Global Payments Inc.’s massive data breach underscores the need for the U.S. to embrace the EMV standard without delay, at least one chip card proponent contends.
U.S. adoption of the chip card technology would not prevent such breaches, but it would make such capers a lot less worthwhile to thieves, Randy Vanderhoof, executive director of the Smart Card Alliance, tells PaymentsSource. The alliance is an advocate for chip card payments.
The payments processor on April 1 updated earlier reports, confirming that thieves may have stolen "Track 2" payment card data for up to 1.5 million consumers (
Such information, which includes customers' payment card account numbers, expiration dates and security codes, can enable thieves to create cloned magnetic stripe credit and signature-debit cards and conduct fraudulent transactions "relatively easily," Vanderhoof says.
Widespread EMV technology adoption largely would eliminate this risk because chip card technology "devalues the transaction data by introducing a dynamic data element," so if criminals intercept such sensitive account data they would be unable to create counterfeit cards with the information, he says.
With processors not having to store such mag-stripe card data if they fully adopt EMV technology, the lure of such readily cloned data would greatly diminish, Vanderhoof says.
"If there is no mag-stripe data stored inside the secured processor or merchant point-of-sale system, why would hackers make the effort to break into it?" he asks.
Indeed, processors still would need to handle sensitive personal-account data associated with EMV transactions, such names and account numbers, "but there would not be enough data stored for an EMV transaction to create a fully functioning cloned copy of a payment card," Vanderhoof says.
Many reports have focused on stolen credit card account data, but Vanderhoof says it is likely that signature-debit card data was equally at risk for exposure.
"Given the fact that credit card and signature-debit card data is structured the same and usually stored similarly, I would assume that hackers got to debit cards as well as credit cards," he says.
As Global Payments isolates the segments of cards that may have been exposed, banks likely will issue new payment cards to affected customers.
But if issuers fail to cancel some cards with exposed data, cardholders' accounts could be at risk for far longer than the next few payment cycles, he says.
"Unless the issuer cancels an account and reissues a card, that card data will be out there on the black market and may be used any time over the next couple of years,” he says. “Affected cardholders would need to be vigilant to watch for fraudulent transactions on an ongoing basis."
Visa Inc. and MasterCard Worldwide in recent months introduced incentives to encourage card issuers and merchants to adopt chip card technology that largely would block thieves' ability to clone new cards (
But few have moved yet on the initiatives, citing confusion and a lack of central coordination in tactics (
Vanderhoof says Global Payments' breach should be a wake-up call to industry participants that are on the fence about EMV.
"No, it wouldn't stop breaches from happening, but it would dramatically reduce the economic gain from (payment card data breaches) and eliminate the cost and inconvenience of re-issuing millions of cards whose mag-stripe data was stored inside at the time of the breach," he says.
What do you think about this? Send us your feedback.
