The recent rash of data breaches at major restaurants and retailers has spurred many banks to expedite the rollout of EMV cards and encouraged some enterprises to similarly speed up the implementation of EMV-based solutions. However, as one researcher from security firm ESET noted, simply implementing EMV solutions at the point of sale may not be enough to fully protect organizations from cybercrime and data theft.
Cameron Camp, a security researcher at ESET, noted in an article for PaymentsSource that while the two-factor authentication used in EMV solutions does indeed enhance security, it is still not a foolproof method of warding off digital criminals. POS-based malware could still allow thieves to swipe the information (and money) of prospective customers, which means these illegal activities will still be common for years to come.
In fact, because European-based cards typically sell for approximately 30 percent more than U.S. cards, according to Camp, stealing EMV cards may be even more lucrative for crooks.
“One of the points of failure lies in how the information is initially captured and authenticated,” Camp explained. “If either the hardware or associated software has been tampered with, information can be silently spirited off to bad actors to print fake cards for resale. This data is typically exfiltrated slowly enough to not trip network sensors or other defenses, so the business wouldn’t even necessarily know.”
The growing importance of tokenization
While EMV POS solutions may not be foolproof, they are a great first step toward bolstering security and protecting sensitive information. Some smaller organizations may be hesitant about the move toward EMV due to the costs associated with swapping out legacy solutions, but all enterprises should at least consider the upgrade and determine whether it is a good fit for their business.
At the same time, businesses should also look toward solutions that make use of encryption and tokenization. These safeguards offer more protection than EMV, so even if criminals make it past the two forms of authentication employed by EMV solutions, they still will not gain access to sensitive payment details.
Likewise, POS software developers and vendors should look to incorporate encryption/tokenization into their systems, as that will help ensure their clients are adequately protecting their customers from digital criminals and other threats.