In October, credit card companies are rolling out a liability shift that moves the onus for fraudulent transactions away from the big three — EuroPay, MasterCard and Visa (EMV) — and places it squarely on the shoulders of financial institutions and merchants that don’t meet new EMV chip-and-PIN standards.

Best Practices for Card Security

Companies need to develop secure and compliant point-of-sale (POS) infrastructure for credit cards. Here are five best practices to simplify the process.

1. Shelve the Signature

As noted by IT Director, the adoption of EMV-standard cards in Europe has prompted significant fraud reduction. In the U.K., for example, credit card fraud dropped by 30 percent after chip-and-PIN cards were introduced. Today, more than 96 percent of all transactions in Europe are conducted using chip-and-PIN technology. In the U.S., meanwhile, this number is less than 1 percent since magnetic stripe cards are the dominant market force. But there’s a problem with this way of doing things: Credit card fraud is a simple matter when signatures are the only barrier between criminals and consumer goods because no other identification or verification is required by the merchant.

As of October, any company that isn’t set up to support EMV and is still using outdated technology automatically assumes liability for fraud. According to MediaPost, however, 42 percent of companies haven’t made any efforts to comply with the new standards. Best practice here? Get ready for chip-and-pin cards. While spending on new readers that allow consumers to dip their card and enter a PIN isn’t appealing, the alternative is worse: Weakest-link payment systems will be on the hook for thousands (or even millions) in fraudulent transactions.

2. Consider Contactless

Another best practice to handle the incoming payment standard shift? Opting for contactless POS systems that leverage near-field communication (NFC) and allow consumers to use their chip-and-PIN credit cards without the need for physical swiping or reading. That reduces criminals’ ability to skim data.

According to TechWeekEurope UK, over 1 billion contactless transactions have been completed in the past year. NFC World noted that MasterCard has now issued a new deadline for contactless technologies: By January 2020, all companies accepting MasterCard or Maestro must support payments from both contactless cards and NFC devices such as smartphones. Here, the idea is to get ahead of the game by rolling out contactless POS systems early — consumers get the benefit of increased convenience, while issuers and merchants are out in front of American EMV requirements.

3. Talk Tokenization

What happens when a consumer dips a card into a POS terminal and enters the PIN? The primary account number (PAN) on the card is transmitted to the relevant credit card network for approval and then sent back with confirmation. The problem? Intercepting this PAN data makes it easy for malicious actors to commit credit card fraud. One solution is tokenization, which replaces approved PAN data with a token made up of upper- and lowercase letters, numbers and special characters, depending on the algorithm used. This token is then stored on merchant POS systems in place of a PAN, making it extremely difficult for attackers to recreate account data even if they’re able to gain access and steal tokens.

There are several iterations of this POS protection, including single-use systems that generate a new token with every transaction, even if the same card is used. Others always return the same token, making it easier for companies to collect use data and create fraud metrics.

4. Prioritize P2PE

While chip-and-PIN credit cards are by nature more secure than swipe-and-sign alternatives, there’s the still the problem of transmission. If data is intercepted en route to a credit processor or when it’s heading back to a seller, consumers and merchants alike could be caught unawares when fraudulent transactions start piling up.

As noted by PCI Security Standards Council guidelines, however, one effective solution is to implement point-to-point encryption (P2PE), which encrypts card data at the point of interaction (POI) and does not decrypt this data until it reaches a secure decryption environment. Worth noting here is that a third-party solution is required to handle P2PE devices, applications and processes. As a result, companies must thoroughly vet any potential P2PE provider to ensure they’re not the weakest link in the liability chain.

5. Learn the Limits

Chip-and-pin cards aren’t without limits, however, and companies must be aware of the threat posed by card-not-present (CNP) fraud. This encompasses virtually all online transactions that don’t require users to produce a physical card but instead ask for a card number, expiration date and CID security code. In this scenario, both security features of new EMV cards — the electronic chip and user PIN — aren’t part of the transaction, making it possible for fraudsters to circumvent extra security measures.

In fact, Slate suggested that the new regulations may simply move credit card fraud from physical terminals to e-commerce stores, at least until EMV rolls out another security upgrade and coordinating mandate. For companies dealing with the EMV transition, CNP fraud lies outside the purview of new standards, but companies with higher-than-average rates of online fraud should expect greater scrutiny from PCI compliance experts.

The Bottom Line on Chip-and-PIN Solutions

October looms, and this year more than a few companies may get tricks instead of treats if they don’t meet new EMV standards. Avoiding the problem of shifted liability means implementing new best practices: Ditch the signature, deploy contactless POS, roll out tokens and P2PE and understand the limits of CNP fraud.

More from Fraud Protection

Remote access detection in 2023: Unmasking invisible fraud

3 min read - In the ever-evolving fraud landscape, fraudsters have shifted their tactics from using third-party devices to on-device fraud. Now, users face the rising threat of fraud involving remote access tools (RATs), while banks and fraud detection vendors struggle with new challenges in detecting this invisible threat. Let’s examine the modus operandi of fraudsters, prevalence rates across different regions, classic detection methods and Trusteer’s innovative approach to RAT detection through behavioral analysis. A rising threat As Fraud detection methods become more and…

Gozi strikes again, targeting banks, cryptocurrency and more

3 min read - In the world of cybercrime, malware plays a prominent role. One such malware, Gozi, emerged in 2006 as Gozi CRM, also known as CRM or Papras. Initially offered as a crime-as-a-service (CaaS) platform called 76Service, Gozi quickly gained notoriety for its advanced capabilities. Over time, Gozi underwent a significant transformation and became associated with other malware strains, such as Ursnif (Snifula) and Vawtrak/Neverquest. Now, in a recent campaign, Gozi has set its sights on banks, financial services and cryptocurrency platforms,…

The rise of malicious Chrome extensions targeting Latin America

9 min read - This post was made possible through the research contributions provided by Amir Gendler and Michael  Gal. In its latest research, IBM Security Lab has observed a noticeable increase in campaigns related to malicious Chrome extensions, targeting  Latin America with a focus on financial institutions, booking sites, and instant messaging. This trend is particularly concerning considering Chrome is one of the most widely used web browsers globally, with a market share of over 80% using the Chromium engine. As such, malicious…

What to do about the rise of financial fraud

6 min read - As our lives become increasingly digital, threat actors gain even more avenues of attack. With the average person spending about 400 minutes online, many scammers enjoy a heyday. Old impersonation scams continue to deceive people every day, as con artists and hackers are armed with advanced technologies and sophisticated social engineering tactics. According to the Federal Trade Commission, financial fraud increased by over 30% from 2021 to 2022, with total losses surpassing $8.8 billion. This ever-evolving threat will continue to…