AFTER falling in love with European coffeehouses on his wanderjahr in Germany in1971, Brian Olson started importing espresso machines to America. Today his three Café Intermezzo outlets in Atlanta employ 150 people and take in $7m a year. But in 2013, after fake credit cards were used in one of his restaurants, his card payment processor started withholding 20% of his revenue in escrow, “holding my business hostage” he laments. He is now an enthusiastic advocate of payment card security, hoping others avoid the “capricious and arbitrary” treatment he experienced. Changes to America’s payment card environment are imminent, but industry experts warn that without an holistic approach to data security fraudsters will continue to cause misery.
2014 was the worst year on record for data breaches and payment card security in America lags much of the rest of the world. A major improvement will occur later this year with the introduction of EMV; the technology introduced by Europay, MasterCard and Visa to the European payment card ecosystem 20 years ago and known outside America as chip and PIN (personal identification number). To authenticate legitimate card users and protect sensitive card details, EMV uses an embedded smart chip instead of the magnetic strip on the back of the cards, which can easily be cloned.
On October 1st the major credit card brands (MasterCard, Visa, American Express and Discover) are shifting the liability for fraud or data breach to the least secure part of the sales infrastructure. The move, designed to encourage take-up of safer point of sale apparatus that can handle EMV payments, is welcome news. But there are 12 million merchants in America cautions Jeremy King, International Director of the Payment Card Industry Security Standards Council (PCISSC), a cross-industry standards-setting organisation. Not all will be ready by October.
A second issue is that EMV allows for different Cardholder Verification Methods (CVM), some of which are stronger than others. PINs checked online with banks (using the debit rails) are the most robust. But one CVM accepts just a signature; a method open to abuse. (Purchases can also be made with no verification at all, for low-value transactions.) What is more, a transaction using a signature CVM uses the credit rails controlled by the major banks, with an attendant higher interchange fee. Mallory Duncan, Senior Vice President at the National Retail Federation (NRF), says that the interchange fee bonus and a reluctance to spend money investing in chip and PIN infrastructure means it is in banks’ interests to promote chip and signature as a CVM. This is despite wide acceptance across the industry that chip and PIN is more secure and retailers’ dismay that they are expected to invest in chip and PIN-reading equipment that may never be used. “Fraud flows to the weakest point,” Mr Duncan warns, “and that’s the signature.”
But unlike Europe 20 years ago, America today is an online marketplace. Measures to protect card details transmitted over the internet, (such as when an online CVM is used), or held within a retailer’s network (helpful in facilitating future sales and providing other services), are not included in the liability shift. Mr King warns that EMV is not a silver bullet and highlights the need for multi-channel protections.
Despite high profile attacks like those on Target and Home Depot, around 90% of data breaches hit SMEs, says Charles Hoff, former General Counsel of the Georgia Restaurant Association and now CEO of PCI University, an online platform providing data security education. Credit card companies expect banks and card processors to comply with data security standards set out by the PCISSC. They, in turn, expect merchants to do likewise, bearing the risk of failure to do so. The rules, expressed in the Standard Merchant Contract, state that following a data breach, merchants may have to employ forensic auditors to examine their network and pay fines, charge backs and card re-issuance penalties in the event of non-compliance. This “cash-flow crunch” can be terminal for SMEs and “within six months of a breach,” says Mr Hoff, “around 60% go out of business.”
Part of the problem is that most small business owners and merchants have the misconception that they are too small to be the target of hackers, says Mr Hoff. As a result, they often feel that they can take their chances and not worry about initiating proper security measures. But after Café Intermezzo was attacked it cost $45,000 to beef up security at each restaurant and a yearly fee of around $30,000 for bank insurance, consultants services and technology maintenance to indemnify against future violations. Many small merchants ask if the exposure is worth the investment. And it is worse for big retailers. Target is spending $100m to change equipment and issue its own chip-based cards following the breach of 40m accounts in 2013.
For a robust and multi-layered approach to payment card security, five things are required. First, chip and PIN should be accepted as the industry standard (with banks absorbing the costs of their infrastructure investment, rather than pass these onto consumers and merchants). Second, as the Primary Account Number (PAN) on a smart card is still transmitted in clear, it is vulnerable. Point-to-Point Encryption (P2PE) along the transmission routes of a transaction should be implemented so that any data intercepted within the merchants point of sale apparatus or on the way to the card processor is better protected.
The third must-do is to remove the PAN from any online transaction as soon as possible. The card payment processor should swap the PAN for a token, so as to lessen the threat from any subsequent breach of the encrypted transmission routes or retailer’s systems’. Neither this process (known as tokenisation) nor P2PE will impact normal business processes and both should be a basic part of standard card processing packages offered by merchant’s banks and card processors.
The fourth element is to educate merchants and consumers and increase awareness of the threat across the whole industry (the NRF are calling for a Data Breach Notification law). Mr Hoff accepts that there is no easy or inexpensive solution and that every participant in the payment card security environment could make a case for someone else paying for P2PE and tokenisation. “It is tricky, but it’s a cost everybody needs to bear.”
Finally, greater industry self-regulation is required to provide a more responsive counter to innovative security threats and avoid the need for legislation. (Congress is always “a dollar too short and a day too late” says Tom Litchford, Vice President of Retail Technology at the NRF.) Initiatives such as Visa’s Technology Innovation and Secure Acceptance Incentive programmes encourage small merchants to employ the most secure and PCI-validated systems, says Ruston Miles, Chief Innovation Officer of Bluefin Payment Systems, the first company to offer PCI-validated P2PE to merchants in America. He hopes MasterCard will follow suit to produce an industry-wide “safe-harbour programme”.
In Café Intermezzo, Mr Olson says PCI-compliance is a crucial issue but he knows many restaurateurs who are unaware of the threat, the potential costs to business or of the EMV shift. “It takes a major negative experience to motivate us to do what we should have been doing in the first place,” he says.