Recently representatives of the G7 Roma Lyon Group, an organization of senior security experts from the countries of Canada, France, Germany, Italy, Japan, the United Kingdom and the United States gathered in Berlin, Germany to talk about one of the most important global economic threats – payment card crimes. The PCI Security Standards Council (PSI SSC) was invited to participate by the U.S. Department of Justice (DOJ) and I was honored by the invitation and the opportunity to lead a discussion on EMV chip technology.
This important meeting of security experts from around the globe discussed security initiatives for consideration by the G7 in order to ensure a shared approach among our countries. The focus on payment card crimes comes as a result of relentless cyber-attacks every day from sources all around the world. Just this year alone, there will be an estimated 42.8 million cyber-attacks.
{mosads}Much of our discussions centered on EMV chip technology. While Europe has utilized this technology for the past decade, Americans are just becoming familiar with it. Most Americans have now been issued with a chip card and are getting use to inserting their credit/debit cards into payment terminals instead of the traditional swipe.
The chip, known as EMV computer chip technology, prevents criminals from creating duplicates of the payment cards they steal and then sell on the black market. The computer chip creates a unique code (cryptogram) with every transaction. It’s something criminals have had a tough time counterfeiting ever since it was introduced in Europe and then Asia ten years ago. In the UK and France, the rollout of EMV Chip cards resulted very quickly in a reduction of counterfeit card fraud of over 75% and this figure has remained consistently low ever since.
However the last 10 years has seen huge changes in how we shop and pay for goods and services with growing numbers of consumers using online shopping and more recently their smart phones. These are great new opportunities for both merchants and consumers alike, but unfortunately, provide great opportunities for the criminals.
The global organized criminals have been very quick to realize this, these criminals don’t quit, they evolve and plan new lines of attack. This point is a critical point and was an important part of the G7 meeting. There are those in the U.S. and around the world who see EMV chip technology as a “silver bullet” that eliminates card payment fraud. It isn’t a silver bullet. While EMV chip technology does significantly reduce face-to-face fraud, we have seen a steady switch to and rise in Card-Not-Present (CNP) fraud. Indeed CNP fraud now represents over 70% of card fraud across the whole of Europe.
My message at the G7 was this fight is not lost. Information sharing and collaboration between the private and public sector is mission critical. The payment industry has three technologies that when implemented properly, will devalue the data making it useless in the hands of criminals, organized crime and state funded actors – EMV at the point of sale, point-to-point encryption and tokenization. The best approach to stopping payment card crime is to render the data useless for the criminal community. If the bad guys can’t monetize the data, they will move on to other low hanging fruit. EMV chip technology will deliver on its promise to defeat counterfeit cards and lost and stolen, but let’s be clear, it is an important layer of our defensive posture, and security is all about a layered approach. PCI has long advocated for a combination of EMV Chip technology, point-to-point encryption and tokenization – it’s our view of the desired end game.
Best practices for securing data starts with companies developing a culture of security, from the board room to the sales counter. Companies that fail to make data protection an everyday priority run the risk of being breached. Data security has to be an all-day, everyday priority. Vigilance combined with data security best practices is a must in today’s global, online and mobile economy. There is no single technology or security short cut to make us safe.
The G7 meeting was encouraging and inspiring on many fronts. In particular, the law enforcement organizations who were present were very impressive. The United States Secret Service, Europol, and Interpol were very supportive and engaged as they are in their everyday battle against cyber criminals. We in the United States should take great pride in the fact that the U.S. Secret Service is held in very high regard by our friends and allies. Their presentation at the G7 was superb. There seemed to be universal consensus on the importance and value of private and public sector cooperation and information sharing. Our best defense against those who would hurt our economy and steal from consumers is to work together across countries and payment platforms.
Stephen W. Orfei General Manager PCI Security Standards Council.
The views expressed by authors are their own and not the views of The Hill.