New Payment Card Security Standards May Redirect Hackers Online

By Dave Zielinski Jan 30, 2015

The rollout of new chip-enabled credit cards to meet an Oct. 15, 2015, deadline in the U.S. will give retailers a welcome new security protection against identity fraud.

Known as the Europay, MasterCard and Visa (EMV) standard, the technology will replace magnetic stripes on cards with a unique code for each transaction. Banks and credit card issuers are pushing through a “liability shift” making U.S. merchants liable for any fraud that results from transactions on systems that are not EMV capable. If hackers breach a payments system, they’ll no longer have access to valuable customer information. Such chip-enabled cards have been used in Europe for more than a decade.

But while the technology will reduce fraud at the point-of-sale, security experts said its implementation shouldn’t cause companies to rest easy. That’s because hackers will likely redirect their efforts to other areas of vulnerability in organizations’ e-commerce, cloud or mobile channels.

“EMV does not protect against security breaches that occur after point-of-sale, where most large-scale breaches in the U.S. are occurring,” wrote the authors of a November 2014 report on cybersecurity from Forrester Research.

Because EMV technology doesn’t prevent fraud in online or mobile channels, it could indirectly cause security breaches in those channels to rise, as it did in Europe and Canada following their transition to EMV, according to the report.

“I think we’ll see the same trend in the U.S. that happened in those regions,” said Eric Knight, CEO of SimpleWan, a cloud-based firewall company in Phoenix. “Hackers are about finding masses of data and points of greatest vulnerability. The more data they can get their hands on, the greater chance they’ll find something of value.”

Troy Leach, chief technology officer at the PCI Security Standards Council in Wakefield, Mass., said he has seen hackers shift their attention to other channels in markets where EMV cards are prevalent. “Implementing EMV doesn’t do away with the need for secure passwords, patching systems, monitoring for intrusions, managing access and educating employees” about good security practices, Leach said.

Companies will have plenty at stake as undaunted hackers begin to probe new network access points. Those risks include legal liability as well as the potential loss of sensitive data or damage to corporate reputations, said Al Saikali, a privacy and data security attorney with Shook, Hardy & Bacon in Miami, Fla.

“A company’s legal obligations are triggered any time there’s been unauthorized acquisition of personal information,” Saikali said. “That doesn’t just include credit card information, it includes employee information and customer information as well.”

How to Bolster Security

One of the best ways to protect sensitive HR or company data in this new environment is to follow payment card industry (PCI) protocols, according to security experts. The new PCI data security standard version 3.0, which features a self-assessment questionnaire to validate security practices, went into effect on January 1, said Leach.

Because it focuses on protecting overall data security, the PCI standard is particularly important during the gradual global adoption of the EMV chip, Leach said. “Combined with the fraud protections offered by the EMV chip at the point-of-sale, the PCI standard provides merchants with the comprehensive controls to secure card data in all environments,” he said.

One of the biggest changes in PCI version 3.0 from earlier iterations is a requirement for more companies to undergo what’s known as penetration testing. That means they have to verify methods used to segment the cardholder data environment from other areas of their computer networks, adhering to an industry-accepted testing methodology.

“Simply put, your computer system that is processing credit cards shouldn’t be on the same network as your other systems and it shouldn’t have regular access to the open Internet,” said Knight. “It should be segmented from the rest of the network like corporate e-mail systems and the like.”
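A segmentation check of the kind the new penetration-testing requirement asks for, written as an added example for this article (not PCI Council or SimpleWan code): it evaluates a constructed firewall policy against the two rules Knight states, no path from corporate systems into the cardholder data environment (CDE) and no CDE egress to the open Internet, and reports every violating path. All addresses and rules are hypothetical.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Rule:
    src: str             # source CIDR
    dst: str             # destination CIDR
    port: Optional[int]  # None matches any destination port
    action: str          # "allow" or "deny"

def matches(rule: Rule, src_ip: str, dst_ip: str, port: int) -> bool:
    return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(rule.dst)
            and (rule.port is None or rule.port == port))

def evaluate(rules: List[Rule], src_ip: str, dst_ip: str, port: int) -> str:
    """First-match firewall semantics; anything not explicitly allowed is denied."""
    for rule in rules:
        if matches(rule, src_ip, dst_ip, port):
            return rule.action
    return "deny"

def segmentation_findings(rules, corp_hosts, cde_hosts,
                          internet_probe="203.0.113.10", ports=(22, 443, 3389)):
    """Report every path that breaks the two segmentation rules quoted above:
    corporate hosts must not reach the CDE, and the CDE must not reach the Internet."""
    findings = []
    for corp in corp_hosts:
        for cde in cde_hosts:
            for port in ports:
                if evaluate(rules, corp, cde, port) == "allow":
                    findings.append(f"corporate host {corp} can reach CDE host {cde}:{port}")
    for cde in cde_hosts:
        if evaluate(rules, cde, internet_probe, 443) == "allow":
            findings.append(f"CDE host {cde} has egress to the Internet ({internet_probe}:443)")
    return findings

# Constructed sample environment (hypothetical addresses, not from the article).
CORP_HOSTS = ["10.10.0.7", "10.10.0.8"]    # e-mail, analytics, workstations
CDE_HOSTS = ["10.20.0.10", "10.20.0.11"]   # payment-processing segment
WEAK_RULES = [                              # flat network: one big allow, plus open egress
    Rule("10.0.0.0/8", "10.0.0.0/8", None, "allow"),
    Rule("10.0.0.0/8", "0.0.0.0/0", None, "allow"),
]
HARDENED_RULES = [                          # segmented: only named paths are open
    Rule("10.10.0.5/32", "10.20.0.0/24", 22, "allow"),      # one admin jump host, SSH only
    Rule("10.20.0.0/24", "198.51.100.0/24", 443, "allow"),  # CDE to payment processor (hypothetical range)
]
```

Against WEAK_RULES every corporate-to-CDE probe and both egress probes are reported; against HARDENED_RULES the list is empty.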

Although the well-documented December 2013 breach at Target originated through one of that company’s third-party vendors, Knight said Target might have prevented the intrusion had it followed those best-practice compliance protocols. “If they were following that compliance to the letter, the hackers shouldn’t have been able to hop from the vendor’s system over to the credit card network with that kind of ease,” he said.

The best security intentions can sometimes break down in the midst of bottom-line business decisions, said Thomas Fischer, a senior security architect with Digital Guardian, a security company featuring single endpoint solutions in Waltham, Mass.

“A business decision-maker might come along and say, ‘We need data in real time so we can analyze it to adjust our prices for maximum profitability, and to do that we have to link our payment systems to our data analytics or other systems,’ ” Fischer said. That’s where IT or human resource information technology leaders need to stress the importance of PCI compliance and the secure partitioning of network systems, he said.

Security experts say it will be increasingly important for companies to create policies that categorize their most sensitive data and protect it accordingly. Equally vital is having the right governance policies in place—determining who has access to what data—and educating employees about good security practices, such as never downloading things like payroll data to unsecure tablets, laptops or USB devices.

Knight pointed to the recent insider breach of client data at Morgan Stanley as an example of the need for strong governance policies. The Wall Street Journal reported that the wealth-management company fired one of its financial advisers after he was suspected of stealing account data on hundreds of thousands of clients and posting it for sale online.

“If you look at the Morgan Stanley breach, the fact an employee at that level had so much access to sensitive account information may have been a policy issue,” said Knight.

New Technologies Gain Traction

It’s not only EMV cards that will give companies greater security protections. The Forrester Research report projects that biometrics will be more broadly tested in 2015 as a way to prevent fraud by authenticating consumers when they’re making payments or accessing accounts. Use of voice and facial recognition, as well as fingerprinting, will grow as a function of the smartphones, tablets and wearables commonly used in those transactions, according to the report.

The Forrester report also said there will be growing interest in use of tokenization to make payment systems more secure in purchases made online. Popularized by Apple Pay, tokenization transforms a 16-digit credit card number into a token, meaning customers’ personal payment data is never stored with a merchant or passed through its back-end computer systems.

“I see more companies moving toward use of tokenization, and I think Apple Pay and others that provide a similar service will continue to grow,” said Saikali.

Dave Zielinski is a freelance business journalist in Minneapolis.
