Introduction
Nothing is more important to the future of electronic payments than maintaining consumer trust and, in particular, consumer confidence that sensitive financial information will remain secure. To preserve that confidence, stakeholders in the payment system have made enormous investments in data security and fraud prevention. As a result, Visa’s fraud rates remain stable at or near their historic lows.
This achievement has been due to a combination of advancements that have been implemented both at the “edges” of the payment network, where payments are accepted, and at its center, where more efficient technologies detect fraud by using the processing platform.
Yet the payments environment continues to evolve. Innovations, such as mobile payments, are poised to revolutionize the acceptance environment. In a world of constant change, stakeholders are asking: What will the point of sale (POS) of the future look like?
At the same time, in the wake of the Durbin Amendment, one particular security solution has become embroiled in an entirely different debate grounded not in security, but in economics: namely, the routing of debit transactions over “signature” vs. “PIN” networks.
With these debates raging, it’s hard to keep one’s mind on security. However, we’ll attempt in this article to do just that. We’ll pose the following questions: How important are cardholder verification methods (CVMs) in general and personal identification numbers (PIN) in particular to preventing payment fraud, and how important will they be in the future?
An analysis of the marketplace suggests that PIN is currently playing a useful role, enhancing security and creating benefits for consumers and merchants. However, as is almost always the case when it comes to combating fraud, criminals are focused on cracking this now familiar and increasingly ubiquitous technology. This suggests that payment systems will need to evolve new solutions in order to stay ahead of the fraudsters.
The State of Play with PIN Today
The concept of PIN originated with the introduction of the Automated Teller Machine (ATM) in the 1960s, and a patent for PIN was filed in 1966 by a British engineer named James Goodfellow. Since then, the use of the PIN for authentication has crossed over to the physical point of sale with the introduction of debit cards. The use of PIN grew further in markets, such as Europe, where significant and growing fraud from counterfeit, lost and stolen cards was one of the key drivers for chip cards to be deployed using PIN verification.
The value of PIN in combating fraud is that it puts the cardholder in possession of both a physical asset (the card) and a piece of information (the PIN), creating a two-factor authentication model in which criminals must penetrate two layers to access cash. In addition to stealing or counterfeiting a payment card, the criminal must also obtain the PIN. With this security advantage, PIN allows merchants to offer cardholders further convenience via a cash-back option at the POS, minimizing the need for the cardholder to visit ATMs for cash.
Not all merchants have seized this opportunity, however. Only about a quarter of the 8 million merchant outlets in the United States have chosen to accept PIN debit transactions today. This group reports relatively low fraud rates from PIN-authenticated transactions, but one must look at PIN fraud more holistically. Does it follow that the future of security should include more widespread deployment of this authentication tool? Because data theft and fraud trends are interconnected, the question is not as simple as it looks. However, recent experience suggests that the answer is “no.”
As criminal attacks have evolved and PIN terminals have become more common, the PIN itself has become a target. As is so often the case in security matters, today’s solution is tomorrow’s problem. Fraud that doesn’t occur on “PIN networks” at the point of sale doesn’t disappear. It simply migrates to other channels, including the ATM. While ATM fraud is often not reported to payment networks like Visa, we believe it has increased significantly in the last few years. Aite Group recently wrote, “…criminals are increasingly attempting to steal PIN information alongside card data, allowing the simple extraction of funds from a victim’s account via ATM or POS withdrawal.” This reflects the more serious problem with the widespread deployment of PIN. With many millions of PINs now running through POS terminals every day, they are beginning to provide to the criminal set the same convenience they provide to legitimate customers, namely, ready access to cash.
Thus it is that a security solution, the PIN, has led to a costly security challenge – protecting the PIN. The industry has introduced ever-more sophisticated tools, stronger encryption and stringent rules to make PIN data more secure. Large investments by merchants, processors and others have made PINs harder to steal. However, organized criminal networks are striking back. They have modified their tactics and begun to conduct coordinated strikes against selected targets where PINs can be most easily accessed. Having pilfered both magnetic stripe data and PIN, they can avoid cumbersome intermediate steps, such as purchasing merchandise for resale. Instead, they deploy their troops to withdraw cash at the next ATM or at multiple ATMs around the world.
One recent example is the coordinated attack on the ALDI grocery store chain this past summer. The company reported that criminals illegally placed tampered debit card payment terminals in some stores, intercepting card details along with PINs before they could be encrypted. Moreover, hackers have devised clever phishing scams involving e-mails, websites or SMS text messages to yield a harvest of ill-gotten PINs. Another tactic involves “skimming” devices that criminals attach to ATMs or to automated fuel dispensers at gas stations. Skimmers may read and store PINs and track data while allowing a legitimate transaction to occur. The device is typically left in place for several days until the criminal returns to collect the data. In one recent case, two Bulgarian brothers were arrested for reportedly using skimmers and hidden cameras at Chase and Citibank ATMs in the New York area to steal more than $1 million.
These efforts have proved worth the criminals’ time and money, as each breached PIN yields a greater harvest of fraud. In its “ATM & PIN Fraud” report, Javelin Strategy & Research reported that the mean cost per fraud is 91 percent higher for debit card ATM PIN fraud and 70 percent higher for credit card ATM PIN fraud than for non-PIN payment card fraud. Avivah Litan, fraud analyst at Gartner, a research firm, estimates that fraud involving debit cards, PINs and point-of-sale equipment has surged 400 percent over the past five years.
A reliable accounting of the total fraud losses from these types of attacks is difficult to piece together. But the impact to financial institutions likely has been significant and is expected to grow. Moreover, news reports of incidents involving fraudulent ATM withdrawals could ultimately erode cardholder confidence, which is the foundation of the entire payments system.
The Evolution of Payments Security
Given the increased focus and sophistication of criminal attacks on PIN security, it’s clear that payment systems must adapt. As Javelin observed, “It is expected that ATM PIN fraud will increase unless comprehensive layered security is used.”
Part of this layered approach will lie in the continuous improvement of network-based security solutions. Advanced neural network technologies now allow for real-time rating of the likelihood of fraud for each transaction. These systems can in many cases prevent fraud from occurring in the first place. Improved network security can even mean allowing for low-dollar, low-risk transactions to be completed without either signature or PIN. The security comes from the ability to spot fraud patterns rather than through verification tools.
Other layers have become increasingly sophisticated, including the ability to better identify data compromises through “common point of purchase” analysis, enabling more rapid shut down when breaches occur.
These advances will help the industry by preventing fraud after data theft has occurred. But a more fundamental step forward would be to attack the problem at its source by reducing the amount of vulnerable data available for thieves to steal. The essential vulnerability of the data in our systems today, including the PIN, is that it is static and unchanging. The data encoded on the magnetic stripe of payment cards in the market today, as well as the associated PIN, are the same for every transaction. Once stolen, this data can be replayed to create counterfeit cards and to commit fraud.
It is its static nature that makes payment data and PIN such a tempting target for thieves, which in turn creates a significant and ongoing burden on the industry to secure it. Initially, the costs were borne primarily by financial institutions, processors and payment system operators, who made massive investments to secure their environments. Over the last five years, however, merchants have been shouldering these costs as well. The National Retail Federation estimates that merchants spent more than $1 billion by 2010 to comply with the PCI Data Security Standards, not including PIN-specific security measures, such as the PIN Security Requirements and TDES (triple data encryption standard). These standards have mitigated the frequency and severity of data compromises. But as long as our collective payment system is largely dependent on static data, we are likely to find ourselves in an endless cycle of escalating costs, protecting static data around the clock. Seen in this light, our goal as an industry becomes clear: We must eliminate static data from the system in as many places as possible. Thus it is hard to see how the long-term solution to payment security includes the further proliferation of PIN.
While it might seem helpful in the short run, the widespread deployment of static PINs will ultimately create more opportunities for criminal attacks and more costly security burdens on stakeholders. Instead, the solution is to adopt dynamic data authentication technologies: technologies that rely on dynamic data elements which – even if stolen – cannot be used in the next transaction and therefore cannot be used to commit fraud. By introducing dynamic data elements and using technology to authenticate those data elements in real time, we can create point-of-sale environments that contain no information valued by criminals and therefore are no longer the targets of criminal attacks.
While this may sound futuristic, the fact is that a variety of dynamic data solutions exist today and are used to authenticate both cards and cardholders. The EMV chip smart cards used in many parts of the world are only one example. In the card-not-present space, some issuers and merchants are using dynamic passcodes sent to cardholders by SMS text to make each transaction unique. These types of dynamic data solutions can be readily integrated into existing authentication platforms, and while still in their infancy, hold tremendous promise.
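The contrast drawn above between static data (track data and PIN, identical for every transaction) and dynamic data (a per-transaction authenticator that is worthless once used) is easier to see in code. The following is an added illustration, not code from the original article or from any payment network. It models the mechanism behind chip-card cryptograms only in simplified form: the card holds a secret key that never leaves it, keeps an application transaction counter (ATC), and computes an HMAC over the amount, currency, ATC and a terminal-supplied unpredictable number; the issuer recomputes the HMAC with its copy of the key and rejects any ATC it has already seen. The key, field layout, HMAC-SHA256 and the sample track data are assumptions chosen for the example; real EMV uses per-card keys derived from an issuer master key, session keys derived from the ATC, and a DES/AES-based MAC over the card's own data-object list, and additionally returns a cryptogram to the card.

```python
"""Illustration (not EMV): replaying static card data vs a per-transaction cryptogram."""
import hashlib
import hmac
from dataclasses import dataclass


def _tx_bytes(amount_cents: int, currency: str, atc: int, unpredictable_number: bytes) -> bytes:
    """Serialise the fields the cryptogram covers. Assumed layout for this example only."""
    return b"|".join([str(amount_cents).encode(), currency.encode(),
                      atc.to_bytes(2, "big"), unpredictable_number])


@dataclass
class StaticCard:
    """Magnetic-stripe model: the issuer's record of track data and PIN, identical every time."""
    track_data: str
    pin: str


def static_authorize(record: StaticCard, track_data: str, pin: str) -> bool:
    """Static check: whoever presents a copy of the data passes, at any terminal, any time."""
    return (hmac.compare_digest(record.track_data, track_data)
            and hmac.compare_digest(record.pin, pin))


@dataclass
class Chip:
    """Card side of the dynamic model: a secret the terminal never sees, plus a counter."""
    key: bytes
    atc: int = 0  # application transaction counter, incremented per transaction

    def generate_cryptogram(self, amount_cents: int, currency: str, unpredictable_number: bytes):
        self.atc += 1
        msg = _tx_bytes(amount_cents, currency, self.atc, unpredictable_number)
        return self.atc, hmac.new(self.key, msg, hashlib.sha256).digest()


@dataclass
class Issuer:
    """Issuer side: holds the same key and the highest ATC accepted so far for this card."""
    key: bytes
    last_atc: int = 0

    def authorize(self, amount_cents: int, currency: str, unpredictable_number: bytes,
                  atc: int, cryptogram: bytes) -> bool:
        if atc <= self.last_atc:          # counter already used: replay or rolled-back card
            return False
        msg = _tx_bytes(amount_cents, currency, atc, unpredictable_number)
        expected = hmac.new(self.key, msg, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, cryptogram):  # any changed field breaks the MAC
            return False
        self.last_atc = atc
        return True


def demo() -> dict:
    """Run both models against a skimmer that captured everything sent over the wire."""
    results = {}

    # Static model. Constructed sample data; 4111... is a well-known test PAN.
    record = StaticCard(track_data="4111111111111111=2512101", pin="1234")
    captured = (record.track_data, record.pin)           # what a tampered terminal harvests
    results["static_first_use"] = static_authorize(record, *captured)
    results["static_replay_at_atm"] = static_authorize(record, *captured)  # counterfeit works

    # Dynamic model. Hypothetical shared key for this example.
    key = b"example-card-key-not-a-real-derivation"
    chip, issuer = Chip(key), Issuer(key)
    n1 = b"\x11\x22\x33\x44"                             # terminal's unpredictable number, tx 1
    atc1, crypt1 = chip.generate_cryptogram(2500, "USD", n1)
    results["dynamic_first_use"] = issuer.authorize(2500, "USD", n1, atc1, crypt1)

    # The skimmer now holds amount, n1, atc1 and crypt1, but not the key.
    results["dynamic_replay_same_data"] = issuer.authorize(2500, "USD", n1, atc1, crypt1)
    n2 = b"\x55\x66\x77\x88"                             # a different terminal's nonce
    results["dynamic_replay_new_terminal"] = issuer.authorize(2500, "USD", n2, atc1, crypt1)
    results["dynamic_forged_amount"] = issuer.authorize(20000, "USD", n1, atc1 + 1, crypt1)

    # The genuine card keeps working: fresh counter, fresh cryptogram.
    atc2, crypt2 = chip.generate_cryptogram(1000, "USD", n2)
    results["dynamic_next_legit"] = issuer.authorize(1000, "USD", n2, atc2, crypt2)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:32s} {'APPROVED' if ok else 'DECLINED'}")
```

Two points the run makes concrete. First, the captured static data is approved on every replay, which is exactly the ATM cash-out pattern described in the previous section. Second, the captured cryptogram is declined three different ways: the issuer has already consumed that ATC, a different terminal's unpredictable number changes the MAC, and a forged amount changes it too, so the skimmer's haul contains nothing it can spend. One caveat for chip-and-PIN deployments: what becomes dynamic is the card authentication, not the PIN itself, so a PIN entered at a terminal still has to be protected end to end.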
Conclusion
The bottom line is that security is evolving, as it must. After all, the fundamental truth of payment security is that it is a constantly moving process. Criminals don’t sit still. They innovate relentlessly. The solutions that worked yesterday may not be effective today, and those that work today are unlikely to be sufficient tomorrow. Flexibility, adaptability and multiple security layers are important tactics in our war against fraud.
Without question, cardholder verification methods of various types – PIN, signature, dynamic or none of the above – will always have a place in our security arsenal. Within this range of solutions, PIN authentication has played a useful role and will continue to play its part for the foreseeable future. But it is no silver bullet, and in the long run, may even increase the vulnerability of the system to fraud.
Merchants, financial institutions and cardholders will continue to make their own choices about whether and when to employ PIN as a solution based on conditions as they evolve. But for the future of payments security, the clear choice for all of us is ultimately to adopt dynamic data solutions for cardholder authentication.