The Green Sheet Online Edition
November 26, 2012 • Issue 12:11:02
Have we missed the window for EMV?
A significant data breach, disclosed in October 2012, once again involved an attack on POS devices. This case affected retail customers of bookseller Barnes & Noble Inc. The company determined through an internal investigation that the compromise was linked to device tampering at its stores in nine states. I call this fraud incident the Hurricane Sandy of the payments industry.
This type of widespread number-skimming fraud brings up an interesting debate at a time when the payments industry is gearing up to make a massive technology change. The transition to the Europay/MasterCard/Visa (EMV) standard will address card-present fraud committed by retail customers, rather than the most prevalent types of card fraud the United States faces: card data theft through device tampering and database breaches.
On Oct. 24, Barnes & Noble confirmed the breach, which hit 63 stores. Criminals planted bugs in compromised PIN pad devices, allowing for the capture of card and PIN numbers. The bookseller said it had disconnected PIN pad devices at all stores nationwide as of Sept. 14. The breach reportedly affected only card-present transactions, and the customer database for the company's e-commerce business continues to be secure.
Waiting for patterns to emerge
This breach is causing card issuers to take stock of the fraud prevention and detection challenges they face. In order to determine the source of this fraud scheme, card issuers reportedly monitored the case beginning in the spring of 2012 using cross-channel detection. Most of the cards linked to this breach were reportedly used at nearby ATMs.
Barnes & Noble recommended that customers who swiped their cards at any of the stores with affected PIN pads take the following steps to protect their accounts. Card users were advised to:
- Change PIN numbers, if applicable
- Review their accounts for unauthorized transactions
- Notify their issuing banks immediately of any unauthorized purchases, withdrawals or cash advances
Issuers standing guard
Card issuers are on the front lines of fraud detection. They are typically the first to identify a pattern when a retailer has been breached. Poorly maintained POS networks and devices are a primary cause of retail data breaches.
This incident raises a topic for debate as the industry gears up for a transition to EMV technology in 2013. Is EMV the right technology for the United States now?
EMV is a global card standard that Visa Inc., MasterCard Worldwide, American Express Co., and JCB International Co. Ltd. use to ensure security on contact and contactless card payments. The technology is usually called chip and PIN. EMV was developed to combat card-present fraud, which at the time was rampant in Europe.
According to the ATM Crime Statistics report of the European ATM Security Team, ATM fraud in Europe has dipped by 55 percent thanks to chip-and-PIN technology. Of an estimated 359,000 ATMs in Europe, 68 percent now use EMV, up from 63 percent in 2006.
Questioning potential return on investment
U.S. merchants are confused by the recent EMV push from the major card brands. Many larger merchants already swapped out POS equipment in the last three years to stay current. Now, they will again have to replace equipment, this time with EMV-capable terminals. Domestically, merchants suffer more from database breaches and POS terminal breaches than card-present fraud.
In the United States, card-present fraud rates do not seem to justify an equipment swap like this. So any decline in fraud will not offset the costs of implementing EMV or contactless terminals. Currently, the card-present fraud rate in the United States matches that of Europe.
With the advent of smartphones, devices and mobile wallets, EMV has no definitive advantage now. The costs of an EMV transition will be paid for by merchants and processors, with limited return on investment. I believe we have missed the window for the EMV push in the United States. What do you think?
Nicholas Cucci is the Director of Marketing for Network Merchants Inc., a graduate of Benedictine University and a licensed Certified Fraud Examiner. Cucci is also a member of the Advisory Board and Anti-Fraud Technology Committee for the Association of Certified Fraud Examiners. NMI builds e-commerce payment gateways for companies that want to process transactions online in real time anywhere in the world. Contact him at firstname.lastname@example.org.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.