In Russia alone, stolen payment card information is a $680 million-per-year industry, according to Moscow-based security company Group IB. With that much money to be made, it’s no wonder why cyber-attacks are so common. And who are Russian hackers’ biggest target? The United States. Researchers analyzed just one of many sophisticated underground data-swapping sites and found that data from five million of the seven million cards offered up originally came from Americans.
While it would appear that these hackers are the digital equivalent of smash-and-grab burglars out to sell your personal information for a quick buck, there are signs of more sinister forces at work. Russian hackers with apparent government connections are thought to have been responsible for the J.P. Morgan cyber-attack. It has even been speculated that the attack could be in retaliation for U.S.-led sanctions against Russia.
But it goes further. In May, the U.S. Department of Justice charged five members of the Chinese People’s Liberation Army’s “Unit 61398” – a division of elite military hackers based in Shanghai – with attempting to infiltrate the networks of several U.S. corporations. Cyber-attacks are not merely the concern of companies and individuals affected – they are a national economic and security threat.
Recognizing this, the U.S. government has taken laudable action. The New York Times has reported that President Obama and his national security team have been regularly briefed on the J.P. Morgan attack, viewing it as a top priority. On Friday, Obama went further, signing an executive order aimed at addressing cyber threats to consumers. Specifically, the president set a new policy that requires newly issued and existing government credit and debit cards be enabled with the Chip-and-PIN (Personal Identification Number) technology that retailers have long sought.
Chip-and-PIN cards are already the standard in Canada and much of Europe. Chip-and-PIN cards dramatically enhance card security and reduce cyber threats by rendering the basic card information, which today is contained on a magnetic stripe developed in the 1960s, useless to thieves. The Chip is enabled with a dynamic security feature that generates a unique security code for each transaction, ensuring that the card being used is not counterfeit. The requirement that the cardholder use a PIN ensures that the card is in possession of the rightful person. This two-factor authentication technology is in place in nearly every other G-20 country today and the reduction in fraud has been substantial. According to the Federal Reserve, PINs on debit cards make them 700 percent more secure than transactions authorized by signature.
We have seen how successful Chip-and-PIN has been in other countries: payment card fraud in the United Kingdom was cut by nearly 50 percent between 2008 and 2011. Starting this year, many U.S. retailers are ready to implement Chip-and-PIN technology to increase security for our customers and it will be more widely available next year.
Use of payment cards brings together many stakeholders, including merchants, the card networks, the issuing banks, and credit unions. To effectively fight sophisticated and evolving cyber criminals the entire payments ecosystem must work together to deploy the best security technology available today and develop next-generation payment card technology. RILA is proud to co-chair the Merchant/Financial Services Cybersecurity Partnership. I believe deeply that today’s news regarding Chip-and–PIN, and the positive dialogue within the Partnership, present a great opportunity for card security innovation and collaboration in the U.S.
When defending against cyber attacks, there are no silver bullets. Instead, strong defenses rely on layers of protections. Widespread migration to Chip-and-PIN is one of those very important layers. Working across the payments ecosystem with merchants, card networks, banks and credit unions, we hope to achieve that goal and build for a more secure future for our shared customer, the American consumer.
Kennedy is president of the Retail Industry Leaders Association (RILA).