Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.
Federal Reserve Web Sites
Other Bank Regulatory Sites
May 31, 2011
Stemming the rising tide of card breach incidents: PCI compliance or chip-and-pin?
Incidents of card data breaches continue to rise despite industry efforts to safeguard customer payment information in transactions with merchants. Arts and crafts retailer Michaels was the most recent target of a large data breach. The company announced on May 4 that several of its stores, including three in Atlanta, had been victimized by card-terminal tampering and that customer credit and debit card information might have been compromised. The tampering activity enabled card data skimming, a scheme used to clone cards to create new counterfeit cards or to make payments online illegally using the customer's stolen identity.
The Payment Card Industry (PCI) Data Security Council guidelines have promoted advances in the way the industry addresses card data security–but in many ways, the PCI guidelines are necessary, unfortunately, because of cards that use mag-stripe technology instead of the more secure chip-and-pin technology, a subject we've blogged on before. With this in mind, is it time to reexamine the long-term effectiveness of PCI guidance as a mitigation solution for payment card skimming fraud?
The growing incidence of skimming schemes
Many are the potential ways for criminals to gain access to card data from credit or debit card transactions today. For example, criminals use various forms of social engineering to install malware over the Internet on victims' PCs to gain access to personal and financial information that they can use to commit payments crimes. Another increasingly worrisome method is card skimming, a scheme that takes place at an ATM or a merchant's handheld or stand-alone point-of-sale terminal. The criminal either embeds an overlay device in the existing point-of-sale card reader to harvest card data or replaces the pin pad altogether by swapping it for a bogus reader to collect card data. Data-skimming breaches give criminals access to the card information necessary to commit identity theft, create counterfeit cards, or use the card information online for illegal purchases.
Bankinfosecurity.com describes the growing prevalence of skimming and payment fraud in an interactive 2010 timeline updated through October 2010. The timeline describes reported skimming events and how the businesses and financial institutions were attacked.
The PCI security standards council has developed guidelines for retailers to best protect point-of-sale card readers to prevent card skimming, including how to detect device tampering. As schemes become increasingly sophisticated, however, these guidelines will likely be less and less effective—a possibility that should give the industry pause to reconsider the value of PCI compliance guidance in light of risk mitigation alternatives, such as a migration to chip-and-pin card technology.
Mag-stripe technology and global crime rings: A perfect storm
The continued shift of retail payments from paper to electronic formats makes online channels attractive targets for sophisticated global crime rings. In fact, the 2010 Data Breach Investigations Report published by Verizon attributes 85 percent of compromised records to organized criminal groups. These groups have established their own illicit marketplaces and online forums that serve as social networks for exchanging black market data harvested in skimming schemes and information on criminal services. The development of this geographically expansive criminal infrastructure online presents global challenges to law enforcement charged with investigation and prosecuting these crimes. In the future, as credit and debit card data become increasingly valuable commodities for these black marketplaces, merchants and financial institutions will likely be challenged by more advanced skimming schemes and possibly more expansive data breaches.
Fighting skimming fraud is challenging but so is technology change
The vulnerabilities inherent in mag-stripe technology are expected to contribute to ongoing skimming attacks in the future, not to mention the associated credit and debit card losses. Other countries, including Canada and many in Europe, that have converted to the EMV chip technology standard have effectively mitigated skimming. (EMV technology relies on an embedded microchip for data storage on the card instead of the magnetic stripe.) As more countries employ EMV, skimming in the United States is expected to rise. In fact, according to a recent article from bankinfosecurity.com, "...skimming has become a staple of Eastern European criminal gangs, who recognize the U.S. is one of the last holdouts on chip and PIN."
However, as my colleague Doug King noted in an earlier post, "the bad news for the United States is that a coordinated effort to migrate to EMV would be very challenging" because of our large number of card networks and payment card issuers, as well as the multitude of acceptance locations in the marketplace. For now, market participants—and in particular, the merchants—will need to be on guard against increasingly sophisticated skimming schemes perpetrated by organized crime rings.
By Cindy Merritt, assistant director of the Retail Payments Risk Forum
May 31, 2011 | Permalink
TrackBack URL for this entry:
Listed below are links to blogs that reference Stemming the rising tide of card breach incidents: PCI compliance or chip-and-pin?:
- EMV Comments That Make Me Cringe
- Taking a Quantum Leap into Payment Security
- Looming Questions with the Rollout of NACHA's Mandated Same-Day ACH Rules Change
- AdmiNISTering Passwords: New Conventional Wisdom
- Mobile Banking and Payments—What's Changed?
- Risk Mitigation Isn't Just for Banks
- The Simple Consider Three but Four is the Key
- As with Nuclear Disarmament, So with ACH: Trust, but Verify
- The Personal Cost of Fraud
- When Fraud Hits Home: Questioning Today’s Authentication Methods
- October 2016
- September 2016
- August 2016
- July 2016
- June 2016
- May 2016
- April 2016
- March 2016
- February 2016
- January 2016
- account takeovers
- ATM fraud
- bank supervision
- banks and banking
- card networks
- check fraud
- consumer fraud
- consumer protection
- cross-border wires
- data security
- debit cards
- emerging payments
- financial services
- identity theft
- law enforcement
- mobile banking
- mobile money transfer
- mobile network operator (MNO)
- mobile payments
- money laundering
- money services business (MSB)
- online banking fraud
- payments risk
- payments study
- payments systems
- phone fraud
- remotely created checks
- risk management
- Section 1073
- social networks
- third-party service provider
- trusted service manager
- Unfair and Deceptive Acts and Practices (UDAP)
- wire transfer fraud
- workplace fraud