Protecting Consumers from E-Skimming Attacks this Holiday Season

As Americans take to stores and the internet this holiday season to buy gifts for loved ones, questions linger in the back of their minds as to whether their personal information is at risk when they reach for their credit cards or click “purchase now.” Given that the FBI issued a warning just last month on e-skimming attacks targeted specifically to small- and medium-sized businesses, it is understandable why consumers are cautious during checkout. 

With skimming fraud, criminals attach unnoticeable devices to credit card readers at any bank or nonbank location such as an ATM or gas pump. A simple swipe can lead to devastating consequences for compromised information once a scammer gains control of sensitive payment data. In fact, the number of payment cards compromised at U.S. ATMs and merchants monitored rose 70 percent in 2016. The newest skimming techniques even utilize Bluetooth and mobile phone signals to move your personal information via text message, allowing criminals to do their work from anywhere.

Unfortunately, credit card information theft caused by skimming isn’t just a problem abroad, but is also on the rise in the United States. In fact, U.S. retailers experience the most data breaches, largely because they are spending their cybersecurity money on ineffective security measures. It is surprising, yet true, that too many retailers continue to rely on outdated technologies that are vulnerable to practices like skimming. For example, some retailers still use obsolete card readers that are not chip-enabled and instead rely on 1960s PIN technology. PINs, however, can be stolen through card readers which thieves then use to access a consumer’s account, similar to what recently happened at a Walmart in Fredericksburg, Virginia. Many gas stations have also failed to install updated technology in a timely manner, pushing deadlines despite growing safety concerns. Accordingly, these problems have motivated the Senate to increase funding to ensure that the right security measures are taken to thwart threats, and to keep the sensitive information of Americans safe.

The time to invest in appropriate countermeasures is now. EMV chip technology, now widely available due to the efforts of banks and card networks, makes fraud extremely difficult and has helped to lower cases of counterfeiting by 87 percent in retail stores that have chosen to utilize the technology. Unfortunately, while these chips are found on most credit and debit cards, too many retailers continue to stay with obsolete technology, which leaves their customers exposed to thieves looking to take advantage of inadequate safeguards. 

While retailers are slow to address gaps in privacy protection, banks and card networks, on the other hand, have invested billions to boost security for shoppers – developing innovative measures such as artificial intelligence, biometrics and tokenization, along with EMV chip technology.

Together, Visa and Mastercard are implementing tokenization technology that uses unique identifiers, or digital tokens, in place of sensitive card information during transactions. When used with both a cryptogram and domain restrictions, these tokens become useless if breached by a hacker, and keep sensitive information safe. These banks and card networks have even created processes that utilize the new EMV Secure Remote Commerce standard to safeguard purchases made when a card is not present, such as internet shopping or transactions made over the phone.

All of the countless security advancements being made by financial institutions will mean little, however, if the retail establishments consumers shop at day-to-day opt out of utilizing them for security. The technology is available to effectively prevent this type of fraud, but it’s now a matter of whether retailers want to play their part in payment safety. 

For retailers to stick with old security methods in a constantly shifting data landscape is both irresponsible and short-sighted. In order to keep pace with the times, retailers need to join banks and card networks in utilizing a host of modern authentication technologies, including EMV, tokenization, and end-to-end encryption. 

Banks have done, and will continue to do, their part to protect American consumers from fraud and privacy breaches. At the same time, retailers should be held to the same high standard so that consumers can trust that the most up-to-date technologies are in place to safeguard their information during the holiday shopping season and beyond.

Jeff Tassey is the chairman of the board of the Electronic Payments Coalition.

Morning Consult welcomes op-ed submissions on policy, politics and business strategy in our coverage areas. Updated submission guidelines can be found here.