Adopting EMV: The Word from Ponemon

Posted by Mark Greisiger

A Q&A with Michael Bruemmer of Experian Data Breach Resolution
The deadline for merchants transitioning to the EMV payment system looms: Organizations are expected to adopt the technology by October. I spoke to Michael Bruemmer of Experian Data Breach Resolution about a recently released Ponemon Institute study documenting industry attitudes toward this shift.

What is EMV and why is it a better option for card security?
EMV is commonly known by the term “chip and PIN.” The technology has been around for many years in Europe and incorporates, as the name says, a microchip inserted into a card reader at the point of purchase. At the same time, the user has to put in a four-digit PIN that only they know to validate any transaction. This technology came into being because there was fraud committed on mag stripe cards. When it was first implemented, the number of fraud cases did go down. However, EMV is not a bulletproof solution. It reduced fraud in onsite transactions but online fraud has grown, so we’ve seen that the threat has migrated. It’s expected that when EMV is implemented in the United States, the same thing will happen.

Based on your recent study, “Data Security in the Payments Ecosystem,” what is the general feeling about payment security right now?
We surveyed about 800 executives across constituencies from payment issuers and processors to providers of payment systems and users. We found that 59 percent of respondents said EMV is an important part of payment strategy but only about half believe that chip and PIN will decrease the risk of data breaches. It’s not specific to chip and PIN—respondents also feel similarly about mobile payment like Apple Pay. We also learned that only 60 percent of merchants required to transition to chip and PIN will make it by the October deadline.

What were some other key findings?
Fifty-three percent of respondents said they prioritized customer convenience over security. Forty-three percent were concerned about the loss of reputation due to a breach event. There’s the pressure to migrate but there’s also the frustration of having to do it so quickly and the concerns about security during that process of transition.

What are the deadlines for merchants to be aware of?
Only one date is important, and that’s October 1, 2015. There may be a grace period as that date approaches but for right now all merchants need to be EMV-compliant by October 1 of this year.

What are the ramifications and liabilities for not migrating? Who’s at risk?
One concern is that issuers and merchants using non-EMV-compliant devices and accepting transactions made with EMV-compliant cards assume liability for any fraudulent transactions. The most important question is whether there’s going to be any regulatory enforcement action for those that don’t adopt the new technology. We don’t really know yet. In terms of risk, if you look at it from a breach perspective, those early adopters may be at risk because the date of transition has been announced and for years hackers have been watching and devising ways to work around chip and PIN. Organizations in transition may also be at risk. If you’re a large retailer and you’ve converted some but not all of your systems across, say, a thousand stores, there may be ways for hackers to get in. We saw this with HITECH—as organizations rolled out electronic medical records there were gaps in security. Finally, the last group at risk is those who have not moved over to the more secure technology. So there’s risk all across the ecosystem.

What role does mobile payment play in all of this?
As I’ve said, there’s skepticism about its security. We’ve already seen a couple of mobile payment system issues, such as the recent case at Starbucks. The bottom line is that no system is bulletproof. The system is only as good as the people who adopt it and how they balance security versus convenience.

Any other findings of interest to our readers?
One of the other important points of the study is that 85 percent of respondents said it’s important to collaborate around securing this emerging payment ecosystem, but 50 percent said there was minimal to no industry collaboration. Based on that feedback, I’d say that there needs to be more collaboration as we approach the October deadline if we want these payment systems to be secure.

In Summary…
We want to thank Mr. Bruemmer for his insights into looming EMV issues. It will be interesting to see whether plaintiffs’ lawyers raise failure to migrate as a gross negligence claim in future class action lawsuits over data breach incidents that occur after the October deadline.