How to Ensure Credit Card Reader Consumer Safety

Modis Posted 13 April 2016

Anyone who has worked in the realm of retail surely knows that Point of Sale (POS) systems have been a hot target for attacks, hacks and other malevolent behavior. After all, the information gathered during the typical retail transaction consists of much more than just dollar amounts and SKU codes.

Today's POS systems gather information about customers, derived from loyalty cards, as well as feed into other systems that analyze shopping patterns, store traffic and countless other pieces of data, much of which offers some value to data thieves looking to steal identities and further compromise systems. Yet, the biggest chink in the armor of data protection lies with the hunk of plastic that most shoppers carry with them: the all too ubiquitous credit card.

Books have been written about scams rooted in stolen credit card information, where account numbers, expiration dates and other pieces of information have been gleaned by card skimmers. These are hidden in plain sight, right in front of a legitimate card reader, leaving victims none the wiser. Therein lies the real problem with shopping with plastic: ease of use has trumped security time and time again.

According to the Nilson Report from Statista, credit card fraud in the US reached some $7.5 Billion in losses, a number that has more than doubled since 2010, which had estimated losses of $3.6 Billion. Those numbers have prompted action, action that has taken the form of new legislative requirements, such as the continually PCI (Payment Card Industry) compliance regulations that many US firms must meet, or risk audits and significant fines.

Nonetheless, the growing scourge of credit card fraud has led to technological innovations that seek to prevent fraud, keep costs down and put concerned consumers at ease. However, those technologies can be misunderstood and are often seen as an unnecessary nuisance, a belief that must change if anti-fraud technologies are ever to take hold.

A case in point is the rise of credit cards that are equipped with security chips and require either a signature or a PIN with every transaction. Known as EMV cards (an acronym derived from Europay, MasterCard and Visa, the three companies that originally developed the standard), these chip-enabled pieces of plastic eschew the insecure magnetic stripe common on credit cards in favor of a two-factor authentication process: an integrated chip transmits the card information to the card reader, and the cardholder then either enters a PIN or signs on the reader's signature pad.

At first blush, that may seem like an additional burden for both consumers and those responsible for POS system security. After all, new card readers will have to be installed (which, in most cases, has already been done as part of PCI requirements), while consumers will have to go through some additional steps when checking out. Although the federal government isn't forcing EMV upon retailers just yet, the technology should go a long way towards reducing fraud and further protecting customers from unscrupulous transactions on their credit cards.

So how exactly does EMV change the payment card game?

Prior to EMV, all of the card data was stored on the magnetic stripe on the back side of the card, without any encryption or other protective measures. Cards with stripes were swiped during checkout and the checkout terminal would read the data from the magnetic stripe. That data remained static (meaning it never changed, no matter how often you used your card) and made it relatively easy for fraudsters to break into the terminal or the network, steal the card number, and use it elsewhere.

EMV cards are equipped with an embedded microprocessor chip, which makes it difficult to steal information when the card is used to make an in-person transaction. The microprocessor chip in the EMV card generates a unique code for every transaction, effectively making the information obtained useless for any future transactions. Even if someone intercepts the data, that data would prove useless, because it won't work a second time. What's more, the captured data can never be traced back to the actual credit card number.

Simply put, EMV chips obfuscate the basic information, which would normally be stored on the magnetic stripe, making interception and reuse practically impossible.
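The contrast between static stripe data and a per-transaction code can be shown with a small model. This is an added example, not code from the article or from the EMV specifications: HMAC-SHA256 stands in for the real EMV cryptogram, and the `ChipCard` and `Issuer` classes, the field names and the `CARD-0001` identifier are all hypothetical.

```python
import hashlib
import hmac
import secrets

class ChipCard:  # toy model; HMAC-SHA256 stands in for the real EMV cryptogram
    def __init__(self, card_id, key):
        self.card_id, self._key, self.atc = card_id, key, 0

    def sign(self, amount_cents, nonce):
        self.atc += 1  # transaction counter advances on every use
        msg = f"{self.card_id}|{self.atc}|{amount_cents}|{nonce}".encode()
        mac = hmac.new(self._key, msg, hashlib.sha256).hexdigest()
        return dict(card_id=self.card_id, atc=self.atc, amount=amount_cents, nonce=nonce, mac=mac)

class Issuer:
    def __init__(self):
        self._keys, self._last_atc = {}, {}

    def issue(self, card_id):
        key = secrets.token_bytes(32)  # shared only by the chip and the issuer
        self._keys[card_id], self._last_atc[card_id] = key, 0
        return ChipCard(card_id, key)

    def verify_stripe(self, stripe_data):  # static data: a copy looks like the original
        return "APPROVE" if stripe_data in self._keys else "DECLINE"

    def verify_chip(self, req):
        key = self._keys.get(req["card_id"])
        if key is None:
            return "DECLINE: unknown card"
        msg = f"{req['card_id']}|{req['atc']}|{req['amount']}|{req['nonce']}".encode()
        expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, req["mac"]):
            return "DECLINE: bad cryptogram"
        if req["atc"] <= self._last_atc[req["card_id"]]:
            return "DECLINE: counter already used"
        self._last_atc[req["card_id"]] = req["atc"]
        return "APPROVE"

def demo():
    issuer = Issuer()
    card = issuer.issue("CARD-0001")  # constructed identifier
    first = card.sign(1999, secrets.token_hex(4))
    forged = dict(first, amount=999999, atc=first["atc"] + 1)  # edited copy
    return [issuer.verify_chip(first),   # genuine transaction
            issuer.verify_chip(first),   # captured data replayed
            issuer.verify_chip(forged),  # captured data altered without the key
            issuer.verify_chip(card.sign(500, secrets.token_hex(4))),  # next real one
            issuer.verify_stripe("CARD-0001"), issuer.verify_stripe("CARD-0001")]
```

Calling `demo()` returns the issuer's decision for each case in order: the replayed and altered chip messages are declined, while the same stripe data is approved both times.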