We haven't heard about significant data breaches at any retailer's brick-and-mortar lately. In fact, the prevalence of cybercrimes and malware-related incidences has momentarily redirected our attention to payments made through online and wireless channels along with related payment crimes such as social engineering and malware-enabled account takeovers and card data theft. However, according to Verizon's 2012 Data Breach Investigations Report, while most attacks are not related to physical tampering, "there was no shortage of payment card skimming in 2011, and there were notable arrests." In fact, a recent press release from a major book retailer is cause to sharpen our focus on in-store card payments and the use of mag-stripe technology at payment terminals.
Tampering with PIN pad devices in stores
On October 24, 2012, the retailer announced that it had "detected tampering with PIN pad devices used in 63 of its stores" and that it had notified federal law enforcement to support an investigation into the criminal activity. Furthermore, it is working with the banks and payment card network brands to identify potential compromised accounts. Much to the retailer's credit, the press release also outlines precautionary steps consumers should take if they have shopped in any of the impacted stores—namely, changing PINs, reviewing account activity for unauthorized transactions, and notifying banks about unusual or unauthorized activity.
PCI compliance is not enough
How can retailers protect themselves from PIN pad tampering fraud? We explored the growing prevalence of card data breach incidents in a May 2011 post describing how a crafts retailer had experienced card terminal tampering that may have led to customer card data compromise. The post noted that while the Payment Card Industry (PCI) Data Security Council guidelines attempt to address advanced security measures, the vulnerabilities inherent in mag-stripe card technology present serious management challenges. The threats to terminals can come in the form of crime rings, company insiders, or the terminal manufacturers themselves.
Will merchants follow the EMV migration roadmap?
Card network brands separately issued announcements in 2011 and 2012 with their own EMV deployment milestones, which can be viewed as a collective roadmap. A summary of these milestones, grouped by payment network, is included in the October 2012 edition of Smart Card Talk and reproduced below. This publication explains the incentives in the form of audit relief from PCI compliance as well as liability shifts for counterfeit card losses for noncompliant banks and merchants.
However, many industry experts surmise that merchants are willing to take their chances on the potential card fraud losses for such a liability shift, judging them to be lower than the costs involved in terminal replacement for chip card acceptance.
Technology adoption stalemate
Industry participants continue to argue about the inequities in the economics for moving forward to a new security environment enabled with more secure chip-based technology. It is highly likely that there will never be a collective path forward considered fair to all, with the large number of industry players and dichotomies in revenue and cost-sharing expectations. So as the U.S. payments industry keeps moving along the same path, with participants arguing the merits and inadequacies of various deployment options for chip-based payments, we can expect to see more crimes at retailer terminals. These crimes will cause merchants to experience technology costs and even customer loss in unexpected and unpredictable ways. And bank issuers will continue to pay for cleanup in the aftermath, by issuing new cards. Perhaps an analysis of the economics of moving to chip-and-PIN should reflect a higher emphasis on the cost of data breach events and their cleanup efforts in the aftermath.
By Cynthia Merritt, assistant director of the Retail Payments Risk Forum