By Marnie Och-Raleigh, Evolve Systems
Making policy with the right information
It’s difficult to watch the Congressional hearings when a significant percentage of the data being discussed is not accurate. Our elected officials are acting as experts in a very complex field, and it’s apparent they don’t have a deep understanding of the market. I am concerned their recommendations will not completely solve the issue and we will once again be sitting in a vulnerable position.
2015 EMV implementation may be unrealistic
EMV is here to stay; it’s not going away. But the aggressive timeline to have it implemented in 2015 is not realistic. We expect banks to issue dual cards over the next several years. A dual card has both the traditional magnetic stripe on the back of the card and the Chip/PIN embedded in the card. The old terminals can accept the dual card, but until they are upgraded at the merchant level to recognize and capture the Chip/PIN, we will still have gaping holes of vulnerability.
Security should come from web servers, equipment and PCI compliance
Over 70% of theft in the world is directly connected to identity theft, and over 50% of the fraud cases in the world happen in the United States. Moving towards the EMV Chip/PIN arena will be successful in card-present transactions because of the validation process, which requires validation of the original chip, but it does not address the issue we experienced with the Target Corporation. EMV would not have stopped their breach because it was at their server level and not the terminal level.
Many merchants complain about the process and questionnaire they are required to complete to receive their PCI certificate. PCI Security standards are the major credit card brands’ 12 requirements to verify that merchants are securing cardholder data.
If they are not compliant, they receive a penalty fee and are then frustrated at the amount of money they pay for their services.
Plan to invest in security to protect your business and your customers
In 2007 we were one of the first companies to introduce a pay-at-the-table credit card machine, allowing a server to bring the credit card terminal directly to a client to finalize their own transaction. While this was revolutionary, we were surprised the acceptance was not more widespread. We see this process being accepted in Europe; unfortunately, we had little adoption because of the cost of the machines. Although the cost of the machine was minuscule in comparison with the penalties they would pay should a breach happen, business owners had little to no interest in making the investment to protect their business against fraud.
With the industry moving towards point-to-point encryption, we see positive solutions being developed. Unfortunately, we also know the criminals and masterminds behind the corruption are always working furiously to crack the next level of security.
We hope the recent tragedy and fraud committed against Target, Neiman Marcus, Michaels, their customers and others will be seen as a wake-up call for all businesses accepting credit cards, and that they will make the investment in their own equipment upgrades and take ownership of security enhancements across all their technical systems. This is part of the cost of doing business and processing payments through debit and credit cards.