As consumers demand greater access to information, offers and payment functionality (anytime, anywhere), the lines between in-store commerce, eCommerce and mobile commerce are blurring. In this emerging Universal Commerce environment, it is therefore crucial to accurately identify potential new vulnerabilities and build effective defenses to stay ahead of data thieves. This short quiz will help us explore some of the myths and realities of security in the age of Universal Commerce.
Fact or Fiction: Fraudsters will actively look to siphon account information from phones and EMV cards.
Answer: Fact AND Fiction. For passive devices like contactless cards, it is technically possible for criminals to do this by picking a consumer’s pocket and attempting to circumvent the device’s security features. However, it is unlikely in practice, and compensating controls prevent it from being an efficient method of data theft. For active devices (e.g., smartphones, tablets) with secure elements, remote data removal and encryption, this is unlikely: reaching the information would require a device-level “hack” to penetrate the layers of security. There is the potential that, while an active device is passing information to a point-of-sale terminal, electronic “skimming” could be perpetrated by someone in close proximity (i.e., less than 12 inches). If this does occur, the same compensating controls as for the passive device are deployed in defense.
Fact or Fiction: If a device is PCI compliant, then it is secure.
Answer: Fiction. PCI is a useful standard, but a device being considered compliant does not mean all of its vulnerabilities have been removed. Furthermore, when an organization receives PCI approval, that approval doesn’t necessarily apply to new solutions it may introduce. In fact, many breaches today occur at PCI-compliant organizations.
Fact or Fiction: Losing your phone puts all of your data at risk for compromise.
Answer: Fiction. Consumers are understandably nervous about this, and it is viewed by many as the primary barrier to adoption of mobile payments. However, most solutions will (and should) store payment data in a mobile wallet, where it is encrypted and PIN-protected. In addition, Trusted Service Manager capabilities often provide remote-wipe functionality to further protect consumers.
Fact or Fiction: EMV encrypts data.
Answer: Fiction. This is a common misperception. EMV provides authentication when used with a PIN, and also provides additional transaction- and card-level validation. However, encryption and tokenization solutions are necessary in order to protect the data in transit and in storage.
Fact or Fiction: Fraud and security issues can make or break the relationship with the end consumer.
Answer: Fact. This is a tricky one, with a wide divergence of opinions. Consumers tend to view financial institutions, merchants, credit card companies and themselves as almost equally responsible for ensuring data security. There exists a nuanced tradeoff between the convenience consumers seek and the security they demand. However, if a breach does occur, a significant portion of those customers will end the relationship, leaving us to call this a Fact.
Fact or Fiction: It’s acceptable to start developing a system or solution without the security component, and then add it on later.
Answer: Fiction. Security must be a critical priority before, during and after you build. It is important to embrace multiple layers of security to protect your customers, while providing the services they demand. This approach requires a commitment to building security into every solution, from conception onwards, as well as an ongoing devotion to delivering innovation securely.
Conclusion
Perhaps no issue in the payments industry is more prominent than data security. And with the continued proliferation of smartphones, social networks and mobile commerce, potential new vulnerabilities highlight the necessity of employing multi-layered defenses to safeguard consumer data. Retailers have many risk management tools at their disposal, and they must deploy these solutions aggressively in order to secure transactions, devices and account information in the rapidly evolving Universal Commerce marketplace. Meeting the needs of the empowered consumer is a huge opportunity for all of us. Security plays an essential role, and being proactive will allow us to minimize the risks of new technologies, while seizing the opportunities that this new environment provides.