EMV and Payment Security: What’s Next

Posted by Mark Greisiger

A Q&A with Dan Fritsche of Coalfire
The introduction of EMV chip cards and newer PCI Security standards go a long way toward reducing data breach incidents and payment card-related fraud. Yet many retailers still have not adopted the technology and EMV in and of itself is not a wholesale solution for data loss. I spoke with Dan Fritsche, Vice President of Solution Architecture at Coalfire, about ongoing payment card concerns for retailers and what they can do to make their systems more secure.

Now that EMV chip cards have been introduced into the American market, what impact have they had on cyber risk?
I always say there is no silver bullet to mitigate payment risks. There are three technologies that should be used in conjunction: EMV, tokenization and point-to-point encryption (P2PE). Most merchants have not conducted a good risk analysis to be able to determine the actual risk from fraud due to EMV-related liability, and therefore are not using an appropriately layered security approach.

Is one of these three technologies more critical than the others?
If I had to choose, I would pick encryption first and EMV second, but preferably they are implemented together. EMV on its own is not going to mitigate the risk of payment data being captured by hackers and used for card-not-present (CNP) fraud. Tokenization comes with most encryption solutions and only addresses the security concern of the storage of payment data, and the need to have recurring transactions.

Most merchants are in the process of migrating over to EMV but as consumers we don’t always know what they are doing to protect against the security of the payment data.

How complete is the migration to EMV at this point?
Most consumers have chip cards and you can use them in places like Walmart and Target and a few smaller chains, but you can’t use them today in most stores. Most merchants are in the process of migrating over to EMV but as consumers we don’t always know what they are doing to protect against the security of the payment data. For retailers, if they don’t have a lot of fraud to begin with there’s not much incentive to change over and invest in the new equipment. Frankly, as a consumer I would be more likely to use Apple Pay, which uses EMVco’s tokenization standard at this point. From a security perspective there’s no card number stored on the phone, nor can it be exposed during the transaction.

How have the newer PCI standards for P2P encryption impacted retailers?
The new standards are more approachable for merchants, in many cases more realistic and practical and certainly more flexible with the new component listing options. The standards provide the highest risk reduction as well as a reduction of PCI DSS controls the retailer has to continue to manage. We’re seeing lots of retailers and service providers getting on the P2PE bandwagon, so to speak.

How has the retail climate changed given the changing standards and the bigger breach cases we’ve seen in recent years?
More folks are interested in doing what’s right for their company and their customers. They come to us and say “I don’t want to be in the papers.” We tell them if that’s the case, then you need to allocate time and resources to security, not just to compliance. Compliance is going to be a natural outcome of a proper security approach and investment.

What are the first steps for a company looking to improve their payment security profile?
Companies need to understand their environment and what is at risk, what is most valuable. It’s a mistake to only focus on cardholder data. You have IP you need to protect, you have PII from your customer base. These are things that need to be protected and PII is more valuable to criminals than cardholder data these days.

What else should risk managers be aware of?
A year before the Target breach we had a customer, a regional retail chain that didn’t follow core guidance for the set up and maintenance of their payment system. Most security breaches’ root cause stems from a result of human error in system implementation or maintenance of that implementation. There were multiple failures beyond the initial setup, but that is what let the malware inside their system. Even if someone planted the malware that targets Point of Sale systems point-to-point encryption could prevent the breach. I encourage people to take an approach similar to the military, and assume the environment is already compromised–which means the need is to then protect the data. Overall, people are taking more and more action, but we need to see it on a universal scale and it’s not quite the norm yet.

In Summary…
We want to thank Dan Fritsche for his insights into EMV and other retailer network-focused risk issues. In discussing retailer POS challenges with both insurance partners and their insured clients, I feel confident that this sector is making continuous improvements, especially with the EMV mandate in place. To echo Dan, there will be no silver bullet and we should expect to see some merchant clients having data/network security lapses due to IT budget restrictions, and a resulting lack of EMV and P2P encryption capabilities. These same clients will likely not have segmented networks or the capability to detect (IDS) a breach in a timely manner. As the saying goes, you eat an elephant one bite at a time.


NetDiligence® is a cyber risk assessment and data breach services company. Since 2001, NetDiligence has conducted thousands of enterprise-level cyber risk assessments for organizations. NetDiligence services are used by leading cyber liability insurers in the U.S. and U.K. to support loss-control and education objectives. NetDiligence hosts a semiannual Cyber Liability Conference attended by risk managers, privacy attorneys and cyber liability insurance leaders from around the world. NetDiligence is also an acknowledged leader in data and privacy breach prevention and recovery. Its eRiskHub® portal (www.eriskhub.com) is licensed by cyber liability insurers to provide education and breach recovery services to their policyholders.