compelled to find trusted third party PCI DSS experts that understand the dilemma and can properly walk the tightrope between Franchisor and Franchisee.

Avoid Paying Expensive Add-on PCI Fees


A number of Card Processing companies add a “PCI Compliance Fee” to merchants’ monthly bills. Oftentimes they are not doing anything more than presenting their commercial customers with something so cursory and basic that it has the effect of lulling their customers into a false sense of complacency and security. There have been too many cases where merchant clients have been breached and learned after the fact that the monthly processing “compliance” fee was nothing but an excuse for the processor to make more money without providing a meaningful or tangible service. Ask your processor precisely what they are doing to justify their add-on fee. Avoid being a victim of the worst kind of rip-off, where companies exploit the real fear of security breaches, economically capitalize on this fear, and leave their customers unduly exposed by failing to offer any real or substantive protection.