By now you’ve almost certainly heard of the record number of data breaches that occurred during 2015, placing personal data protection at the forefront of everyone’s mind. 2015 was the year of the hacker, with an extraordinary number of high-profile data breaches at major banks and retailers, as well as travel and leisure businesses.
Aside from the high cost of the losses for the major banks and card networks like MasterCard and Visa, there were the ever-increasing headaches for the end users and customers, who often bore the brunt of these attacks on their personal data. In an age of internet-driven transactions, where we buy everything from airline tickets to baby formula online, these breaches remain the number one priority for banks and retailers alike.
Maintaining consumer trust and confidence that personal data and finances are safe is the foundation on which all ecommerce is built. Keep in mind that each of these transactions returns a small percentage of the total sale to the card issuer and network in the form of a transaction (interchange) fee, and you can begin to see why secure transactions are paramount to their bottom line.
Make no mistake: losing even a small portion of these transactions, not to mention reimbursing the fraudulent transactions that do occur, keeps many loss-prevention executives wide awake at night worrying about the next breach.
It’s no real surprise, then (according to Wired Magazine), that a great many of these banks and retailers have spent billions on personal data protection, trying to stay one step ahead of the hackers. Over the past couple of years alone, card issuers have spent upwards of $800 million just on re-issuing potentially compromised cards. When you consider that the average card costs roughly $1.10 to make and distribute, that’s a lot of cards.
Personal Data Protection Standards – The Numbers
The industry’s latest tool in the fight against the hackers is the roll-out of a technical standard for both credit and debit cards known as EMV (Europay, MasterCard and Visa), more commonly referred to as the “Chip & PIN” card. While very common in the UK and Canada, these chip cards only began to roll out in the US in the fall of 2015.
In theory and in practice, these cards are designed to provide true two-factor authentication in order to improve personal data protection on the end user’s side. First, the chip carries the same account data the old magnetic stripe held, but instead of handing it over as static data that any skimmer can copy, the chip holds a secret key that cannot be read out and uses it to compute a unique cryptogram for every transaction, which the issuer verifies. Note that the account number itself is not hidden; what the chip protects against is cloning the card. Supporting this exchange is why retailers have had to spend upwards of $8 billion (yes, with a “B”) on new card readers that can talk to the chip.
So far, so good.
The second layer of protection is the PIN that the cardholder enters at the time of purchase. Entering the PIN completes the two-factor circuit: something you have (the card) plus something you know (the PIN).
When used as intended, this “one-two punch” provides a very high degree of security whenever a brick-and-mortar purchase is made. The improvement in personal data protection has been so well received that cardholders in the UK and Canada have come to know and rely on EMV cards ever since their roll-outs there, completed in the UK by 2006 and in Canada over the years that followed.
Sluggish Adoption, Negligible Change
Oddly, U.S. retailers and banks have not only been slow to adopt the standard, they have also settled on a watered-down version that often removes the need for a PIN. The “Chip & Signature” approach that many have chosen still relies on the chip’s per-transaction cryptogram to defeat cloning, but in what many security analysts see as a major oversight, it drops the PIN requirement and lets the cardholder sign instead. The chip still proves that the genuine card is present; nothing proves that the genuine cardholder is.
All of this raises a simple question: why spend all this money on new chip cards, card readers and compliance standards when many banks and retailers aren’t taking full advantage of the increased personal data protection that the full chip-and-PIN combination provides?
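To make the difference between the two factors concrete, here is a small Python model, added to this post and not taken from any card network, issuer or vendor, of the scenarios discussed above: a cloned magnetic stripe, a replayed or tampered chip transaction, and a stolen chip card used under Chip & PIN versus Chip & Signature. It is deliberately simplified: HMAC-SHA256 stands in for the issuer’s symmetric cryptogram (real EMV derives 3DES or AES session keys from an issuer master key and MACs a longer record of transaction data), the class and function names are hypothetical, and the card numbers, PIN and track value are constructed sample data.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Assumption: HMAC-SHA256 is a stand-in for the EMV application cryptogram.
# Field names and the record layout are abbreviated for illustration.


@dataclass
class ChipCard:
    pan: str
    key: bytes        # card-unique key; never readable from the chip
    pin: str
    atc: int = 0      # Application Transaction Counter, increments per use

    def generate_cryptogram(self, amount_cents, unpredictable):
        """MAC over PAN, counter, amount and the terminal's random nonce."""
        self.atc += 1
        record = f"{self.pan}|{self.atc}|{amount_cents}|{unpredictable.hex()}".encode()
        return self.atc, hmac.new(self.key, record, hashlib.sha256).digest()

    def verify_pin(self, candidate):
        return hmac.compare_digest(candidate, self.pin)


@dataclass
class MagstripeCard:
    """Static track data: whatever a skimmer reads is enough to build a clone."""
    pan: str
    track_secret: str   # fixed for the card's lifetime (think CVV1)


class Issuer:
    def __init__(self):
        self.chip_keys = {}
        self.last_atc = {}
        self.track_secrets = {}

    def enroll_chip(self, card):
        self.chip_keys[card.pan] = card.key

    def enroll_magstripe(self, card):
        self.track_secrets[card.pan] = card.track_secret

    def authorize_chip(self, pan, atc, amount_cents, unpredictable, cryptogram):
        key = self.chip_keys.get(pan)
        if key is None:
            return False
        if atc <= self.last_atc.get(pan, 0):   # counter must advance: blocks replay
            return False
        record = f"{pan}|{atc}|{amount_cents}|{unpredictable.hex()}".encode()
        expected = hmac.new(key, record, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, cryptogram):   # blocks tampering
            return False
        self.last_atc[pan] = atc
        return True

    def authorize_magstripe(self, pan, track_secret):
        stored = self.track_secrets.get(pan)
        return stored is not None and hmac.compare_digest(stored, track_secret)


def chip_transaction(card, issuer, amount_cents, cvm, pin_entered=None, capture=None):
    """cvm is 'pin' (Chip & PIN) or 'signature' (Chip & Signature).
    capture, if given, is a list a skimmer fills with what it observes on the wire."""
    if cvm == "pin":
        if pin_entered is None or not card.verify_pin(pin_entered):
            return False
    unpredictable = secrets.token_bytes(4)          # terminal nonce
    atc, cryptogram = card.generate_cryptogram(amount_cents, unpredictable)
    if capture is not None:
        capture.append((atc, amount_cents, unpredictable, cryptogram))
    return issuer.authorize_chip(card.pan, atc, amount_cents, unpredictable, cryptogram)


def run_scenarios():
    """Constructed sample cards; returns which attempts the issuer approves."""
    issuer = Issuer()
    chip = ChipCard(pan="4111111111111111", key=secrets.token_bytes(16), pin="4932")
    stripe = MagstripeCard(pan="4111111111111112", track_secret="713")
    issuer.enroll_chip(chip)
    issuer.enroll_magstripe(stripe)

    results, skimmed = {}, []
    # Legitimate Chip & PIN purchase, observed by a skimmer
    results["chip_pin_ok"] = chip_transaction(chip, issuer, 4599, "pin", "4932", skimmed)
    atc, amt, un, ac = skimmed[0]
    # Replaying the captured cryptogram: counter does not advance
    results["chip_replay"] = issuer.authorize_chip(chip.pan, atc, amt, un, ac)
    # Bumping the counter and changing the amount: MAC no longer matches
    results["chip_tamper"] = issuer.authorize_chip(chip.pan, atc + 1, amt * 10, un, ac)
    # Magstripe clone: copied static track data is all an attacker needs
    results["magstripe_clone"] = issuer.authorize_magstripe(stripe.pan, stripe.track_secret)
    # Stolen chip card, thief does not know the PIN
    results["stolen_chip_pin"] = chip_transaction(chip, issuer, 4599, "pin", "0000")
    results["stolen_chip_signature"] = chip_transaction(chip, issuer, 4599, "signature")
    return results
```

The model shows the two properties separately: the chip’s key and counter defeat cloning, replay and tampering, but under the “signature” path the issuer approves the stolen card just as readily as the real cardholder’s purchase, because the only thing that would have distinguished the two, the PIN check, was never performed.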
In a word: convenience.
Many retailers still have card readers with electronic signature pads that accept their customers’ signatures, according to Randy Vanderhoof, director of the EMV Migration Forum. There is also a tacit concern that adding a PIN to the transaction would add cost, complexity and inconvenience that could cost a sale.
Another contributing factor is the timing of the rules. These are card-network liability rules rather than government regulation, and for the remaining terminal types the deadline is late 2017, which means that until then many retailers and banks are happy to kick the can on the whole PIN-versus-signature issue. For retailers this is a double-edged sword: the card networks have told them that counterfeit fraud on a chip card presented at a terminal that cannot process the chip falls back on the retailer to cover financially.
In reality, retailers are playing a cat-and-mouse game with the hackers, hoping that the anti-cloning protection the chip provides is enough on its own to severely curtail the hackers’ success. It would appear that the fear of losing a sale outweighs the risk of a weaker protection method.
Convenience Can be Crippling
What really cannot be questioned, however, is how the mind of the hacker works. Hackers focus their energies only on what needs to be overcome. Removing the PIN as an obstacle means a lost or stolen chip card can be used in a store with nothing more than a scribbled signature, and it lets attackers concentrate on the channels the chip does not protect at all, such as purchases where the card is never inserted into a reader. It remains to be seen how hack-proof these new EMV cards will prove, and how the general public will respond to the sub-standard personal data protection this system provides.
In this instance, a good many of these decisions are left out of the consumer’s control. We get what we get and we comply as best we can. Deciding when, if, and how these new security standards are implemented is largely out of our hands.
Fortunately, there are a number of things that we can control to help improve our personal data protection as much as possible. Things like the strength of our own passwords and PINs, or when and how we access our data (for example over a secure rather than an open Wi-Fi connection), go a long way towards providing a strong first line of defense against hackers. We here at PortalGuard always encourage you to make your passwords long and unique to each account (a password manager helps), and to change them promptly whenever a service you use reports a breach. We also strongly recommend that you avoid unsecured public Wi-Fi hotspots (no matter how tempting!), and if you must use one, stick to HTTPS sites or a VPN.
We live in an interesting time for data security. With the rapid evolution of our security technology, and situations like the lackluster adoption of Chip & PIN technology to the fullest extent of its security benefits, it is becoming more and more clear that convenience is not always the best driving force. Finding the balance between usability and security has always been a difficult goal to reach, but our personal data protection methods should not sacrifice high-end security for the sake of a faster or simpler transaction. It’s just not worth the risk.
What are your thoughts on that matter – feel free to let us know in the comments below!