view counter

CybersecurityBusinesses looking to bolster cybersecurity

Published 24 April 2014

Since the recent data breaches at retailers Target and Neiman Marcus, in which hackers stole millions of customers’ credit and debit card information, consumers have been urging card providers to offer better secure payment processors. Legislators have introduced the Data Security Act of 2014 to establish uniform requirements for businesses to protect and secure consumers’ electronic data. The bill will replace the many different, and often conflicting, state laws that govern data security and notification standards in the event of a data breach.

Since the recent data breaches at retailers Target and Neiman Marcus, in which hackers stole millions of customers’ credit and debit card information, consumers have been urging card providers to offer better secure payment processors. Legislators have introduced the Data Security Act of 2014 to establish uniform requirements for businesses to protect and secure consumers’ electronic data. The bill will replace the many different, and often conflicting, state laws that govern data security and notification standards in the event of a data breach.

In response to the breaches, Visa and MasterCard formed a new cross-industry security task force focused on expediting the adoption of new payment technologies. “We were pushing that direction, but this Target event has given it the kind of urgency that it didn’t have before,” said Ellen Richey, executive vice president, chief legal officer, and chief enterprise risk officer for Visa Inc. The adoption of microchipped debit and credit cards for physical transactions, and a technique known as “tokenization” to secure online transactions, are expected to replace current payment cards. The technologies will limit the value of consumer data stored by retailers, thereby discouraging hackers from stealing card information.

McClatchy DC reports that several European banks are already using debit and credit cards embedded with microchips known as EMV (Europay, MasterCard, and Visa), and more than half of all credit cards in the United States are expected to shift to EMV by 2016. MasterCard, Discover, American Express, and Visa have committed to a policy urging banks and merchants to adopt EMV technology by October 2015 otherwise those banks and merchants will have to bear the losses from fraudulent transactions.

“It’s a fairly powerful incentive,” Richey said.

In the United States there has been reluctance to adopt chip cards because of the high costs associated with replacing traditional magnetic-stripe cards and payment terminals, estimated at $15 billion to $30 billion. “Because of that high cost, there were definitely folks out there who were skeptical of whether they should or shouldn’t implement it, and now because of the data breaches that seems to be moving a whole lot faster,” David Fortney, senior vice president for The Clearing House, which provides payment clearing and settlement services, told McClatchy DC.

The chip cards use radio signals to connect to a payment terminal, so a customer only has to tap or hold a card or mobile phone close to the terminal to make purchases. The microchip in each credit and debit card produces a new cryptographic message for each transaction, making the account number registered to the card relatively useless to thieves. For online transactions, temporary random numbers, tagged to a customer’s account called tokens issued by the registered bank, will be transmitted to the merchant, authorizing purchases. Most retailers welcome the new payment technologies, and many are urging card providers to enhance chip card security by requiring a pin for payments instead of signatures.

As Congress pressure banks and merchants to improve data security, legislators are cautious not to mandate specific technological solutions. “These technologies could change quickly, so if they were to get mandated it would be a bad thing,” Fortney said. “It would probably mean the industry didn’t roll this thing out on its own and then it would be a law. As technology evolved it wouldn’t be able to adapt to it.”

view counter
view counter