Fraud continues to increase as new technologies are adopted, causing losses to users and companies alike. In an effort to curb it, new controls and security technologies are being developed, and the models used to understand the current cybercrime landscape are being revised.
One of the most interesting is the combination of EMV chip card technology with the PCI DSS standard, which defines the minimum data security requirements that any organization transmitting, processing or storing payment card data must meet. In other words, it involves complying with a standard while adopting a technology.
When combating fraud related to new technologies, the starting point is to understand that the purpose of today's cybercrime is financial gain, which is the main reason it continues to grow. Cybercriminals now operate in organized, specialized groups that are run like companies, complete with business models and plans of their own.
Different sectors may be affected in this context, but it is without a doubt the financial sector that has proven most profitable for attackers. When attackers go after the assets of organizations and users, fraud is one of their most frequently used methods, especially fraud involving the banking system's credit and debit cards.
Bank card fraud – a highly profitable
business for cybercriminals
Card fraud involves unauthorized activity using the three main types of card: debit, credit and prepaid. Unfortunately, there is a range of threats and methods by which attackers can carry out their activities effectively: security weaknesses in organizations, theft or loss of cards, skimming, social engineering, phishing attacks, and the development and propagation of malware, for example point-of-sale (PoS) malware that steals card data from payment terminals.
This wide range of options has made obtaining users' financial data, in order to defraud them, the attackers' main aim. A recently published study illustrated the scale of the problem: over two thousand data breaches were confirmed during 2015, and around four billion records have been reported stolen since 2013. The conclusion is that credentials and card data belonging to users around the world have been compromised.
In parallel, the black market in consumer data has matured to the point where it is difficult to distinguish from a legitimate economy. As a result, recent years have seen a growing number of initiatives to raise protection levels within organizations that handle financial data, from standards that define good practice to migration to new, securely designed technologies. Users, too, have been encouraged to adopt security practices of their own in an attempt to mitigate fraud.
In this context, security plays a very important
role in mitigating current threats, because exposing users’
data puts them at risk, while organizations can suffer damage to their image
and reputation.
Now let’s see why combining technology with
standards could combat fraud.
PCI+EMV: Protection based on authentication
and data control
So, how does combining a standard with a technology
combat fraud?
Transactions involving bank cards are widely used around the world and, although new payment methods such as mobile wallets and cryptocurrencies are starting to appear, it will be some years before they are used at a comparable scale. So it is essential to apply security technology to bank cards themselves.
In this respect, there are two elements that, combined, help increase card data security and, as a result, reduce fraud. The first is the security built into EMV (Europay, MasterCard, Visa) chip technology, which uses secret cryptographic keys held in the chip to make it difficult to clone cards and carry out fraudulent operations at points of sale.
This is a form of card authentication at the point-of-sale terminal, and it works only when the card is physically present; it does not protect card-not-present transactions such as online purchases. Because the card's key resides in the chip and is used to compute a cryptogram for each transaction rather than being read out, the terminal and the issuer can check that the card is genuine and not a copy of its data.
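The following is an added, simplified model of that authentication, written for this article rather than taken from it or from the EMV specification. It shows why data copied off a card is not enough to transact: the issuer gives each card a key that never leaves the chip, the chip MACs each transaction (including a counter and a terminal-supplied random number), and the issuer recomputes the MAC. HMAC-SHA256, the key-derivation labels and the message layout are assumptions standing in for the 3DES/AES MACs and tag data real EMV uses; the PANs are test numbers.

```python
import hashlib
import hmac
import os

# Added example: simplified EMV-style online card authentication.
# Assumption: HMAC-SHA256 stands in for the 3DES/AES MACs of real EMV,
# and the "card:"/"session:" labels are illustrative, not EMV's derivation.


def derive(key: bytes, label: bytes) -> bytes:
    """Key derivation stand-in: child key = HMAC(parent key, label)."""
    return hmac.new(key, label, hashlib.sha256).digest()


def cryptogram(card_key: bytes, atc: int, amount: int, un: bytes) -> bytes:
    """Authorization Request Cryptogram (ARQC) over the transaction data.

    A session key is derived from the card key and the Application
    Transaction Counter (ATC); it MACs the ATC, the amount and the terminal's
    unpredictable number (UN). Truncated to 8 bytes like a real ARQC."""
    session_key = derive(card_key, b"session:" + atc.to_bytes(2, "big"))
    data = atc.to_bytes(2, "big") + amount.to_bytes(6, "big") + un
    return hmac.new(session_key, data, hashlib.sha256).digest()[:8]


class ChipCard:
    """The chip holds a card-unique key that is never read out."""

    def __init__(self, pan: str, card_key: bytes):
        self.pan = pan
        self._key = card_key
        self.atc = 0

    def generate_ac(self, amount: int, un: bytes):
        self.atc += 1  # the counter moves on every transaction
        return self.atc, cryptogram(self._key, self.atc, amount, un)


class Issuer:
    """Issuer host: personalizes cards and verifies ARQCs online."""

    def __init__(self, master_key: bytes):
        self._imk = master_key
        self.highest_atc = {}  # PAN -> highest ATC accepted so far

    def _card_key(self, pan: str) -> bytes:
        return derive(self._imk, b"card:" + pan.encode())

    def personalize(self, pan: str) -> ChipCard:
        self.highest_atc[pan] = 0
        return ChipCard(pan, self._card_key(pan))

    def verify(self, pan, atc, amount, un, arqc) -> bool:
        if pan not in self.highest_atc:
            return False
        if atc <= self.highest_atc[pan]:
            return False  # counter already seen: replay
        expected = cryptogram(self._card_key(pan), atc, amount, un)
        if not hmac.compare_digest(expected, arqc):
            return False  # wrong key (copied card) or altered data
        self.highest_atc[pan] = atc
        return True


class Terminal:
    """Point-of-sale terminal: supplies a fresh UN and forwards the request."""

    def __init__(self, issuer: Issuer):
        self.issuer = issuer
        self.last_request = None  # what an eavesdropper on the link sees

    def transact(self, card: ChipCard, amount: int, amount_sent=None) -> bool:
        un = os.urandom(4)
        atc, arqc = card.generate_ac(amount, un)
        sent = amount if amount_sent is None else amount_sent
        self.last_request = (card.pan, atc, sent, un, arqc)
        return self.issuer.verify(*self.last_request)


def run_scenarios():
    """Returns (genuine, tampered_amount, replay, copied_card) outcomes."""
    issuer = Issuer(os.urandom(32))
    card = issuer.personalize("4111111111111111")  # test PAN
    pos = Terminal(issuer)

    genuine = pos.transact(card, 2500)
    captured = pos.last_request
    # Merchant or man-in-the-middle changes the amount after the chip signed it
    tampered = pos.transact(card, 2500, amount_sent=9900)
    # Replaying the captured request verbatim
    replay = issuer.verify(*captured)
    # A copy holding everything readable off the card but not the chip key
    # can only reuse an old cryptogram, which fails against a new ATC and UN
    pan, atc, _, _, old_arqc = captured
    copied = issuer.verify(pan, atc + 5, 2500, os.urandom(4), old_arqc)
    return genuine, tampered, replay, copied


if __name__ == "__main__":
    print(run_scenarios())  # (True, False, False, False)
```

The two rejection paths matter in practice: the counter check stops verbatim replay, and the MAC check stops both data-only copies and amount tampering. Neither helps with card-not-present transactions, where no chip is involved at all.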
The second is security standards such as PCI DSS, which give companies a set of security controls so that customers' card data is protected throughout the transaction process. It was designed with the possibility in mind that, once the card is inserted into the merchant's system, the cardholder's confidential data might be transmitted or stored on the merchant's network without any protection, which leaves it vulnerable.
This is where the PCI requirements define protection for the point-of-sale device and additional security controls, such as applying updates and security patches to systems, intrusion detection, access management, secure software development, and education and awareness training for employees, among other measures.
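As an added illustration of the "stored without any protection" case above (example code written for this article, not the page's or the PCI SSC's own), the block below contrasts a merchant record that keeps everything the terminal read with one that keeps only what PCI DSS allows: a masked PAN for display, a keyed hash for lookups, and no CVV or track data after authorization. It also includes the check a practitioner runs over stored data and logs: scanning for Luhn-valid card numbers in the clear. The sample card, the HMAC-SHA256 token and the field names are constructed assumptions.

```python
import base64
import hashlib
import hmac
import json
import re

# Constructed sample of what a terminal hands to a merchant system
# (a test PAN; the expiry, CVV and track 2 data are made up).
SAMPLE_CARD = {
    "pan": "4111111111111111",
    "expiry": "12/27",
    "cvv": "123",
    "track2": "4111111111111111=2712101123",
    "amount": 2500,
}

# Runs of 13 to 19 digits not embedded in a longer digit run
PAN_CANDIDATE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test; every real PAN passes it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form PCI DSS permits: at most the first six and last four."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_pans(text: str):
    """Scan stored or logged text for Luhn-valid card numbers in the clear."""
    return [m.group(0) for m in PAN_CANDIDATE.finditer(text)
            if luhn_valid(m.group(0))]


def leaks(record: dict):
    """PANs visible in a record once it is serialized to storage or a log."""
    return find_pans(json.dumps(record))


def record_unprotected(card: dict) -> dict:
    """What the text warns about: everything from the card, as received."""
    return {
        "pan": card["pan"],
        "expiry": card["expiry"],
        "cvv": card["cvv"],        # sensitive authentication data
        "track2": card["track2"],  # sensitive authentication data
        "amount": card["amount"],
    }


def record_pci(card: dict, token_key: bytes) -> dict:
    """Keeps only what the merchant needs after authorization.

    The PAN is masked for display and replaced by a keyed hash (assumption:
    HMAC-SHA256 under a key the merchant protects) so the same card can be
    recognized again without storing the number. CVV and track data are
    dropped entirely."""
    digest = hmac.new(token_key, card["pan"].encode(), hashlib.sha256).digest()
    return {
        "pan_masked": mask_pan(card["pan"]),
        "pan_token": base64.urlsafe_b64encode(digest).decode().rstrip("="),
        "expiry": card["expiry"],
        "amount": card["amount"],
    }


if __name__ == "__main__":
    print(leaks(record_unprotected(SAMPLE_CARD)))  # PAN found twice
    print(leaks(record_pci(SAMPLE_CARD, b"merchant-token-key")))  # nothing
```

The scanner is deliberately crude: it will flag any Luhn-valid digit run, so expect some false positives on order or account numbers, and it will miss PANs written with separators. Its value is in showing that the unprotected record leaks the PAN twice (the field itself and the track 2 copy), while the compliant record leaks nothing even though it still supports card lookups via the token.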
So the combination of security technology, good user practice, security education and a protection strategy enables us to use the technology more securely and, in this specific case, to reduce the probability of fraud.