Not a Silver Bullet: Closing EMV’s Security Gaps

August 10, 2015         By: Andrew Avanessian

If you’re not hearing about EMV (or chip-and-PIN) enough already, you’ll be bombarded with the term in the coming months as the EMV deadline looms ever closer. EMV is the newer type of credit card containing a data-encrypted chip said to be more secure than the magnetic stripe currently found on most cards. If merchants can’t authenticate these chip-card transactions by October 1st this year, they will be the ones held liable for fraudulent transactions (rather than the credit card providers, who carry that liability currently).

For security-conscious consumers that are still haunted by the now-famous breaches at Target and Home Depot, the industry’s transition to EMV is a reason to celebrate. But is all the buzz about EMV jading us?

The idea that EMV will bring businesses the safest payments system possible is a concerning misconception. While it’s certainly more secure than processes we have in place currently, EMV is not, by any means, a silver bullet to security.

Transition Costs Mean Adoption will be Slow

With the liability-shift deadline just a few months away, merchants are naturally under pressure to start upgrading their point-of-sale (POS) terminals to make sure they are up to date with EMV technology. But upgrading all POS systems will not happen overnight. In fact, Forrester Research noted that EMV won’t be broadly accepted in the United States until around 2020.

This is because even after the deadline, the magnetic stripes that were present on older types of credit cards will continue to exist within the new cards for some time before they are completely phased out. With that in mind, not all businesses will be so quick to upgrade their POS terminals, especially since this process can be time intensive and potentially very costly. For instance, while normal card-only terminals can cost anywhere from $100 to $500, more integrated POS terminals with capabilities like inventory management and customer statistics management may run into the thousands of dollars.

Additionally, transitioning to EMV will require more than simply upgrading card equipment. Once this is done, businesses must ensure that they’re continuously in compliance with EMV standards. Adherence will be easier if organizations purchase EMV software, which adds yet another cost to the transition process.

Full roll-out is expected to be slow and expensive, but businesses should not put off their transition and should start as soon as possible. With data breaches becoming so frequent in the public eye, today’s consumers are becoming increasingly security conscious. Soon, people will be looking for and preferring to shop at retailers that have EMV in place, over those that don’t.

It Only Protects Against Card-Present Fraud

Despite all the security benefits that EMV touts, its protection is still relatively limited in scope – especially when you consider how advanced today’s hackers are.

EMV was designed to prevent card counterfeiting, which means that it can only protect consumers when a card is physically present and interacting with an EMV-enabled POS terminal. But what about card-not-present fraud? Unfortunately, EMV does not protect online or telephone payments.

Brick-and-mortar retail dominates the consumer shopping experience, but online shopping remains massively popular. Millennials – arguably the least security-conscious demographic – spend around $2,000 annually (per individual!) on e-commerce. That translates into millions of dollars’ worth of payments that will go unprotected by these new EMV standards. Fraudsters will be aware of EMV’s card-not-present limitation and will likely shift their attack schemes to target online payments, compromising information using sophisticated malware exploits.

In fact, we’re seeing this happen already. In Europe, where EMV was rolled out several years ago, the deployments of these new cards and POS terminals were correlated with increases in card-not-present fraud. In France specifically, payment card-present fraud dropped by 35 percent between 2004 and 2009 after the implementation of EMV, but card-not-present fraud losses increased more than 360 percent in that same time span!

It’s not just the credit card details that cybercriminals are poaching for online either. Companies gather huge amounts of data about their patrons, like names and email addresses – the key ingredients to targeted phishing scams.

Plugging EMV’s Security Holes

For merchants, defense-in-depth is essential as the industry slowly runs up to EMV. And it will be just as important once EMV is widely rolled out as well, to make up for its gaps in security – particularly, malware-driven fraud in card-not-present scenarios.

Retail IT teams should look to implement defense-in-depth measures like privilege management, application whitelisting and operating system patching.

Providing IT system administrators with standing privileges is extremely risky, since malware often seeks out privileged accounts to enter a system and spread across the network. Privileges should be limited to the point where system admins have only the privileges they need to do their jobs – for instance, in responding to break-fix scenarios, like an e-commerce website outage. Limiting privileges also narrows the scope of phishing attacks that follow from compromised contact information, by preventing at-risk privileged users from opening and downloading content that hosts exploits.

Application whitelisting adds more control to the IT environment by letting only trusted applications and software run, according to configured policies, while unauthorized applications are blocked.
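To make the two controls above concrete, here is an added example (not code from the original article, and not Avecto’s product) of how a default-deny application whitelisting policy is evaluated. The rule types (hash, publisher, path allow and path deny), the policy contents, the executable metadata and the file contents are all constructed for illustration; a real deployment would hash the binary on disk and take the publisher from a verified code signature. The sample also shows why path-based allow rules depend on privilege management: a path rule trusts a location, so it only holds if ordinary users cannot write to that location.

```python
import hashlib
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class Executable:
    """Constructed stand-in for a binary a retail workstation tries to launch."""
    path: str
    publisher: str   # assumed to come from a verified code-signing certificate ("" = unsigned)
    content: bytes   # constructed stand-in for the bytes of the binary


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed default-deny policy: anything not matched by an allow rule is blocked.
# Deny rules are checked first so that a user-writable location can never be
# "rescued" by a publisher or path allow rule.
POLICY = {
    "path_deny": [
        "C:\\Users\\*\\Downloads\\*",
        "C:\\Users\\*\\AppData\\Local\\Temp\\*",
    ],
    # Strongest rule: the exact binary that was reviewed and approved.
    "hash_allow": {sha256_hex(b"pos-terminal-client v4.2")},
    # Medium strength: anything signed by an approved vendor (hypothetical name).
    "publisher_allow": {"Example POS Vendor Inc."},
    # Weakest rule: trusts the location, so it only holds if non-admins cannot write there.
    "path_allow": [
        "C:\\Program Files\\*",
        "C:\\Windows\\System32\\*",
    ],
}


def evaluate(exe: Executable, policy: dict = POLICY) -> tuple[bool, str]:
    """Return (allowed, reason) for one launch attempt under the policy."""
    for pattern in policy["path_deny"]:
        if fnmatchcase(exe.path, pattern):
            return False, f"denied: path matches deny rule {pattern}"
    if sha256_hex(exe.content) in policy["hash_allow"]:
        return True, "allowed: hash rule"
    if exe.publisher and exe.publisher in policy["publisher_allow"]:
        return True, "allowed: publisher rule"
    for pattern in policy["path_allow"]:
        if fnmatchcase(exe.path, pattern):
            return True, f"allowed: path rule {pattern}"
    return False, "denied: no matching allow rule (default deny)"


# Constructed launch attempts on a hypothetical POS back-office machine.
SAMPLES = [
    Executable("C:\\Program Files\\POS\\client.exe", "Example POS Vendor Inc.",
               b"pos-terminal-client v4.2"),
    # Same approved path, but the file was modified and is now unsigned:
    # the hash no longer matches, yet the path allow rule still lets it run.
    Executable("C:\\Program Files\\POS\\client.exe", "",
               b"pos-terminal-client v4.2 + unexpected change"),
    Executable("C:\\Users\\clerk\\Downloads\\invoice.exe", "", b"unknown download"),
    # Signed by an approved publisher, but launched from a temp folder: deny wins.
    Executable("C:\\Users\\clerk\\AppData\\Local\\Temp\\update.exe",
               "Example POS Vendor Inc.", b"vendor tool dropped in temp"),
    Executable("D:\\tools\\unknown.exe", "", b"unsigned tool on removable media"),
]


def audit(samples=SAMPLES, policy: dict = POLICY) -> dict[str, tuple[bool, str]]:
    """Evaluate every sample; keyed by path plus publisher so duplicates stay distinct."""
    return {f"{s.path}|{s.publisher}": evaluate(s, policy) for s in samples}


if __name__ == "__main__":
    for key, (allowed, reason) in audit().items():
        print(f"{'ALLOW' if allowed else 'BLOCK':5}  {key:60}  {reason}")
```

The second sample is the instructive one: a modified, unsigned file in `C:\Program Files` is still allowed by the path rule. That is the intended behaviour of a path rule, and it is exactly why the article pairs whitelisting with privilege management: if the accounts that handle e-mail and browse the web cannot write to the allowed locations, the path rule stays trustworthy, and the hash and publisher rules catch anything that does land there.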

The arrival of EMV in the United States is an exciting time for the payments industry, which can now enjoy the same level of credit card fraud protection that Europe has experienced for years. The transition will no doubt relieve a lot of the concern that’s grown around POS recently, but merchants and consumers alike mustn’t lose sight of EMV’s intention. It’s a major step forward, but not a catch-all.

Andrew Avanessian, VP at Avecto
Andrew initially established Avecto’s consultancy (pre- and post-sales) and technology services (support and IT), developing them from the ground up into world-class offerings. Now responsible for the strategic direction of pre-sales consultancy, he regularly provides security and technology advice to large global enterprises. His background in IT infrastructure ensures he can clearly translate complex requirements, finding technical solutions to commercial challenges. With a keen interest in cyber security and the end-user experience, Andrew is a regular contributor to press articles and security events.