Merchants need to educate themselves about where fraud and cyberthreat actors may strike next and stay current with security measures designed to protect cardholder data.
Cybercrime and payment fraud have become big business. The most productive actors look for targets that will yield payment account information, data they can monetize on the dark web, companies they can hold for ransom, or control that allows them to gain free merchandise or divert funds directly. So, it’s no surprise that payment security continues to be a top priority for retailers and other merchants.
However, payment security is a game of cat and mouse. When consumer behaviors change and technology advances, cybercrime shifts to take advantage of it. And when the industry finds a way to secure one area of payments, criminals move on to less secure targets. One example is the activity following EMV technology implementation. Before a country or region supported EMV, "card-present" fraud was rampant. Actors could use stolen or counterfeit magstripe cards virtually undetected at the point of sale. However, with EMV, counterfeit "card-present" fraud decreased by 87 percent from September 2015 (when EMV was available in the U.S.) to March 2019. But unfortunately, from Q2 2015 to Q1 2016 alone, online "card-not-present" fraud rose 137 percent.
Where’s the Target Now?
Threat and fraud actors continue to target in-store payment devices, for example by using skimmers or overlays to steal payment data from merchants that haven’t migrated from magstripe to more secure ways of accepting payments. A positive trend in response is that merchants are taking more responsibility for securing their environments and are educating their staff on how to look for skimmers or other devices that may have been placed on or near payment terminals. They’re also paying more attention to the background of new hires, scrutinizing them to ensure they can be trusted not to be involved in fraud or data breach schemes.
But merchants need to look past the payment terminal to ensure payment security. For example, with more payments taking place via mobile devices, there’s an emphasis on application security. The payment security provided by the hardware platform hasn’t gone away, but with emerging technologies such as tap-to-phone, merchants don’t have the advantage of a hardened security platform to protect transactions. The expectation is that software developers are doing more to ensure their applications properly secure cardholder data.
Furthermore, the biggest target for fraudsters, $5.7 trillion globally, is e-commerce, and the cost of e-commerce fraud is expected to total $206.8 billion in 2023. Establishing best practices and securing digital channels is vital, particularly for businesses that are just expanding to do business online.
Artificial intelligence (AI) fraud is also on the payments industry’s radar. With the widespread availability of generative AI platforms now, merchants and organizations throughout the payments chain are posturing to defend against attacks that actors using AI could initiate in the coming years. In response, the Accredited Standards Committee X9 (ASC X9) for Financial Industry Standards is starting up a study group to investigate current AI offerings and the risk they may pose to the financial industry (for more information or to participate, go to https://x9.org/aistudygroup/).
What’s New in Payment Security?
Payment technology companies continue to work to keep terminals secure and protect cardholder data. One advancement is in the area of cryptography. Encrypting payment data protects it by replacing human-readable information with ciphertext that can only be deciphered by someone who holds the appropriate cryptographic key. Triple DES (Data Encryption Standard) has been the go-to encryption algorithm used by the financial industry for some time. However, computers are becoming increasingly capable of breaking it. As a result, the industry is exploring a move to AES (Advanced Encryption Standard) and, at some point in the future, implementing post-quantum cryptography, which is being developed to defend against attacks from quantum computers.
Payment industry leaders are mapping how the transition to new encryption standards would take place. Certainly you can update software so that it has access to the latest cryptographic methods, but the biggest challenge to overcome is that there is no secure method for replacing existing cryptographic keys with stronger ones in the field; to do this, merchants would have to send terminals back to their payment technology providers for re-keying.
Another significant change on the horizon is the implementation of key blocks. Key blocks are a cryptographic wrapping technique that binds a key's permitted use to the enciphered key value, ensuring that threat actors can’t misuse cryptographic keys by repurposing them. As of January 1, 2025, the Payment Card Industry Security Standards Council (PCI SSC) will require the use of key blocks whenever a payment technology provider injects new keys into terminals, whether locally or remotely.
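An added illustration (not Ingenico's or PCI SSC's code, and not the ASC X9 TR-31 / X9.143 key block format itself) of what binding a key's use to the enciphered key value means: a header stating the key's usage, algorithm and mode of use is covered by the same MAC as the encrypted key, so a terminal rejects a block whose header has been altered or a key presented for a purpose other than the one declared. It substitutes HMAC-SHA256 from Python's standard library for the AES key wrapping and CMAC a real key block uses; the protection key (KBPK), working key and header codes are constructed values.

```python
import hashlib, hmac, os

HEADER_LEN, IV_LEN, TAG_LEN = 4, 16, 32

def _derive(kbpk: bytes, label: bytes) -> bytes:
    # Separate encryption and MAC keys derived from the key block protection key.
    return hmac.new(kbpk, label, hashlib.sha256).digest()

def _keystream(kbek: bytes, iv: bytes, n: int) -> bytes:
    # Counter-mode keystream built from HMAC, standing in for AES here.
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(kbek, iv + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]

def wrap_key(kbpk: bytes, usage: str, algorithm: str, mode: str, key: bytes) -> bytes:
    header = (usage + algorithm + mode).encode()   # e.g. b"P0AE": PIN key, AES, encrypt only (constructed codes)
    assert len(header) == HEADER_LEN
    kbek, kbmk = _derive(kbpk, b"enc"), _derive(kbpk, b"mac")
    iv = os.urandom(IV_LEN)
    enc = bytes(a ^ b for a, b in zip(key, _keystream(kbek, iv, len(key))))
    # One MAC over header, IV and ciphertext together: this is the binding.
    tag = hmac.new(kbmk, header + iv + enc, hashlib.sha256).digest()
    return header + iv + enc + tag

def unwrap_key(kbpk: bytes, block: bytes, expected_usage: str) -> bytes:
    header, iv = block[:HEADER_LEN], block[HEADER_LEN:HEADER_LEN + IV_LEN]
    enc, tag = block[HEADER_LEN + IV_LEN:-TAG_LEN], block[-TAG_LEN:]
    kbek, kbmk = _derive(kbpk, b"enc"), _derive(kbpk, b"mac")
    expected = hmac.new(kbmk, header + iv + enc, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("key block integrity check failed: header or key altered")
    if header[:2].decode() != expected_usage:
        raise ValueError(f"key usage {header[:2].decode()!r} is not {expected_usage!r}")
    return bytes(a ^ b for a, b in zip(enc, _keystream(kbek, iv, len(enc))))

def demo() -> dict:
    kbpk = hashlib.sha256(b"constructed KBPK for this example").digest()
    pin_key = bytes(range(16))                          # constructed 128-bit working key
    block = wrap_key(kbpk, "P0", "A", "E", pin_key)
    results = {"roundtrip": unwrap_key(kbpk, block, "P0") == pin_key}
    for name, blk, usage in (("wrong_usage_rejected", block, "D0"),           # valid block, wrong purpose
                             ("tamper_detected", b"D0" + block[2:], "D0")):   # header rewritten, MAC fails
        try:
            unwrap_key(kbpk, blk, usage)
            results[name] = False
        except ValueError:
            results[name] = True
    return results
```

Without the MAC over the header, an attacker holding a wrapped PIN key could relabel it as a data key and ask the terminal to decrypt arbitrary ciphertext with it; the binding is what closes that path.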
Another change in payment technology security is the transition to the most recent version of the PCI PIN Transaction Security (PTS) standard for validation. PCI phases in new versions of its PTS standards that address evolving attack techniques and newer security practices that have become industry norms. This phased adoption gives merchants time to transition. PCI is currently phasing out PCI PTS version 4. For that reason, Ingenico won’t sell devices that are PCI PTS v4-validated as of April 2024. Instead, we’ll focus on PTS v5 and v6 devices that support new cryptographic algorithms.
The continually evolving payment security space must be a focus for merchants and payment technology and solutions providers that equip them with devices and systems to accept payments. If you want to learn more about how Ingenico is meeting this challenge, contact us.