The US payments industry should reconsider the value of PCI compliance guidance in the light of increasingly sophisticated skimming attacks and instead consider mitigating risk by moving to chip and PIN, according to a Federal Reserve Bank of Atlanta staffer. In a post on the Atlanta Fed's Portals and Rail blog, Cindy Merritt, assistant director of the retail payments risk forum, calls into question the value of Payment Card Industry (PCI) data security council guidelines in a mag-stripe country.Here's her post:
Stemming the rising tide of card breach incidents: PCI compliance or chip-and-pin?
Incidents of card data breaches continue to rise despite industry efforts to safeguard customer payment information in transactions with merchants. Arts and crafts retailer Michaels was the most recent target of a large data breach. The company announced on May 4 that several of its stores, including three in Atlanta, had been victimized by card-terminal tampering and that customer credit and debit card information might have been compromised. The tampering activity enabled card data skimming, a scheme used to clone cards to create new counterfeit cards or to make payments online illegally using the customer's stolen identity.
The Payment Card Industry (PCI) Data Security Council guidelines have promoted advances in the way the industry addresses card data security–but in many ways, the PCI guidelines are necessary, unfortunately, because of cards that use mag-stripe technology instead of the more secure chip-and-pin technology, a subject we've blogged on before. With this in mind, is it time to reexamine the long-term effectiveness of PCI guidance as a mitigation solution for payment card skimming fraud?
The growing incidence of skimming schemes
Many are the potential ways for criminals to gain access to card data from credit or debit card transactions today. For example, criminals use various forms of social engineering to install malware over the Internet on victims' PCs to gain access to personal and financial information that they can use to commit payments crimes. Another increasingly worrisome method is card skimming, a scheme that takes place at an ATM or a merchant's handheld or stand-alone point-of-sale terminal. The criminal either embeds an overlay device in the existing point-of-sale card reader to harvest card data or replaces the pin pad altogether by swapping it for a bogus reader to collect card data. Data-skimming breaches give criminals access to the card information necessary to commit identity theft, create counterfeit cards, or use the card information online for illegal purchases.
Many are the potential ways for criminals to gain access to card data from credit or debit card transactions today. For example, criminals use various forms of social engineering to install malware over the Internet on victims' PCs to gain access to personal and financial information that they can use to commit payments crimes. Another increasingly worrisome method is card skimming, a scheme that takes place at an ATM or a merchant's handheld or stand-alone point-of-sale terminal. The criminal either embeds an overlay device in the existing point-of-sale card reader to harvest card data or replaces the pin pad altogether by swapping it for a bogus reader to collect card data. Data-skimming breaches give criminals access to the card information necessary to commit identity theft, create counterfeit cards, or use the card information online for illegal purchases.
Bankinfosecurity.com describes the growing prevalence of skimming and payment fraud in an interactive 2010 timeline updated through October 2010. The timeline describes reported skimming events and how the businesses and financial institutions were attacked.
The PCI security standards council has developed guidelines for retailers to best protect point-of-sale card readers to prevent card skimming, including how to detect device tampering. As schemes become increasingly sophisticated, however, these guidelines will likely be less and less effective—a possibility that should give the industry pause to reconsider the value of PCI compliance guidance in light of risk mitigation alternatives, such as a migration to chip-and-pin card technology.
Mag-stripe technology and global crime rings: A perfect storm
The continued shift of retail payments from paper to electronic formats makes online channels attractive targets for sophisticated global crime rings. In fact, the 2010 Data Breach Investigations Report published by Verizon attributes 85 percent of compromised records to organized criminal groups. These groups have established their own illicit marketplaces and online forums that serve as social networks for exchanging black market data harvested in skimming schemes and information on criminal services. The development of this geographically expansive criminal infrastructure online presents global challenges to law enforcement charged with investigation and prosecuting these crimes. In the future, as credit and debit card data become increasingly valuable commodities for these black marketplaces, merchants and financial institutions will likely be challenged by more advanced skimming schemes and possibly more expansive data breaches.
The continued shift of retail payments from paper to electronic formats makes online channels attractive targets for sophisticated global crime rings. In fact, the 2010 Data Breach Investigations Report published by Verizon attributes 85 percent of compromised records to organized criminal groups. These groups have established their own illicit marketplaces and online forums that serve as social networks for exchanging black market data harvested in skimming schemes and information on criminal services. The development of this geographically expansive criminal infrastructure online presents global challenges to law enforcement charged with investigation and prosecuting these crimes. In the future, as credit and debit card data become increasingly valuable commodities for these black marketplaces, merchants and financial institutions will likely be challenged by more advanced skimming schemes and possibly more expansive data breaches.
Fighting skimming fraud is challenging but so is technology change
The vulnerabilities inherent in mag-stripe technology are expected to contribute to ongoing skimming attacks in the future, not to mention the associated credit and debit card losses. Other countries, including Canada and many in Europe, that have converted to the EMV chip technology standard have effectively mitigated skimming. (EMV technology relies on an embedded microchip for data storage on the card instead of the magnetic stripe.) As more countries employ EMV, skimming in the United States is expected to rise. In fact, according to a recent article from bankinfosecurity.com, "...skimming has become a staple of Eastern European criminal gangs, who recognize the U.S. is one of the last holdouts on chip and PIN."
The vulnerabilities inherent in mag-stripe technology are expected to contribute to ongoing skimming attacks in the future, not to mention the associated credit and debit card losses. Other countries, including Canada and many in Europe, that have converted to the EMV chip technology standard have effectively mitigated skimming. (EMV technology relies on an embedded microchip for data storage on the card instead of the magnetic stripe.) As more countries employ EMV, skimming in the United States is expected to rise. In fact, according to a recent article from bankinfosecurity.com, "...skimming has become a staple of Eastern European criminal gangs, who recognize the U.S. is one of the last holdouts on chip and PIN."
However, as my colleague Doug King noted in an earlier post, "the bad news for the United States is that a coordinated effort to migrate to EMV would be very challenging" because of our large number of card networks and payment card issuers, as well as the multitude of acceptance locations in the marketplace. For now, market participants—and in particular, the merchants—will need to be on guard against increasingly sophisticated skimming schemes perpetrated by organized crime rings.
By Cindy Merritt, assistant director of the Retail Payments Risk Forum