News Feature | September 7, 2015

How To Help Your Merchant IT Clients Combat Card, Online Fraud Through EMV Transition

Christine Kern

By Christine Kern, contributing writer

How To Help Your Merchant IT Clients Combat Card, Online Fraud Through EMV Transition

The transition to EMV chip-and-PIN cards will not, alone, prevent payment card fraud. Chris Melson, president of Netsurion explained the importance of encryption during his presentation “Deploying EMV? Discover The Impact To Security And PCI,” at Retail Solutions Providers Association (RSPA) RetailNOW 2015, held Aug. 2 to 5 at Gaylord Palms Resort and Convention Center, Orlando, FL.

Melson said, “Everybody has the perception that there’s no credit card data on a mobile wallet, therefore I’m safe.” He continued, however, “As it turns out, when looking at fraud online the mobile wallet has a fraud rate 60 times higher than credit card fraud.” This is because if hackers get the right information, they can set up a fraudulent account with stolen credentials.

He also explained that EMV transactions, if not encrypted, can provide information to hackers who can use the data to make online purchases. Melson said hackers who deal in EMV cards can post data on a black website, where thieves can purchase credit card information, typically worth 50 to 100 dollars. The thief can then use that information to set up an Apple account and pay with Apple Pay using the stolen card. Melson said, “It’s in the cloud, but it’s charging in the cloud until somebody realizes that it’s a fraudulent account.”

Melson stresses the key to combatting this crime is point-to-point encryption, and it’s important not to allow the data to be visible to hackers at any point. He explained the difference between hardware- and software-based encryption: “In a point-to-point encryption environment — hardware point-to-point encryption — basically you have an encryption key that is created by a certified third party and from the point that your credit card is swiped. All information is encrypted, all the way to the end of the transaction. If you’re using a software-based encryption, that doesn’t happen.” Software-based encryption maintains a vulnerable period between the swipe and distribution to the point of sale software.

Through the EMV migration and beyond, magnetic stripe cards will continue to be used, and Melson commented that it will be important to maintain security and Payment Card Industry (PCI) compliance. “There is nothing short of security in your network that’s going to prevent credit card theft,” he said.