What Comes After EMV?

Dan Brames
FIS | Head of Retail and Corporate Payments
Posted on May 30, 2017

What is your business doing to keep your customers safe?

Just like a Sherpa layering up to protect from the Himalayan cold, merchants need layers of protection to fight fraud. EMV technology represents a base layer, but counting on EMV compliance alone is akin to riding out a snowstorm in a sweater. It protects merchants from chargebacks, but the adoption of signature to verify the user instead of a personal identification number (PIN) provided a wider opening for fraud.

Hackers move on to small and medium-sized merchants

By 2016, hackers had wormed their way into the systems of many of the largest merchants. Stealing cards numbers was bad, but cards can be replaced. The real damage came from stolen consumer identities, including answers to common security questions – e.g., what’s your mother’s maiden name – that could make other accounts vulnerable, as well.

Now, fraudsters have turned their attention toward small and mid-sized merchants which could pose an even greater threat because those merchants are more vulnerable than the big ones. It’s a two-part problem: many smaller merchants lack the resources to keep pace with fraudsters, and those who haven’t experienced an attack often feel that their money would be better spent elsewhere.

Third party vendors – the next layer of protection

Third party vendors represent the next layer of fraud protection for many merchants. They add security capabilities that retailers couldn’t otherwise keep up with, but they also represent a point of vulnerability. And any merchant using a gateway, independent software vendor or value-added reseller is most vulnerable. Retailers may not even be aware that they are using a gateway. But if a retailer employs a software provider for its point-of-sale (POS) system, transactions may be going through a gateway before they reach the processor. Also, third parties are not always installing software correctly, changing default passwords or ensuring that they haven’t left any ports open.

Merchants need to know where their transactions are flowing and at what points in the flow their systems are vulnerable. Processors can often help identify points of risk.

Identification of third-party vendors as a potential source of vulnerability has resulted in new mandates from VISA and the PCI Security Standards Council. Small- and mid-sized merchants (levels 3 and 4 designations by PCI) must now use a QIR (Qualified Integrator & Reseller, authorized by the PCI Security Standards Council) to install their POS software to ensure no open ports or vulnerabilities are left after installation.

Other layers to limit losses

Data breach insurance can help limit losses. But, insurance kicks in after an event. It can’t prevent a breach or fix the loss of reputation. A layered approach to security, however, greatly reduces the probability of experiencing a breach. Additional layers to consider beyond being EMV compliant include point-to-point encryption and tokenization.

Point-to-point encryption prevents personal account numbers (PANs) from entering the POS system. Information is encrypted at the moment when a card is read – the point where fraudsters stole Target’s non-encrypted data. Although additional hardware is required, point-to-point encryption is the strongest defense merchants have to protect their customers’ information.

Tokenization replaces the PAN with a tokenized PAN. Tokenization often is used for card-not-present transactions and transactions for which consumers want to store their card information for future use (for example, Amazon, Apple Pay, PayPal).

Remain vigilant

It’s crucial to the success of your business to remain vigilant to security threats:

  • Discuss security in management meetings
  • Discuss security with your front-line staff members who are “ringing the register”
  • Discuss the layered approach to security with your processor and make sure your processor informs you when additional layers of security are created


Leave a Reply

Dan Brames
FIS | Head of Retail and Corporate Payments

Dan brings over 20 years of financial and payments industry experience to FIS through senior marketing and management roles. Most recently, he was a management team member at Valutec which was acquired by Metavante in 2007 and FIS in 2009.