Why Employees Are the Last Line of Defense Against New EMV Card Fraud

November 10, 2015
By: Tom Pendergast

The October 1 EMV deadline is finally upon us, but the banking and retail industries have been painstakingly preparing for years. Along the way we’ve experienced some pretty stark wake-up calls – like the Target and Home Depot breaches – reminding us that we can’t delay the transition any longer. And now the U.S. officially joins the rest of the developed world in deploying the new chip-based payment cards with the promise of making purchases at the check-out counter more secure.

It’s time for the CSOs and security staff at banks and retailers to pull out the balloons and streamers, right? After all, counterfeit card fraud is expected to drop by 51% or $1.8 billion due to the introduction of EMV chips, according to Aite Group. But as many of you already know, our work has just begun. While counterfeit card fraud will significantly drop, card-not-present (CNP) fraud – fraudulent payments made via the internet, fax, mail, or phone – is expected to jump by 106% or $3.3 billion.

On top of that, lost-and-stolen card fraud will continue to escalate with chip-and-signature (not chip-and-PIN) as the primary cardholder verification method for EMV cards. Aite calculates that lost-and-stolen card fraud will reach $1 billion by 2018. We can debate the wisdom of issuing chip-and-signature versus chip-and-PIN cards, but the fact is the banks and financial services industries have already decided for us by issuing primarily chip-and-signature cards over the last several months. What businesses need to do now is educate themselves about what’s next and how best to prepare.

All we have to do is look at our global counterparts to understand the new vulnerabilities that come with EMV adoption. After the introduction of EMV in Europe, online credit and debit card fraud rates there doubled from pre-EMV levels. Additionally, CNP fraud accounted for an alarming 60 percent of total fraud incidents across Europe in 2012 and, at the time, was projected to increase in 2013 and 2014.

The U.S. will be no different, that is, if we don’t learn from our global counterparts. Data protection planning and execution is a lot like squeezing a balloon: just as technologies improve, the attack surface shifts. With a more fraud-proof card technology, criminals will turn to the path of least resistance, which in many cases will be the unsuspecting or poorly-trained employee. With more and more fraud moving to CNP, technology alone isn’t enough to protect cardholder data. As before, retail and financial services employees will be a last critical line of defense against a new wave of payment card fraud.

While it may seem basic, many of the fundamentals of PCI Compliance are vital for employees tasked with handling and processing payment card data in this era of CNP fraud. For example:

  • Processing Transactions: When processing payment card transactions, using cardholder data obtained via phone, fax, e-mail, online, or any other instance where the physical payment card is not present, employees must understand how to secure the information received and verify the identity of the payment card owner. There are several red flags employees must understand and practice using so they can assess possible payment card fraud.
  • Responding to Fraud: Employees must understand protocols for alerting supervisors if they have any suspicions about the validity of a payment card or a person’s behavior. They should not alert the person without consulting with their supervisor first.
  • Retention, Access, Distribution: Some tried and true principles for protecting cardholder data remain: employees should be retaining only the cardholder data needed for business, legal, or regulatory purposes; protecting cardholder data by allowing access only to the people who have a “need to know”; and distributing cardholder data to other departments and third parties only under approved conditions.

The problem many organizations face is not distributing these kinds of guidelines to employees; it is translating these fundamentals into knowledge that leads to real behavior change and ultimately, cultural change. The only way the retail and financial services industries can achieve a risk-aware culture is through a well-designed awareness training and reinforcement program that helps build security-minded habits and behaviors. Many of the retail companies we work with have been ramping up their employee risk-awareness programs to ensure strong PCI compliance thraud associated with the introduction of the new payment cards.

A risk-aware culture starts from the top down, which is why it is important for every employee, from executives to entry-level staff, to participate in training. Comprehensive training and reinforcement is important because employees are only as smart as their most recent training; it takes adaptive, ongoing training to address the concerns that tomorrow’s security challenges bring.

Retailers who understand this recognize the coming era of payment data protection requires a twofold solution: better technology and better-trained employees. Achieving excellence in security awareness isn’t simply a matter of presenting information in an annual company meeting. Just knowing something isn’t enough to cause change. The only way companies can expect sustainable behavior and cultural change is for employees to feel something. They have to be motivated. They have to understand and connect with the importance of achieving the goal. And then they have to continually practice it.

The same holds true with the rollout of EMV. While it is certainly a more secure step forward for the payment industry, to truly advance towards a more secure payment ecosystem, we must work even harder to secure the employee.