Is the fact that payments fraudsters will have to go online to perpetrate crimes against your customers if EMV capabilities are implemented in store really a good rationalization for not moving forward with new EMV payments terminals and fully encrypted payments processes? If you had water leaking from a hose in two places, would you not fix one leak for fear the water pressure would push more water through the other hole? Well, perhaps in the latter case you would buy a new hose, and there is a similar analogy in retail payments. Multiple security holes should be treated with multiple tactics to improve enterprise security, but every attempt should be made to secure transactions and data everywhere vulnerabilities exist. There is absolutely a cost consideration at hand, but there is an even greater risk in not doing everything possible to plug the big holes.
Investing in new payments terminals and implementing new payments processes is costly and time-consuming, but if retailers don’t seize this opportunity to close this door to fraud, they continue to be sitting ducks – just waiting for a fraudster to breach their best efforts to secure customer data. Now that the October 1, 2015 liability shift date has come and gone, stores will be liable for in-store fraud, and this stands to be very expensive when it occurs, since recent breaches impacted millions to hundreds of millions of customers. Losses due to card fraud are expected to top $10 billion in 2015. Even if only 25% of customer cards had $1 in fraudulent charges, that equates to $25 million – certainly not a sum to ignore. Fraud in the UK dropped 27% between 2007 and 2012, the years when EMV became widely accepted in that country. What if your business could reduce risk by 27% or more?
It is true that fraudsters will continually look for new vulnerabilities because, unfortunately, that is what they do. But with 90% of retail transactions processed in store, shouldn’t retailers do all they can to close this door? We’d recommend making investments in multiple places in the retail enterprise: 1) to reduce liability in the store (with EMV compatible device deployment) and 2) to secure data in flight and at rest everywhere in the organization. A variety of investments that protect the retailer far beyond basic PCI compliance may be warranted, including investments related to: data encryption and tokenization; access / authentication; perimeter/endpoint intrusion detection; and security visibility, governance and management.
Are the Radical Shifts in the Payments Landscape Justification for not investing in EMV Capable Payments Terminals?
No, of course not. This is a case of making sure that business decisions are based on the facts – the pros and the cons – and not an excuse for not moving forward. Follow the leaders – not the laggards. Big retailers including Home Depot, Target and Walmart are fully EMV ready, and have also taken steps to enable secure mobile payments schemes that include various combinations of PayPal, Apple Pay and Google Wallet. In a series of 10 retail store visits in the last week (very informal, unscientific research), 60% of retailers had new EMV card readers, but 20% of these retailers had not activated them, and one cashier did not try the reader when a card swipe failed (and instead swiped the card again). There is obviously a long way to go, both in the acquisition of EMV capable terminals and, probably even more importantly, in software enablement, payment process certification and cashier training. The amount of press that this topic has received may be the retailers’ savior (that is, if they’ve deployed EMV readers), as consumers realize that their new cards have new capabilities and look for opportunities to utilize the more secure payments scheme.
No longer a mystery to many consumers, proximity payments are also gaining in utilization. But ubiquitous use of any one or two specifically branded proximity methods (Apple Pay, PayPal, Android Pay) is not going to happen anytime in the foreseeable future, so holding out for a dramatic consumer adoption shift to this method instead of EMV is out of the question. However, IDC Financial Insights forecasts that proximity payments, especially those using near-field communication (NFC), will see the largest growth rate among payments methods in the 2015–2020 forecast period, with a five-year compound annual growth rate (CAGR) expected to be 85.9%.
Some of the technology provider announcements in support of making the move to both contactless and EMV chip enabled payments include:
Verifone has been busy for the last several years developing a variety of capabilities designed to serve retailers of all sizes with hardware, software and services that enable secure, fast and upgradable payments processes. The company has plug-in and stand-alone mobile devices and a variety of feature-rich capabilities to fit retail consumer engagement requirements. One of many notable features: Verifone leverages its Secure Commerce Architecture (SCA) to enable large retailers to move payment data seamlessly without it ever residing on point of sale terminals.
FirstData announced that it now accepts Samsung Pay across its payment terminals, including the Clover family, and like Verifone hasn’t been standing still for the last couple of years, but instead has released a steady stream of EMV and contactless compatible devices.
PayPal announced a new payments device for small businesses, US PayPal Here with EMV, which works on both iOS and Android platforms and accepts chip card, magnetic stripe and contactless near field communication (NFC) transactions, including Apple Pay, Android Pay, Samsung Pay and any other NFC enabled device or card.
Square also announced a new contactless and EMV chip reader payments device that works as an alternate reader, so that users of the existing Square dongle can continue using it to swipe the mag stripe on credit cards. At this writing it is available for pre-order for free, but will be $49 when it becomes generally available.
Number One Priority – Make Sure Capabilities Are Aligned With Consumer Expectations
Frankly, don’t expect the customer to know what they want beyond the following:
- Seamless, fast transactions
- No payments reconciliation hassle
- No credit card activation complications
- What you tell me to do
IDC Retail Insights consumer research also reveals that consumers will adopt these technologies readily when 1-4 above are resolved. In a study conducted in March 2015, 17.4% of US based consumers reported that they had already completed a payment on their smartphone, and 15.4% reported that they used a contactless payment type in the last 12 months.
Not all consumers have EMV capable cards yet; most reports put card replacement at something just shy of 60% at the moment, with another half billion cards due to be swapped. A long list of credit card issuers that have issued new cards is available at EMV Connection.
Number Two Priority – Guard the Store – CYAssets
POS intrusions, though often the first thing that comes to mind, are not the only security vulnerability to be concerned about, but they continue to be a significant point of weakness according to a recent Verizon report, the 2015 Data Breach Investigations Report. The Verizon report includes security vulnerabilities not always considered side by side with POS intrusions, and reveals that the top areas of concern are (in this order): Web App Attacks, Insider Misuse, POS Intrusions, Payment Card Skimmers, Miscellaneous Errors, Physical Theft/Loss, Denial of Service, Cyber-Espionage, and Crimeware.
Security Breach Economic Consequences
- The Verizon 2015 Data Breach Investigations Report (DBIR), using a new model for calculating the cost of a breach, forecasts the average loss for a breach of 1,000 records to be between $52,000 and $87,000, with 95% confidence; a breach affecting 10 million records is forecast to have an average loss between $2.1 million and $5.2 million.
- For retailers, large breaches are impacting hundreds of millions of records, but the frequency of small breaches, even among smaller companies, makes it clear that it isn’t just the large retailers that need to be concerned.
- According to a much-quoted 2014 study by the Ponemon Institute, the average data breach costs US organizations an estimated $201 per record, or an average of $5.9 million total per breach. (Source: 2014 Data Breach Study; Ponemon Institute and IBM)
- Retail breaches ripple out beyond the expenses of responding to the attack. Sales decline, profits fall, and lawsuits are filed against companies. Company credit ratings and reputations also suffer.
- Most retailers report fines of less than $250K per attack, but almost 2% report fines between $5M and $10M.
- The fourth quarter 2013 Target data breach, in which an intruder gained unauthorized access to its network and stole certain payment card and other guest information, changed retail breach dynamics forever because it became readily apparent that customers would hold the retailer accountable for compromising their data. There was an immediate and lasting impact on Target. Reportedly, by second quarter 2014, gross breach-related expenses of $148 million had been tallied; sales were flat; profits fell 46%; lawsuits were filed against the company; Standard & Poor's downgraded Target's credit rating; and its reputation appeared damaged indefinitely. It was only after CEO and CIO resignations and significant investments in security and other customer centered initiatives that the company bounced back. Additionally, financial institutions alone spent more than $200 million in response to the hack, replacing millions of credit cards whose data had been compromised.
The stars are finally aligning around more secure and consumer friendly payments options, but of course the ecosystem doesn’t all get to the finish line at the same time. Additionally, payments innovation is happening fast, and we fully expect that mobile multi-factor authentication and proximity payments with schemes such as Apple Pay, Android Pay and PayPal will become increasingly popular among consumers, as they happily shed their physical wallets for digital versions. Mobile devices will play an important role in how consumers shop and pay, but plastic and cash will not disappear any time soon. If IDC’s forecast of 7.1% of total payments being made via mobile holds, then 92.9% will be made through other methods. What's more, mobile adoption will vary widely across markets and verticals.
The revolutionary part of the payments market right now is related to proximity payments, with huge impacts in the small business segment, where even the smallest businesses are now taking credit cards, processed on Square, Clover, PayPal and other providers’ technology. This enables consumers to leave their cash in the bank, and this becomes a habit quite quickly. PayPal radically changed the payments landscape when it, like Starbucks, started letting consumers leave their cards in their wallets for purchases. But one could argue that real consumer awareness of the possibilities of secure payments on a personal phone in physical retail should be attributed to Apple Pay, even though others, including Google, had the capabilities first. Importantly, Apple helped drive cooperation among the banks, telcos, payments networks and device manufacturers, and the Visa liability shift has driven retail investments in new payment terminals – establishing the basis for realistic consumer adoption expectations. And now that the banks are shipping cards with EMV chips, retailers will find more reasons to upgrade capabilities to reduce risk and improve the customer payments process.
IDC Retail Insights data certainly reinforces that adoption is happening and will continue to grow dramatically through the next several years. Only 17.4% of consumers reported using their smartphone to pay in the past year, but this number is more than twice what it was the previous year. Similarly, contactless payments have been used by 15.4% of consumers in the last twelve months. These are all harbingers of change that will accelerate within the next couple of years. Retailers need to protect the security of consumer transactions and enable seamless commerce however the consumer wants to participate. Why wouldn’t retailers attack vulnerabilities with the fervor and determination of the criminal hacker? If they can’t do it, perhaps they should turn the processing over to someone who can.