Lessons Learned from the Recent Credit Breaches

Payments Leader

Posted on March 6, 2014

The recent breaches of payment card data raise some critical questions. However, given the severity and financial impact of these breaches, as well as the vulnerabilities they’ve exposed, there really is only one salient question: What are we going to do about it? Make no mistake; these events affect everyone in the payments ecosystem, including the cardholder. A financial institution or merchant may think they have the best security measures in place, but to trust it to withstand today’s sophisticated cyber-attacks is a mistake.

If you doubt that, just ask Target, Neiman Marcus, or Michaels Stores who have all been impacted. In fact, it has been stated that Target passed a Payment Card Industry (PCI) data-security standard inspection just three months before 110+ million customer payment card numbers were compromised. Clearly, the hackers and organized financial crime is spending the time and inordinate amounts of money to develop and uncover vulnerabilities in your security. If they aren’t resting on their laurels, how can you rest on yours?

At FIS, we continue to be proactive with our clients – protecting your data and securing our systems. What does that mean? First, it means that we are “Secure by Design,” therefore; we are not in panic mode. This is the time to remain steadfast and lean on your partners. Protecting the financial welfare of our consumers is serious business. That is priority number one. This is not the time to be reactionary. Dramatic moves some consumers are being advised, like migrating from cards back to using cash, just don’t make sense.

Second, it means we need to be solution-oriented. At this particular time in our industry, we must focus on working together to find solutions that will help every member of the payments ecosystem. One effective payments fraud tool working across the globe is EMV chip card technology. To date, the United States has been slow and reluctant in implementing this solution for several complex reasons. To many, the cost of migrating to chip-enabled cards, card readers and access devices, new software development and the rest of the complicated technology required to enable this solution is just part of the challenge.

However, as the companies mentioned above have learned many new and hard lessons, there are greater costs in terms of the loss of consumer confidence and the hit to a company’s reputation. In the aftermath of the data breach, Target is ramping up its own efforts. Quoted in a blog entry posted on The Hill, Target executive vice president and chief financial officer, John Mulligan, was quoted as saying, “Since the breach, we are accelerating our own $100 million investment to put chip-enabled technology in place…Our goal: implement this technology in our stores and on our proprietary REDcards by early 2015, more than six months ahead of our previous plan.”

EMV has some powerful backers, including both VISA and MasterCard, whose respective CEOs have been vocal in their support of the initiative. VISA CEO, Charlie Scharf, in an article entitled, Visa CEO Scharf Pushes EMV Chips, Tokenization to Combat Fraud, was quoted as saying, “People don’t live in a vacuum. When you see the kinds of breaches that [the market] has seen, you want to make sure we’re all doing all that we can to minimize fraud in the future. There’s new cards, new terminals, new software development, we do understand it’s expensive but it’s necessary.”

In an article entitled, As Newcomers Invade Payments, MasterCard Seeks Opportunities, his MasterCard counterpart, Ajay Banga, offered these words: “This is not about finger-pointing, because we need to get past all of that nonsense and get EMV in place and get everyone on that bandwagon…We are seeing a lot of progress in EMV and a lot of merchants and banks committed to it. EMV in the U.S. is a necessary and critical step because it makes the stolen data less valuable.” Barga also made the point that, since the breach at Target seemed to have been focused on the company’s server environment rather than its payment systems, saying “…EMV would have nothing to do with that.” He did add that EMV would mitigate the ability of hackers to make new cards from stolen account numbers.

What is clear is while EMV is certainly a major step in the right direction to help curtail card present fraud, it is not going to resolve security issues and erase identity theft and account exposures all by itself. Even the addition of tokenization, a process where card data is replaced by a secure token thus significantly decreasing the value of the information hackers steal, may not be enough. What is required is a collaborative effort involving all the parties involved in the payment process plus the best efforts of government, financial institutions, retailers and others to restructure an environment that provides consumers with the security they not only require but deserve.

Here at FIS, we are invested heavily in participating in such an effort. As a company, we are committed to doing our part to help our clients help their customers enjoy a level of security and peace of mind they deserve. As an example, FIS has already issued EMV enabled credit cards to clients as well as being fully underway in its analysis/preparation to support encryption and tokenization.

We are not content to wait for tomorrow to come. There is too much at risk for all of us. We are taking care of tomorrow today.

Leave a Reply

Payments Leader

Payments Leader from FIS provides insights on credit, loyalty, fraud and emerging payments strategies through blog posts from our industry experienced authors.