The Security of Payments
At the 2017 NetDiligence® Cyber Risk & Privacy Liability Forum, a panel discussed efforts to keep payments secure. The panel included:
- Bobbie Goldie – Senior Vice President North American Cyber, Chubb
- David Herron – Executive Vice President and Chief Legal Officer – Hyperwallet
- Mark Mao – Partner, Troutman Sanders
- David Ellis – Vice President, Security Metrics
- Andy Lea – Head of Commercial E&O and Media Liability, CNA Insurance
One of the biggest challenges for businesses is coming up with payment systems that are secure, user friendly, and also provide useful marketing data. The goal is to come up with a system that adequately considers all these issues.
There is a false sense of security when it comes to online payment systems. When a company is “certified” as a secure online payment portal that certification is valid that day. If they do not continue to update their systems over time their security could fail. The Equifax breach is a good example of this. They were hacked using a known software flaw that had a patch deployed. They had not updated their system with the patch at the time of the hack.
EMV (Europay MasterCard Visa)
In laypersons terms, this is the new chip in your credit cards. It was found that criminals could duplicate the magnetic strip information in the old credit cards so a better form of security was needed. This was initially developed in Europe for use in the European Union, thus the name. The EMV chip transmits information that is transaction specific so if a hacker intercepted that data it could not be used on future transactions. Thus, it is not possible for a hacker to create a fake credit card using the information from your account.
It has taken time for adoption of this system in the United States because of the costs associated with this change. Cards had to be reissued and new card readers deployed. Now almost all credit cards utilize this technology. In turn, most merchants have gone to the expense of updating their systems to use the chips. Merchants are being “encouraged” to switch to the chip technology because banks are limiting their liability to the merchants who do not have the chip technology in place. Small merchants are lagging behind in this area but eventually the old magnet readers will no longer work so they will have no choice but to change.
With the increased use of the EMV chip cards, credit card fraud in brick-and-mortar locations is decreasing. However, this does not impact fraud for e-commerce. “Card Not Present” transactions are now the leading source of credit card fraud.
E-com businesses have to look beyond the card number itself to fully secure transactions. Part of this is their ability to access information from your computer, device, etc which assists in identifying you. These devices are tied to your identity, so if you are using your credit card on your device the bank’s computer system can see that link. Things like end-to-end encryption and tokenization are also assisting in creating a secure online payment environment.