Protection against “the liability shift” requires a belt AND braces approach

Home  /  Industry topics  /  Protection against “the liability shift” requires a belt AND braces approach

On November 15, 2016, Posted by , In Industry topics,PCI DSS, By ,,, , With No Comments

Whether you are EMV compliant or not, you cannot afford to take the risk of the fraudulent use of credit or debit card data, or worse still, a data breach of one of your payment terminals. Simple low cost, and effective physical security protection at the point of sale will minimise the risk.

The US economy lost nearly $8billon in 2015 in payment card fraud. As stated by Business Insider, this is over half of the global card fraud total despite the fact that the USA generates only 25% of the world’s card based transactions. The fundamental problem behind these rather startling figures lies in the lack of in-built security afforded by the mag-stripe cards and the obvious issues around using signature verification as a method of identification.

Therefore, it was decided to move the US into line with many other countries by introducing the EMV standard through Chip & PIN enabled credit and debit cards. A deadline of October 2015 to complete the migration to the new cards and readers was put in place, at which point the liability shift of any fraudulent payment will be passed to the party “least in compliance” – which to all intents and purposes means the merchant.

Whilst many of the major retailers have complied, there are many issues that have seen the migration run into a whole gamut of issues.  The liability shift was hoped to encourage retailers to make the upgrade, but it is a complicated situation. Banks needed to supply their customers with the new Chip & PIN cards, and this tortuously slow process has seen only 33% of existing debit cards replaced, as at September this year. The retailers themselves need to roll out the new readers AND upgrade their software on the point of sale to be EMV compatible. This is a costly exercise, and one where the smaller retailer, fast food restaurant or coffee shop saw no obvious benefit for the financial outlay required in relation to the perceived level of threat.

Finally, the customer was supposed to be the winner here with secure payments and faster transaction times. Nothing could be further from the truth. They find that dipping their card is slow, they forget their PIN number and most confusing of all, they are faced with retailers, some of which are using Chip and PIN, some that are asking the card to be just be swiped and some that ask for the card to be dipped but no PIN number entered. In simple terms, a mess!

So, set against this confusing and somewhat hybrid situation that is set to last for months if not years, there are physical protection measures that can be taken to further enhance protection for those who have rolled out EMV and those who are yet to be convinced. The fact remains that the liability shift is in operation, and the consequences of a data breach on a business, of whatever size, could be severe – with Target being a prime example of what can happen.

“the consequences of a data breach on a business, of whatever size, could be severe – with Target being a prime example of what can happen.”

EMV and PCI should be seen together as a complete payment security blueprint

Of course EMV is all about the security of the credit or debit card from the consumer’s point of view, but it is only half of the story. The transaction itself and the subsequent data encryption is down to the terminal, and again, the liability shift in this respect is down to the retailer, enforced by the latest PCI directives, which are backed up with very hefty financial penalties.  It is important, therefore, that EMV AND PCI are seen together as one.

Criminals are getting smarter. We have already seen 3D printed overlays being used on payment terminals to capture card data, and therefore the last line of defence lies with the retailer who must prevent substitution and tampering. This is exactly why the PCI Best Practice recommendations on physical security become a vital part of a combined EMV and PCI compliance strategy.

It is the retailer’s responsibility to ensure devices are secured but also that they take appropriate measures to accommodate correct installation and security around the placement of the payment terminal position at the POS environment.

The threats are real and the requirement to mitigate them under the Payment Card Industry Data Security Standard (PCI: DSS) is critical if retailers want to avoid fines and a loss of customer confidence if data is stolen.

Any security breach of payment card data has far-reaching consequences for affected organisations including:

  • » Regulatory notification requirements,
  • » Loss of reputation
  • » Loss of customers
  • » Potential financial liabilities
  • » Litigation

Help is on hand!

SpacePole Inc., and Ergonomic Solutions are ideally placed in North America and the rest of the world to provide advice and guidance on all aspects of physical security and PCI DSS compliance and best practice at the point of sale. We have knowledge and understanding of the most appropriate payment solution for however those transactions take place, be it static, mobile, or contactless.

PCI themselves recommend the use of “locking stands, cable trays and other securing mechanisms” as best practice, and the SpacePole range of payment mounts and ClickSafe security tethers follow the latest PCI-DSS physical security best practice compliance directives. We are an active participating member of the PCI Security Council.

Globally, we are seen as the experts and have provided over two million payment mounting solutions and are recognised as the world’s leading supplier of payment terminal technology mounts.

payment pci emv

Visit the SpacePole Inc./Ergonomic Solutions booth 1413, at NRF 2017 to see how we can help you navigate the complexities of EMV and PCI, and protect you and your customers from fraud.

Leave a Reply

Your email address will not be published. Required fields are marked *