Financial institutions have been, and continue to be, one of the favorite targets for criminals across centuries because they are direct sources of money and are often among the first adopters of new technology. Financial firms are always under pressure to keep up with the latest technology, both to offer customers convenient ways to carry out transactions and to remain competitive, and at the same time they are required to protect themselves from a new generation of tech-savvy criminals specializing in cybercrime. The article “Banking and Financial Sectors are Prime Target for Hackers: Survey” discusses how the banking and financial sectors have become a prime target for hackers and the vulnerabilities that have been exploited across different countries. Because of the variety of techniques used by cybercriminals, cybersecurity for financial organizations requires not just strengthening the technical systems within the organization but also educating employees, customers, and business partners so that they participate in the security process. As an article by PwC puts it, it is not a question of “if” criminals will target a financial services firm but “when.” The PwC article also provides guidelines on implementing cybersecurity policies and actions, and stresses that security needs to be ingrained in everyone rather than treated as something for the technology teams to fix. This shared responsibility remains the most important part of regulating and policing the sector.
One of the most public and yet most vulnerable endpoints for financial services is the payment card. Securing both card-present and card-not-present payment transactions is essential to protecting most financial services organizations from fraud. While various laws and regulations provide guidelines and requirements for implementing cybersecurity, the Payment Card Industry Data Security Standard (PCI DSS) is the most relevant information security standard for organizations that handle branded payment cards (it is an industry requirement for Visa and various other electronic payment brands). Protecting cardholder data through encryption and through secure networks and devices is one of the main goals of this standard. It applies to everyone who is part of the cardholder data environment, including merchants, acquirers, issuers, financial institutions, and service providers. The standard specifies 12 requirements to ensure security in the operational and technical processes of all organizations involved in payment processing. The requirements provide a guideline for establishing policies and procedures concerning employees, applications, networks, monitoring and testing of systems, and access control to data and systems.
The migration from magnetic stripe cards to EMV chip cards was one of the key steps devised to help reduce card fraud in the past decade. Magnetic stripe cards store data by modifying the magnetism of tiny iron-based magnetic particles contained in a plastic-like film on the card. Information such as the card number, name, CVC, expiration date, and service code is stored on this film, and the card reader reads it when the card is swiped. Because the data on the stripe is static, it can easily be replicated or copied, which made magnetic stripe cards prone to fraud. EMV chip cards, or chip-enabled smart cards, contain a chip that generates a unique cryptographic code, called a token, for every transaction. Since the transaction code is never repeated, it is useless to a thief who manages to capture it, so it is very difficult to read or copy any account holder's data from the card in a reusable form. This, combined with PIN-based authentication, provides added security against fraud. EMV cards are backward compatible, so they still carry a magnetic stripe that can be read by old readers; as such, the safest way to use an EMV card is with a chip-compatible reader. Some cards come with near-field communication (NFC) technology so that you can simply hold the card close to the reader, and it still generates the same kind of unique token to complete the transaction.
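The paragraph above contrasts static stripe data, which can be copied and presented again, with a chip that produces a fresh cryptographic code for each transaction. The following simulation is an added illustration, not code from the original article, and it simplifies real EMV: the per-transaction code is an HMAC-SHA256 over the chip's transaction counter, a terminal nonce and the amount (a stand-in for the real EMV application cryptogram), and every key, card number and class name here is constructed for the example. It shows that an exact copy of stripe data is accepted just like the original, while a captured chip cryptogram is declined on replay and a cryptogram whose amount has been altered is declined as well.

```python
import hmac
import hashlib
import secrets

# Constructed values for this illustration only (not real card data or keys).
CARD_KEY = bytes.fromhex("0123456789abcdef0123456789abcdef")  # shared chip/issuer key
TRACK_DATA = b"4111111111111111=25121011234"  # static stripe contents: PAN, expiry, service code, CVC


class StripeIssuer:
    """Issuer check for a magnetic stripe: the only thing it can verify is that the
    presented static data matches what is on file, so a copy is indistinguishable."""

    def __init__(self, track_on_file: bytes):
        self.track_on_file = track_on_file

    def authorize(self, presented_track: bytes) -> bool:
        return hmac.compare_digest(presented_track, self.track_on_file)


class Chip:
    """Card side: holds the key and an application transaction counter (ATC) that
    increases on every transaction, so no two cryptograms cover the same data."""

    def __init__(self, key: bytes):
        self.key = key
        self.atc = 0

    def generate_cryptogram(self, terminal_nonce: bytes, amount: int) -> dict:
        self.atc += 1
        mac = _mac(self.key, self.atc, terminal_nonce, amount)
        return {"atc": self.atc, "nonce": terminal_nonce, "amount": amount, "mac": mac}


class ChipIssuer:
    """Issuer side: recomputes the cryptogram and refuses counters it has already seen."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_atc = 0

    def authorize(self, msg: dict) -> bool:
        if msg["atc"] <= self.last_atc:
            return False  # replayed (or stale) counter
        expected = _mac(self.key, msg["atc"], msg["nonce"], msg["amount"])
        if not hmac.compare_digest(expected, msg["mac"]):
            return False  # cryptogram does not match the claimed transaction data
        self.last_atc = msg["atc"]
        return True


def _mac(key: bytes, atc: int, nonce: bytes, amount: int) -> bytes:
    # HMAC-SHA256 over counter, terminal nonce and amount, truncated to 8 bytes;
    # a simplified stand-in for the real EMV application cryptogram.
    data = atc.to_bytes(2, "big") + nonce + amount.to_bytes(4, "big")
    return hmac.new(key, data, hashlib.sha256).digest()[:8]


def demo() -> dict:
    """Run both card types through their issuer checks and return the outcomes."""
    results = {}
    stripe_issuer = StripeIssuer(TRACK_DATA)
    results["stripe_first"] = stripe_issuer.authorize(TRACK_DATA)
    results["stripe_copy"] = stripe_issuer.authorize(bytes(TRACK_DATA))  # an exact copy passes too

    chip, issuer = Chip(CARD_KEY), ChipIssuer(CARD_KEY)
    first = chip.generate_cryptogram(secrets.token_bytes(4), 2500)
    results["chip_first"] = issuer.authorize(first)
    results["chip_replay"] = issuer.authorize(first)  # same cryptogram presented again

    second = chip.generate_cryptogram(secrets.token_bytes(4), 4000)
    results["chip_tampered"] = issuer.authorize(dict(second, amount=9900))  # amount changed in transit
    results["chip_second"] = issuer.authorize(second)  # the genuine second transaction still works
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:14s} {'authorized' if ok else 'declined'}")
```

The issuer-side counter check is what turns "never repeated" into an enforceable rule: without remembering the last counter seen, a valid cryptogram could be presented twice. Real issuers apply the same idea with additional velocity and risk checks, and the magnetic stripe that remains on EMV cards for backward compatibility is exactly the static data path shown in the first half of the demo.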
Concerning card payments, PCI compliance is mandatory for financial institutions and merchants. EMV (Europay, Mastercard, and Visa) is not mandatory, but it has become, and continues to become, the recommended standard. While EMV provides the authentication technology, PCI DSS provides the data security controls required to protect cardholder data throughout the transaction process. The whitepaper, however, does provide details on how PCI DSS and EMV work together to provide a layered approach for securing multi-channel transactions. With the EMV chip embedded in the card and additional authentication provided by a signature or PIN, the merchant can be confident that the card being used is genuine and belongs to the person using it. This reduces the possibility of fraud involving counterfeit, lost, or stolen cards. The PCI DSS standard, on the other hand, protects the point-of-sale device itself and provides layers of additional security controls throughout the transaction process, including standards for developing secure software, educating employees, using firewalls, and so on. Following these standards also helps to secure card-not-present transactions, where having an EMV chip in the card does not help. Thus, implementing EMV chip cards in combination with the security controls specified in PCI DSS can greatly improve cybersecurity across the digital payments industry.
About the Author
David Smith is a cryptographer with 12 years of experience in both the public and private sectors. He is currently working on his second start-up (currently in stealth mode) that will track and interpret the use of contactless payments in the Greater China region. His expertise includes system design and implementation with contact and contactless smart cards, smart card personalization, mobile payments, and general knowledge and experience with APAC market trends and consumer preferences.
Disclaimer: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of EC-Council.