CoverStory
In 2016, mobile commerce made significant advances, as increasing numbers of shoppers took to their smartphones and tablets to comparison shop and, in some cases, to actually make purchases. BI Intelligence expects U.S. mobile commerce to total $79 billion this year, or about 20.6 percent of all ecommerce. By 2020, mobile will account for 45 percent of all U.S. ecommerce, totaling $284 billion in sales, the firm predicted.

The Federal Reserve reported in March that 24 percent of adult Americans used mobile devices to make payments in 2015. Bill payments were most popular, with 65 percent using their mobiles to pay bills. Digital content and brick-and-mortar purchases came in second and third, with 42 percent and 33 percent, respectively.

Meanwhile, a recent report from eMarketing Inc. revealed that just 19.4 percent of smartphone owners in the United States had used their devices in the previous six months to make payments. "Despite double-digit growth this year and next, Americans' use of mobile wallets like Apple Pay, Android Pay and Samsung Pay, as well as branded apps that include mobile wallets like the Starbucks app, Walmart Pay and CVS Pay, will not reach mass adoption in the foreseeable future," eMarketing wrote.

One reason for slow adoption is a shortage of POS devices programmed to support near field communication (NFC). Support for NFC, the underlying technology for tap-and-go payments, has been built into the latest generation of POS devices: EMV-compliant terminals.

Meanwhile, CurrentC, a mobile payment initiative launched by a group of large retailers (known as MCX for Merchant Customer Exchange) that leveraged quick response codes instead of NFC was scuttled in June.

Progress with EMV, PCI

Security always has been an important consideration for card payments. So when the card brands turned their collective attention to implementing EMV (Europay, Mastercard and Visa), an industrial strength security protocol, it seemed as though the Payment Card Industry (PCI) Data Security Standard (DSS) might assume diminished importance. It has become abundantly clear, however, that is not the case.

For starters, EMV implementation is far from universal at merchant checkouts. The Strawhecker Group reported 44 percent of U.S. card-accepting merchants have EMV-compliant terminals, but only 29 percent were being used to run EMV transactions as of September. However, EMV is intended to protect against counterfeit card fraud, and according to a July report from Auriemma Consulting Group, counterfeit card fraud was down 18 percent in the first quarter of 2016, the lowest level since 2013.

Under a plan put forth by the card brands, most merchants were supposed to be up and running with EMV terminals by October 2015 or risk liability for fraud perpetrated with counterfeit cards. Petroleum dealers were given until October 2017 to implement EMV security on automated outdoor pumps. On December 1, though, Visa and Mastercard extended the compliance deadline for automated fuel dispensers (AFDs) to October 2020, noting the upgrade for AFDs is more complicated than had originally been expected.

Whereas EMV is about protecting against fraudulent transactions, the PCI DSS addresses basic security requirements for storing, processing and transmitting cardholder data. As recent reports suggest, purloined card data remains a hot commodity with fraudsters. The website Krebs on Security reported in August that hundreds of computers at software giant Oracle Corp. had been breached, including computer systems used by businesses with Oracle's Micros POS systems. Additionally, several individual retailers also reported card breaches this year, including Eddie Bauer, Wendy's and Cicis.

But data breaches are not just a large retailer problem. Vantiv LLC stated its research suggests 80 percent of card breaches involve small retailers. The result: 60 percent of those shops shutter their doors within six months of being breached, according to Vantiv.

In April, the PCI Security Standards Council released PCI DSS 3.2. A key change: mandating multifactor authentication for any organization with access to credit and debit card data, a requirement that previously applied only to those remotely accessing data. In July, the council provided a new set of compliance resources designed specifically for small businesses. The new Guide to Safe Payments, available on the PCI SSC website, aims to make the requirements (which are laden with legalese and technical jargon) easier to comprehend. Acquirers and their partners were encouraged to download, brand and distribute the guide to their small business customers.

"PCI compliance is important to everyone in the payment processing industry," said Cleveland Brown, co-founder and CEO of Payscout Inc., echoing the sentiments of acquirers and ISOs alike. Not everyone in the merchant community accepts this premise, however. The National Retail Federation in June asked the Federal Trade Commission to investigate the PCI SSC. It argued that because it is controlled by Visa, Mastercard, American Express Co., Discover Financial Services and JCB International Co. Ltd., the council doesn't qualify as a legitimate standards-setting