January 12, 2016 technology

Data Breaches: Who’s Minding Your Data?

By Angela Foster

High-profile data breaches are an increasingly common incident. As a result of numerous large-scale data breaches and increasing rates of counterfeit card fraud, U.S. card issuers are switching to new technology to protect consumers and reduce the costs of fraud. Credit card companies set an October 1, 2015, deadline for the switch to chip-enabled cards, which have embedded computer chips that make them more difficult to hack.

So how did we get here? During the peak of the 2013 holiday season, a data breach compromised the credit and debit card information of 40 million customers who shopped in Target stores. The breach of Target's computer systems also compromised the personal information of as many as 70 million people. Although the exact amount of fraud that resulted from the Target breach is unknown, the breach cost Target at least $148 million in legal, consulting, and credit monitoring services. The hackers have not been identified.

In September 2014, Home Depot reported 56 million cards compromised in a five-month attack on its terminals. Home Depot warned investors that the data breach cost $43 million and resulted in dozens of lawsuits and a number of government investigations that could adversely affect the company's business operations.

Additionally, a 2014 study found that data breach incidents increased by 29 percent from 2013 to 2014, with one billion personal and sensitive records compromised in 2014. These incidents and studies have pushed banks, retailers, and card companies to quickly incorporate microchips in U.S. credit and debit cards. Card issuers Europay, MasterCard, and Visa (EMV) created a global standard for cards equipped with computer chips and the technology used to authenticate chip-card transactions. As a result, after October 1, 2015, liability for credit card fraud will shift to the party that is the least EMV compliant.

Chip Card Technology

Traditional credit and debit cards possess magnetic stripes that contain personal information about the cardholder. This information is used to authenticate the card at the point-of-sale terminal before the purchase is authorized. Because the cardholder's data never changes, anyone who copies the magnetic stripe can easily replicate that data and gain access to the sensitive card and cardholder information necessary to make purchases. This makes traditional cards prime targets for counterfeiters who convert stolen card data into cash.

The new EMV cards possess a small metallic square that contains a computer chip. EMV transactions at chip point-of-sale terminals provide more security of consumers' personal data than magnetic stripe point-of-sale transactions. Unlike magnetic stripe cards, every time an EMV card is used for payment, the card chip creates a unique transaction code that cannot be used again. EMV card transactions transmit data between the merchant and the issuing bank with a special code that is unique to each individual transaction. This provides the cardholder greater security and makes the EMV card less vulnerable to criminal activity while the data is transmitted from the chip enabled point-of-sale to the issuing bank.

Interestingly, the United States is the last major market still using the magnetic stripe card system. To combat high fraud rates, many European countries moved to EMV technology years ago.

Just like magnetic stripe cards, EMV cards are processed for payment in two steps: card reading and transaction verification. However, EMV chip cards are read in a different way. Instead of swiping your card, you insert (dip) your card into a terminal slot and wait for it to process. When an EMV card is dipped, data flows between the card chip and the issuing financial institution to verify the card's legitimacy and create the unique transaction data.

EMV also contemplates a contactless card reading system called "near field communication." Instead of dipping or swiping, the near field communication equipped cards are tapped against a terminal scanner that picks up the card data from the embedded computer chip.

Issuers will be able to verify the user's identity with cards equipped with a personal identification number (PIN), which is known only to the cardholder and the issuing financial institution. Chip-and-PIN cards operate just like the checking account debit card you have been using for years. Entering a PIN connects the payment terminal to the payment processor for real-time transaction verification and approval. As with a magnetic stripe credit card, you can sign on the point-of-sale terminal to take responsibility for the payment when making a chip-and-signature card transaction.

To assist in the transition to chip cards, the first round of EMV cards will include both chip and magnetic stripe functions so consumers' use is not disrupted and merchants can adjust. If chip card readers are not in place at a merchant, the EMV card can be read with a swipe like a traditional magnetic stripe card.

The FBI emphasizes that although EMV cards provide greater security than traditional magnetic stripe cards, an EMV chip does not stop lost and stolen cards from being used in stores or for online or telephone purchases when the chip is not physically provided to the merchant (also referred to as a card-not-present transaction). Additionally, the data on the magnetic stripe of an EMV card can still be stolen if the merchant has not upgraded to an EMV terminal and it becomes infected with data-capturing malware. Consumers are urged to use the EMV feature of their new card wherever merchants accept it to limit the exposure of their sensitive payment data.
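The distinction drawn above between static stripe data, which authorizes again every time it is copied, and the chip's one-time transaction code can be seen in a small simulation. This is an added illustration, not code from the article or from the EMV specifications: the card key, the track data and the HMAC-based cryptogram are constructed stand-ins for the issuer-specific keys and cryptogram algorithms that real EMV cards use.

```python
import hashlib
import hmac
import secrets

# Constructed demo values; real cards use issuer-derived per-card keys.
CARD_KEY = b"constructed-demo-card-key"
KNOWN_TRACK = "4111111111111111=2512;cvv=123"  # constructed test PAN, not a real card


def magstripe_authorize(track_data: str) -> bool:
    """Stripe data is static: the issuer cannot tell a copy from the original."""
    return track_data == KNOWN_TRACK


class ChipCard:
    def __init__(self, key: bytes):
        self.key = key
        self.atc = 0  # Application Transaction Counter: increments on every use

    def cryptogram(self, amount_cents: int, terminal_nonce: bytes) -> dict:
        """Build a per-transaction code over the counter, amount and terminal nonce."""
        self.atc += 1
        msg = f"{self.atc}|{amount_cents}|{terminal_nonce.hex()}".encode()
        mac = hmac.new(self.key, msg, hashlib.sha256).digest()
        return {"atc": self.atc, "amount": amount_cents, "nonce": terminal_nonce, "mac": mac}


class Issuer:
    def __init__(self, key: bytes):
        self.key = key
        self.last_atc = 0  # highest counter value already accepted for this card

    def authorize(self, tx: dict) -> bool:
        msg = f"{tx['atc']}|{tx['amount']}|{tx['nonce'].hex()}".encode()
        expected = hmac.new(self.key, msg, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tx["mac"]):
            return False  # fields altered or code forged without the card key
        if tx["atc"] <= self.last_atc:
            return False  # a transaction code seen before: replay rejected
        self.last_atc = tx["atc"]
        return True


def run_demo() -> tuple:
    card, issuer = ChipCard(CARD_KEY), Issuer(CARD_KEY)
    first = card.cryptogram(2599, secrets.token_bytes(4))
    genuine = issuer.authorize(first)                    # accepted once
    replayed = issuer.authorize(first)                   # same code again: rejected
    tampered = issuer.authorize(dict(first, amount=99))  # amount changed: rejected
    next_tx = issuer.authorize(card.cryptogram(1200, secrets.token_bytes(4)))
    stripe_twice = magstripe_authorize(KNOWN_TRACK) and magstripe_authorize(KNOWN_TRACK)
    return genuine, replayed, tampered, next_tx, stripe_twice
```

The same copied stripe authorizes as often as it is presented, while a captured chip transaction code is refused the second time and cannot be altered, which is the property the liability shift rewards.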

Fraud Liability Shifts

Currently, if an in-store transaction uses a counterfeit, stolen, or otherwise compromised card, consumer losses from that transaction fall back on the payment processor or issuing bank, depending on the card's terms and conditions. After October 1, 2015, the liability will shift to whichever party is the least EMV compliant in a fraudulent transaction. For example, if a financial institution issues a chip card used at a merchant that has not changed its system to accept chip technology, the cost of a fraud will fall on the merchant. Automated fueling dispensers will have until 2017 to make the shift to EMV. Until then, they will follow existing fraud liability rulings.

So who is liable for what and when under the liability shifts? As of October 1, 2015, liability for fraudulent transactions will shift to the acquirer/merchant in certain cases if they do not use EMV chip-enabled devices and applications to process payment transactions. The impact of these October 2015 liability shifts to the acquirer/merchant depends on whether EMV chip cards are used and EMV-chip-enabled payment acceptance devices/applications are deployed.

Beginning in October 2015, card issuers and the acquirer/merchant may also be liable for a chargeback resulting from lost or stolen cards that were not copied or counterfeited. One scenario is when a PIN-preferring (either online or offline PIN) chip card that has been stolen is presented at a magnetic stripe-only device/application, and the stolen chip card is processed as a magnetic stripe transaction. Another scenario is when a PIN-preferring (either online or offline PIN) chip card that has been stolen is presented at a chip-enabled merchant device/application that does not support either online or offline PIN, and the stolen chip card is processed as a signature chip transaction.

Potential Litigation Issues

Large merchants appear ready for a switch to chip-reading terminals while small businesses do not. Presumably, the cost of these new terminals may make the change cost prohibitive; however, they run the risk of being held liable for fraudulent charges made on traditional cards. Some small merchants who have never experienced a fraud or breach are willing to take this risk. This is faulty thinking on the merchant's part. Oftentimes, the credit card issuer deals directly with the cardholder and may not have involved the merchant. Additionally, we may see a trend where hackers begin to target small businesses who have not switched to the chip card.

On October 13, 2015, the FBI released a public statement warning consumers that the new chip does not prevent online fraud or point-of-sale compromises of the type experienced in the Target breach. The warning emphasizes the weakness of chip and signature-based systems rather than the chip and PIN and instructs merchants to require a PIN number in place of a signature whenever possible.

With the increase in data breaches and potential lawsuits, it is imperative that businesses take a proactive approach to protecting their data and have a plan in place in case a data breach does occur. Grounded in state and federal laws, businesses must take reasonable and appropriate security measures to protect the security of their consumer data. What counts as reasonable and appropriate is contingent on the context of a merchant's data collection and security practices. Merchants should develop internal policies and protocols that include breach notification requirements and security measures. The FBI encourages merchants to handle the EMV card and its data with the same security precautions they use for standard credit cards.

Merchants handling sales over the telephone or via the Internet are encouraged to adopt additional security measures to ensure the authenticity of cards used for transactions. At a minimum, merchants should use secure servers and payment links for all Internet transactions with credit and debit cards, and information should be encrypted, if possible, to prevent hackers from compromising card information provided by consumers. Credit card information taken over the telephone or through online means should be protected by the retailer, including by encrypting digital information and securely disposing of written credit card information.

Considering the complexity of the chip card conversion and concerns about liability shifting, lawsuits are inevitable. Further, because the chip card transition only began October 1, 2015, the practical consequences of the chip card are unsettled, and only time will reveal its impact.


Angela Foster is an associate editor for Litigation News.


Keywords: data breach, credit card fraud, chip card technology, EMV card

Copyright © 2016, American Bar Association. All rights reserved. This information or any portion thereof may not be copied or disseminated in any form or by any means or downloaded or stored in an electronic database or retrieval system without the express written consent of the American Bar Association. The views expressed in this article are those of the author(s) and do not necessarily reflect the positions or policies of the American Bar Association, the Section of Litigation, this committee, or the employer(s) of the author(s).