Insights & observations for retail POS
Part 1, EMV
There’s a strong case for US retailers to implement secure payment systems at the retail POS. Between Apple’s recent announcement of its Apple Pay mobile wallet and the continued retailer credit card breaches, we can expect major changes in the payments industry over the next 12 to 18 months.
Since late 2013, there have been breaches at several major retail chains including Target, Neiman Marcus, Michaels, Sally Beauty Supply, Supervalu and, most recently, Home Depot.
Home Depot is the largest breach to date, affecting 56 million cards versus Target’s 40 million. It’s estimated that the breach will cost the D-I-Y retailer some $62 million. A recent article by VentureBeat reports that infected self-checkout terminals may have been the prime source for the breach. ‘Security experts told VentureBeat that self-checkout terminals typically run Windows XP, use store-bought MS56 or 128 bit encryption, and are easier to crack than POS terminals. While POS terminals are typically operated by cashiers, self-checkout generally has no oversight and that could be aiding hackers.’
The NY Times Blog reports that Home Depot advised that moving to EMV required writing tens of thousands of lines of new software code and deploying 85,000 new payment terminals in its stores by the end of 2014. EMV was rolled out to the Canadian stores several years ago.
A proposed solution is Europay, Mastercard and Visa (EMV, also known as chip & PIN) and/or Near Field Communication (NFC) enabled payment systems. It’s easy to make the distinction between the two if you think of EMV as being the contact version (enter PIN or sign) and NFC as contactless because you just tap your card or phone to the payment terminal.
Although US retailers have been slow to adopt EMV (or NFC) because of the costs, they now see how these costs are minimal compared to the direct and indirect costs associated with a major data breach. Target, for example, announced that its breach cost the company $148 million including the costs of hiring experts, the actual company investigation and the loss of customers.
October 1, 2015 is the date credit card networks have set as the deadline for most U.S. merchants to upgrade their payment systems. The target date for ‘pay at the pump’ fuel dispensers is October 1, 2017.
A report by research group Aite estimates that by the end of 2015 some 70% of US credit cards and 41% of debit cards will be EMV enabled, rather than NFC-enabled — although Apple Pay may change those figures. Further, the US marketplace accounts for nearly half of all payment cards and terminals worldwide.
Europay Mastercard and Visa (EMV) was established in the 1990s and deployed throughout the world in the 00’s – the US is the notable exception. EMV is a set of specifications for smart card payments and acceptance devices that provide strong transaction security features and capabilities not possible with traditional magnetic stripe cards.
What does the target date mean?
It marks when the liability will shift to merchants for fraud that results from transactions on a system that is not EMV capable. Standards are in development for using an EMV card in ‘card-not-present’ transactions (over the phone or online).
It’s likely it will be the retailers who are liable because the card schemes have demanded EMV adoption and the issuers are providing chip cards. To avoid liability, retailers need to ensure that their systems are EMV-enabled.
“Most top tier retailers already have EMV in place”, says Verifone CEO Paul Gallant. “It’s really about turning on the system as opposed to putting in terminals.” The bottleneck to EMV migration has been the cumbersome process of certifying EMV terminals across a large ecosystem of issuers, card networks and acquirers.
EMV cards are equipped with an integrated circuit chip and use strong cryptography to create a unique code for each transaction making them more difficult to hack or counterfeit than magnetic stripe cards. The unique code is validated by the respective bank for each transaction and can’t be re-used. Transactions using fake cards with stolen data are unlikely to occur with an EMV terminal because it wouldn’t be able to generate the proper code.
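Added example, not part of the original post: a simplified Python model of the per-transaction code described above, showing why a replayed message or a counterfeit card without the chip's key is declined. HMAC-SHA256 stands in for the card's cryptogram algorithm, and the ChipCard and Issuer classes, the key and the card number are constructed for illustration.

```python
import hashlib
import hmac

def _mac(key, pan, atc, amount, nonce):
    # Stand-in for the chip's cryptogram; real cards use the MAC defined by the EMV specs.
    msg = f"{pan}|{atc}|{amount}|{nonce}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]

class ChipCard:
    def __init__(self, pan, card_key):
        self.pan = pan
        self._key = card_key   # secret key, never leaves the chip
        self.atc = 0           # transaction counter, increases on every use

    def sign(self, amount_cents, terminal_nonce):
        self.atc += 1
        code = _mac(self._key, self.pan, self.atc, amount_cents, terminal_nonce)
        return {"pan": self.pan, "atc": self.atc, "amount": amount_cents,
                "nonce": terminal_nonce, "cryptogram": code}

class Issuer:
    def __init__(self):
        self._keys, self._last_atc = {}, {}

    def enroll(self, pan, card_key):
        self._keys[pan], self._last_atc[pan] = card_key, 0

    def authorize(self, txn):
        key = self._keys.get(txn["pan"])
        if key is None:
            return "declined: unknown card"
        expected = _mac(key, txn["pan"], txn["atc"], txn["amount"], txn["nonce"])
        if not hmac.compare_digest(expected, txn["cryptogram"]):
            return "declined: bad cryptogram"
        if txn["atc"] <= self._last_atc[txn["pan"]]:
            return "declined: replayed counter"
        self._last_atc[txn["pan"]] = txn["atc"]
        return "approved"

def demo():
    pan, key = "4000000000000002", b"constructed-demo-key"   # constructed values
    issuer = Issuer()
    issuer.enroll(pan, key)
    card = ChipCard(pan, key)
    txn = card.sign(2599, "a1b2c3d4")
    first = issuer.authorize(txn)
    replay = issuer.authorize(txn)        # same captured message presented again
    clone = ChipCard(pan, b"not-the-chip-key")   # counterfeit: has the number, not the key
    clone.atc = card.atc
    forged = issuer.authorize(clone.sign(2599, "e5f6a7b8"))
    return first, replay, forged
```

The counter check is what makes a captured code useless a second time; the key check is what a card built from stolen static data cannot pass.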
EMV is more secure than magnetic stripe credit card transactions, where the credit card data is sent from the payment device to the cash register (usually a Windows-based computer) and pushed unencrypted over a USB cable. It is only encrypted after it leaves the cash register. Because cash registers are easier to hack than payment terminals, this makes magnetic stripe credit cards more vulnerable than EMV.
EMV can also address card-not-present (CNP) fraud with cardholders using their chip cards and individual readers to authenticate internet transactions.
Although EMV implementation will not entirely prevent attacks, it’s likely that hackers will focus on less protected networks.
EMVCo (www.emvco) reports increased adoption of EMV technology as of Q4 2013 with 2.37 billion EMV payment cards in circulation and 36.9 million active EMV terminals worldwide. It’s expected that over 575 million EMV cards will be issued in the US by the end of 2015. Leading payment terminal provider, Verifone, estimates that 80 percent of the devices it sold in Q2 2014 can accept both EMV and NFC payments.
EMV’s impact is compelling. Losses at U.K. retailers have dropped by 67 per cent since 2004. Their lost or stolen card fraud declined 58% between 2004 and 2009. Similarly Canada experienced a dramatic drop in fraud since their 2008 nationwide implementation with losses dropping from $142 million in 2009 to $38.5 million in 2012.
Walmart is one of the first major retailers to use EMV technology in its credit cards. In June 2014, their Sam’s Club group issued chip-enabled MasterCards. Cardholders of Walmart’s store-brand MasterCard will be receiving their new chip-enabled cards later this year. In addition, Walmart started installing EMV-capable terminals at its checkout counters 8 years ago and now has them installed at some 4600 US stores.
Retail data breaches
Hackers over the past few years have perfected software that lurks on card readers to grab the data, collects it in files hidden on a retailer’s network and then ships it out to awaiting cybercriminals usually on a website such as Rescator where criminals can purchase stolen credit card numbers. Thieves can purchase the exact credit card numbers they’re most interested in because of filters for the bank, state, city and even exact data breach. There are signs that the perpetrators of the Home Depot breach may be the same group of Russian and Ukrainian hackers responsible for the data breaches at Target, Sally Beauty and P.F. Chang’s, among others.
Breaches are conducted remotely, by humans (not viruses or drive-by downloads) usually when they find a vulnerable web server. Once in the system, the hackers are able to map the internal network, determine who has access to the card data environment and then steal those user accounts so they can move around undetected. Once inside the network, there are few if any alarms to alert the company of a breach. The malware which usually infects most systems is BlackPOS and its variants.
In many cases, news of a data breach has been announced not by the retailer themselves but by Brian Krebs (http://krebsonsecurity.com/), an American journalist and investigative reporter heralded for his coverage of cybercriminals.
Home Depot – earlier this month Krebs was the first to report signs of a potential breach impacting almost all 2200 Home Depot stores nationwide. Subsequent reports estimate that 56 million cards were affected making it the largest breach to-date.
An investigation by Bloomberg Businessweek found that Target ignored warnings from its hacker-detection tools, leading to a breach that compromised 40 million credit card numbers and 70 million addresses, phone numbers and other pieces of personal information. The breach was linked to the loss of credentials at an HVAC services vendor. In addition to the loss of consumer trust, the breach has cost Target $148 million and includes some 80 million lawsuits filed by consumers.
Michaels estimated its systems were exposed at various stores from May 2013 to January 2014 exposing information regarding credit and debit card numbers as well as expiration dates. Between Michaels and its Aaron Brothers group, some 3 million cards may have been exposed to hackers.
Supervalu announced a breach had occurred between June 22 and July 17, 2014 at more than 100 of its 3300 stores. Supervalu’s internal team quickly identified and contained the intrusion.
Sally Beauty Supply encountered a cyber-attack in late February 2014 which affected 25000 credit card numbers and cost the retailer $1.1 million.
Bloomberg Businessweek reported that the hackers who raided the credit-card payment system of Neiman Marcus Group set off alerts on the company’s security system about 60,000 times, moving unnoticed in Neiman’s computers for over eight months. It’s estimated that some 350,000 customer cards may have been exposed.
Will we return to cash?
A recent study by Vision Critical reports that 64% of its respondents say they are more likely to pay in cash after hearing about security breaches at large retailers. From the retailer’s perspective, not only is cash anonymous (no marketing opportunities) but unlike with plastic, shoppers are less inclined to make impulse purchases.
“Do it once, do it right, and ‘future proof’ yourself as much as possible” suggests Oliver Manahan, MasterCard’s vice president of advanced payments, about retailers’ readiness for EMV and NFC.
At Mainstreet, we’ve successfully rolled out new payment terminals for several national retailers. Contact us today to learn how we can seamlessly upgrade your payment terminals to ready your business for EMV and NFC to provide your customers with a secure payment environment.
Next week’s blog post, Apple Pay