The December 2013 data-breaches experienced by both Target Corp. and the Neiman Marcus Group, in addition to a few other retailers, have shown a spotlight on the issue of card data security. More specifically the use of EMV technology to provide better security in credit cards, versus the traditional magnetic strips that are currently used in the U.S. Although many experts believe that the new EMV chip card technology will be sufficient to deter security data breaches in the future, other experts caution that EMV chip card technology, coupled with compatible point-of-sales terminals would not have been enough to prevent security breaches of the type that were experienced at Target. These experts feel that a more viable solution is point-to-point data encryption, but experts that favor EMV chip card technology believe that using only data encryption as a data security solution does not provide the extra benefits that EMV card chip technology does.
Experts that are in favor of using data encryption say that security data can still be transmitted unencrypted or in plain text during EMV transactions. The data that hackers would be able to acquire from the transactions is the same information that they cam acquire from cards that use magnetic strips. This information includes the primary account number for the card, the card’s expiration date, and the card holder’s full name. Experts that favor EMV chip card use say that this information would be of no use to hackers intent on committing fraud. Vice president of business development at Shift4 Corp., Bob Lowe, says “The whole thing EMV is attempting to cut out is the ability to make a new card.” This does not take into account the fact that the information that hackers can access could still be used to make fraudulent purchases. Lowe also states that there are still vulnerable plain-text points in the payment-processing chain, even though the places where data is moved in the payment process have shrunk over the years. He and other experts say that if you connect a magnetic strip or EMV point-of-sales terminal to the internet, it opens up the possibility for hackers to steal card data unless that information is immediately encrypted as soon as the card is swiped or the card information is entered, and not decrypted until it arrives at a secure location outside of the merchant’s business.
Experts that are against the use of EMV credit card technology, specifically Branden R. Williams, executive vice president of strategy in the U.S. office of Dublin, Ireland-based security-technology provider Sysnet Global Solutions, states that “The same controls that would keep the data safe in an EMV world would also keep the data safe in a non-EMV world, so, the stock answer is no, EMV by itself would not have prevented the Target breach.” Another expert, Mark English, the executive director of product development at merchant acquirer Heartland Payment Systems Inc. stated “It’s not a security panacea, as the mag stripe does, it needs encryption at the earliest possible point, and tokenization.” His personal experience with this issue comes from the biggest reported data-breach to date, which occurred in January 2009. This breach comprised a compromise of over 130 million cards. As a result, Heartland developed a line of end-to-end encrypting terminals and peripherals called E3 to combat the problem. Over 50,000 Heartland merchant use the E3 system, and Heartland has promised to cover the merchant’s costs if they do sustain a data-breach. This system does not decrypt any card information until it leaves the store, which helps to prevent the possibility of data hacking. Point-of-sales encryption does add a level of security against stolen payment data being used in instances when the physical card is not being used, such as online sales. This includes instances where retailers aren’t using additional security controls such as the CVV2 code printed on the card. Even so, experts that are for the use of EMV technology state that “Encryption adds no security benefit to prevent counterfeit fraud. It is another security feature, but it comes with added cost and complexity for retailers. It is not a substitute for EMV.”