
Securing the card payments infrastructure

Where are we headed?

July 2014

PwC

Not too long ago, theft of a consumer’s credit or debit card would require physical robbery. It was a job for the daring, and it was a type of crime that didn’t scale well.

That’s all changed. Today, payment card theft and related fraud are usually accomplished electronically by sophisticated criminals who steal account information associated with thousands or millions of payment cards.

Unlike most muggings, digital attacks are meticulously researched. Technically proficient threat actors constantly probe the information systems of merchants and payment processors to identify vulnerabilities that can be exploited. They may then gain access to a payment system through a faulty firewall or by using stolen credentials from employees or third-party vendors.

Once inside the network, they often introduce malware as a means to intercept, log, and store card data while cloaking their activity to avoid detection. The information is then surreptitiously transferred to locations where it can be downloaded for later use or sold on the black market. Those who buy payment card numbers may embed them on counterfeit magnetic-stripe cards to perpetrate card-present fraud or use them in committing card-not-present fraud. In card-present fraud, the spurious cards may be distributed to accomplices who purchase and resell easily fenced items like jewelry and electronics. They continue to do so until the theft is discovered and the cards are blocked.

Key players in the card payments ecosystem

Merchant: Any business that maintains a merchant account with an acquiring bank or with a card brand. The account allows the merchant to accept payments from cardholders.

Acquiring bank (Acquirer): A financial institution licensed by the card network to allow merchants to accept the network’s branded cards. The acquiring bank underwrites merchants and provides a range of services that facilitate card acceptance.

Issuing bank (Issuer): Banks that issue payment cards. They are licensed by the card network and must abide by the network’s rules and operating regulations.

Payment processor: A financial services firm that provides transaction routing and back-office services for merchants in partnership with acquiring banks. These firms often offer back-office transaction processing services for issuers as well.

Card network: A card network is the owner of the card brand name and facilitates the payment process. It governs institutions that issue its cards, and determines where payment cards can be used, establishes bank-to-bank interchange fees, and dictates which technologies are used in the


It will also demand financial investment and cooperation among all entities in the payment ecosystem, including card networks, banks, payment processors, merchants, and even consumers. (See sidebar, “The players in the card payment ecosystem.”) Individual companies may need to update business processes, tighten security controls, expand employee training and awareness, and enhance internal and external communications. Effective cybersecurity dictates that businesses understand the data targets, motivations, and capabilities of their cyber adversaries. It also will be necessary to consider how these threat actors may leverage vulnerabilities in future payments systems. In other words, security and business leaders should be prepared to “think like a cybercriminal.” That will be no small feat, given that they are among 21st century’s most adaptive class of innovators.


This type of digital theft has become increasingly common in the US, despite deeper investments in information security. According to PwC’s Global Economic Crime Survey 2014, cybercrime is now the fourth-most reported type of economic crime, and 71% of US respondents say the risk of cybercrime has increased over the past 24 months.[1] Our research also shows that among US companies that had detected a security incident in the past year, 27% said customer data had been compromised, the second most cited type of incident according to The Global State of Information Security® Survey 2014.[2]

Not surprisingly, the costs associated with data breaches continue to climb. In 2013, US organizations spent $5.8 million per company to mitigate data breaches, an increase from $5.4 million the year before, according to the Ponemon Institute’s 2014 Cost of a Data Breach Study.[3]

As data theft grows more frequent, targeted, and costly, safeguarding card payment systems has become a top business priority. Strong security will require implementation of new microprocessor-based payment cards and supporting information systems.

[1] PwC, Global Economic Crime Survey 2014, February 2014

[2] PwC, Global State of Information Security® Survey 2014, September 2013


Out of the breach: Moving to a more secure environment

A string of recent breaches has spurred stakeholders in the US card payments industry to strengthen the security of the payments infrastructure and implement a more advanced standard for cards.

Most payment and debit cards in circulation in the US employ magnetic-stripe technology, which was developed in the 1970s. The magnetic stripe on the back of the card comprises tiny bar magnets that can store information such as the primary account number (PAN), card expiration date, and discretionary data determined by the card issuer. When a card is swiped, a merchant’s card reader transmits cardholder account information embedded in the stripe to a card-processing network.

The global standard for payment card technology, however, is a more secure microprocessor-based system referred to as EMV, short for Europay, MasterCard, and Visa, the organizations that created the specification. The EMV standard entails more than the card format: It ensures interoperability between EMV cards and EMV-compliant card payment terminals. The cards contain an embedded microprocessor that protects customer data by creating and encrypting a unique code for each transaction. As a result, they are much less vulnerable to compromise compared with magnetic-stripe cards.

Not only are EMV cards more resistant to compromise and counterfeit, but the chip technology also makes it possible to embed on a single card multiple payment applications—debit and credit, for instance—and nonpayment applications such as loyalty points and membership accounts. Issuers also can remotely manage cards: If a card is reported stolen, the issuer can remotely block the account; if the card is subsequently found, the issuer can unblock the card. A further benefit for consumers is that adoption of EMV technology will enable travelers to use their US-issued cards abroad.

Today, a very small percentage of payment and debit cards in the US employ the EMV standard. But several major card networks have begun migration to the chip-based EMV standard and have set an October 15, 2015 deadline for implementation of EMV technologies. (Gas station owners will have until October 1, 2017 to migrate to EMV.) Thereafter, fraud liability will shift to the party that is not EMV-compliant. By the end of 2015, an estimated 70% of US credit cards and 41% of debit cards will be EMV-enabled, according to the Aite Group, a financial services research firm.[4]

Chinks in the armor: How breaches occur

2007
The crime: Several large retailers hacked by an organized group of criminals
The tactics: SQL injection and malware that enabled perpetrators to gather data from magnetic stripes
The take: 160 million payment cards compromised
The cost: $100 million

2008
The crime: A major payment processor’s network infiltrated
The tactics: SQL injection and malware
The take: 130 million payment cards compromised
The cost: $140 million

2009
The crime: A payment processor’s system for payroll debit cards hacked
The tactics: Increased account limits of debit cards and created counterfeit cards used to withdraw cash from ATMs
The take: $9 million stolen from ATMs and 1.5 million payment cards compromised
The cost: Unavailable

2012
The crime: A payments processor’s network hacked
The tactics: Unauthorized access to the payments processing system
The take: 1.5 million payment cards compromised
The cost: $94 million

2013
The crime: A large retailer infiltrated via stolen credentials of a third-party vendor
The tactics: Malware to corrupt credit- and debit-card readers in physical stores
The take: 70 million payment cards compromised
The cost: $200 million


The challenges of change

Clearly, the migration from magnetic stripe to chip-based technology is no longer a matter of if, but when. This migration will require a concerted effort—and perhaps considerable patience.

The cost to upgrade the payments infrastructure may be significant. Merchants, in particular, may be required to make investments in upgrading their payment terminals; those that do not currently accept PIN debit cards will need to add PIN pads or secure terminals. It may be an expensive initiative: The cost to buy, deploy, and integrate EMV hardware has been estimated at an average of $500 per terminal.[5] Beyond the point of sale, merchants and others in the payment industry may need to upgrade back-office software and authorization systems. Even the cards themselves will add expenses: The cost to produce EMV cards can top $2 each, while magnetic-stripe cards can be manufactured for as little as 8 cents apiece.[6]

Legal and judicial matters further complicate the migration to EMV. An amendment to the Dodd-Frank Act of 2010, for instance, ensures merchants a choice of two or more unaffiliated debit networks. This stipulation, which was designed to lower merchants’ debit card-acceptance costs, is relatively easy to accommodate with magnetic-stripe cards. But EMV cards employ proprietary applications, and transactions must be routed through the network that owns the technology. As a result, processing standards will need to be modified to support more than one network.

Finally, the individual cardholder may present certain challenges. Some consumers enthusiastically embrace technology innovations, and those who frequently travel abroad may be eager to use cards that are accepted globally. Most, however, are satisfied with the status quo and may resist change. New EMV cards may require customer education, especially if a signature is no longer required. What’s more, consumers who have multiple cards and PINs may find elimination of signature backup frustrating if they are required to memorize several PINs.

Adding encryption and tokenization to strengthen EMV security

The implementation of chip-based payment and debit cards will not fully secure the payments infrastructure. But two technologies—encryption and tokenization—used in conjunction with EMV can help merchants create an environment that is more impervious to cybercriminals.

Encryption can help merchants protect captured cardholder data while the transaction is being authorized. This technology transforms plain-text information into unreadable cipher text using an encryption key, which specifies how the text is encoded. Decrypting the information and returning it to readable text requires a decryption key.

Encryption has been used for years to protect data “at rest,” such as information stored in databases. Point-to-point, or session, encryption is a less prevalent technology that protects data “in motion” by encrypting the communication path in which the transaction flows from the merchant to the payment processor, as well as within the merchant’s POS ecosystem. This type of protection is increasingly critical because many data breaches have captured cardholder information while it is in transit.

Tokenization helps merchants protect and safely store cardholder data after a transaction has been authorized. This technology replaces card data with random identification values called tokens. Once authorization is approved, payment data is routed to a secure server for storage. The merchant—and only the merchant—can then use the token in place of the card number to initiate subsequent authorization transactions as well as other internal financial and reconciliation processes. The actual card number is no longer stored in the merchant environment.
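The following Python is an added example, not code from the PwC paper, that puts two passages above side by side: the magnetic-stripe section (a stripe carries the PAN, expiry date and issuer discretionary data in the clear) and the tokenization section (a vault replaces the PAN with a random token, and the merchant keeps only the token). It parses a constructed Track 2 record in the ISO/IEC 7813 layout, validates the PAN’s Luhn check digit, tokenizes it, and shows that the merchant-side record retains no PAN. The sample track, the `tok_` token format and the `authorization-gateway` role name are assumptions made for this example.

```python
import re
import secrets
from dataclasses import dataclass

# Constructed sample, not a real card: a Track 2 record as a stripe reader emits it
# (ISO/IEC 7813 layout: ';' PAN '=' YYMM service-code discretionary-data '?').
# 4111111111111111 is a well-known test PAN that passes the Luhn check.
SAMPLE_TRACK2 = ";4111111111111111=27121011234567890?"

TRACK2_RE = re.compile(
    r"^;(?P<pan>\d{13,19})=(?P<yy>\d{2})(?P<mm>\d{2})"
    r"(?P<service>\d{3})(?P<disc>\d*)\?$"
)


def luhn_valid(pan: str) -> bool:
    """Mod-10 check-digit test; rejects mangled reads before anything is stored."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


@dataclass(frozen=True)
class Track2:
    pan: str
    expiry_yy: str
    expiry_mm: str
    service_code: str
    discretionary: str


def parse_track2(raw: str) -> Track2:
    """Everything on the stripe is plaintext; this is the full set a reader sees."""
    m = TRACK2_RE.match(raw)
    if not m:
        raise ValueError("not a well-formed Track 2 record")
    if not luhn_valid(m["pan"]):
        raise ValueError("PAN fails Luhn check")
    return Track2(m["pan"], m["yy"], m["mm"], m["service"], m["disc"])


class TokenVault:
    """Stands in for the 'secure server' of the text: the only place the PAN lives.

    Tokens are random, not derived from the PAN, so a leaked token table reveals
    nothing about the cards; the same PAN always maps to the same token so the
    merchant can reconcile repeat customers without ever holding the PAN.
    """

    def __init__(self):
        self._pan_by_token = {}     # a real vault keeps this store encrypted
        self._token_by_pan = {}

    def tokenize(self, pan: str) -> str:
        if pan in self._token_by_pan:
            return self._token_by_pan[pan]
        token = "tok_" + secrets.token_hex(12)
        while token in self._pan_by_token:          # vanishingly unlikely collision
            token = "tok_" + secrets.token_hex(12)
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str, caller: str) -> str:
        # Only the authorization path may recover a PAN. 'authorization-gateway'
        # is a hypothetical role name chosen for this example.
        if caller != "authorization-gateway":
            raise PermissionError(f"{caller!r} may not detokenize")
        return self._pan_by_token[token]


def process_swipe(raw_track2: str, vault: TokenVault) -> dict:
    """Merchant-side handling: parse, tokenize, keep only what the merchant needs."""
    track = parse_track2(raw_track2)
    token = vault.tokenize(track.pan)
    # What the merchant stores: no PAN and no discretionary data, only the token
    # plus fields that may be kept in the clear (truncated PAN, expiry).
    return {
        "token": token,
        "last4": track.pan[-4:],
        "expiry": f"{track.expiry_mm}/{track.expiry_yy}",
    }


if __name__ == "__main__":
    vault = TokenVault()
    record = process_swipe(SAMPLE_TRACK2, vault)
    print("merchant record:", record)
    print("gateway sees:", vault.detokenize(record["token"], "authorization-gateway"))
```

The design point worth noticing is that `process_swipe` never returns the PAN: a merchant database built from its output contains nothing a card counterfeiter can use, while the authorization path can still recover the PAN through the vault’s role-checked `detokenize`.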


[5] Javelin Strategy & Research, EMV in USA: Assessment of Merchant and Card Issuer Readiness, April 2014

[6] Celent, EMV Migration in the US Progress Report: What Progress?, November 2013


Developing a comprehensive security strategy

Improved payment card security is indisputably critical to merchants, banks, payment processors, card networks, and consumers alike. As with most information security challenges, there will be no quick and easy fix.

Effective security for card payment systems will require a layered approach that is implemented over time. A security strategy should combine technology with the appropriate controls, processes, training, and organizational structures that can help minimize breaches and ensure rapid response when incidents do occur. It will require that businesses:

• Improve monitoring and detection: Companies should sharpen their ability to quickly detect fraudulent activity, which is often not discovered for months after an infiltration occurs. Sophisticated data analytics and forensic techniques, coupled with advanced out-of-band intelligence, can help companies detect breaches early and prevent further encroachment and damage.

• Defend customer data: It is no longer possible to protect all data at the highest level, but customer information should be a priority. To do so, businesses should ensure that payment systems and data are physically segmented, applications that access payments systems and data are strictly limited to employees based on business needs, and employees who have access to customer information are assigned a unique ID.

• Strengthen fraud training and education: It is critical that businesses implement thorough employee training and awareness programs that emphasize detecting and responding to fraud.

• Centralize security: Cybercriminals exploit vulnerabilities that can occur when security responsibilities are distributed and are not aligned and coordinated across the business ecosystem. A centralized security program can help strengthen security.

• Make security an executive-level responsibility: Security is a business-critical issue that should concern the entire organization—and particularly executive leadership. Top executives and the Board of Directors should be actively involved in security strategy, processes, and risks.

• Employ breach-indicator tools: While criminals develop and constantly fine-tune malware that can elude detection, an intrusion often leaves behind clues known as breach indicators. Breach indicator tools gather data elements that can be forensically analyzed and compared with known breach indicators from past and ongoing cybercrime investigations.

• Communicate with customers: Businesses should enlist customers to help monitor for fraud through an open dialog on risks and common tactics.

• Think like a criminal: Cybercriminals actively monitor and test payment systems for vulnerabilities. Companies should do the same by assigning teams to poke holes in their systems and conduct scenarios to identify areas of weakness.

These steps will help businesses proactively address risks to the card payments infrastructure and prepare to adopt EMV technologies. They will not, however, guarantee that cardholder data is absolutely safe from cybercriminals. Today’s persistent and technically audacious threat actors make it their business to continually identify and exploit potential weaknesses of every link in the hyper-connected payments infrastructure chain. The challenge for security professionals and the payments industry will be to stay one step ahead of these cybercrooks. Doing so will require constant vigilance and a top-down commitment to devising and deploying technologies and processes to predict and detect risks.


To have a deeper conversation, please contact:

David Burg, Principal, US and Global Cybersecurity Leader, [email protected]

Michael Compton, Principal, Cybersecurity Strategy and Operations, [email protected]

Peter Harries, Principal, Health Industries, [email protected]

John Hunt, Principal, Public Sector, [email protected]

Mark Lobel, Principal, Technology, Information, Communications and Entertainment, [email protected]

Gary Loveland, Principal, Consumer and Industrial Products and Services, [email protected]

Shawn Panson, Partner, Risk Assurance, [email protected]

Andrew Luca, Principal, Financial Services, [email protected]

Joe Nocera, Principal, Financial Services, [email protected]

Chris Morris, Principal, Financial Services, [email protected]

Shawn Connors, Principal, Financial Services, [email protected]

Pieter Penning, Principal, Technology, Information, Communications and Entertainment, [email protected]

Gregory Holmes, Director, Financial Services, [email protected]

www.pwc.com/cybersecurity

www.pwc.com

PricewaterhouseCoopers has exercised reasonable care in the collecting, processing, and reporting of this information but has not independently verified, validated, or audited the data to verify the accuracy or completeness of the information. PricewaterhouseCoopers gives no express or implied warranties, including but not limited to any warranties of merchantability or fitness for a particular purpose or use and shall not be liable to any entity or person using this document, or have any liability with respect to this document. This report is intended for internal use only by the recipient and should not be provided in writing or otherwise to any other third party without PricewaterhouseCoopers express written consent.

© 2014 PricewaterhouseCoopers LLP, a Delaware limited liability partnership. All rights reserved. PwC refers to the US member firm, and may sometimes refer to the PwC network. Each member firm is a separate legal entity. Please see www.pwc.com/structure for further details. This content is for general information purposes only, and should not be used as a substitute for consultation with professional advisors.
