NCCoE Explores the Challenges of Card-Not-Present Fraud and Consumer Data Security at TRANSACT 16

As part of our outreach efforts, this week the National Cybersecurity Center of Excellence (NCCoE) attended the Electronic Transaction Association annual conference, TRANSACT 16, to engage the retail and commercial payment ecosystem as we scope out new projects at the NCCoE, focused on the consumer-facing/retail sector.

This conference reinforced many of the cybersecurity concerns that we have heard from retailers across the country: with the move to EMV technology that protects credit cards and credit card data, fraud will move from card-present transactions to card-not-present (e.g. online) transactions. This concern, coupled with the ever-increasing use of mobile payments, was discussed at multiple mobile payment and cybersecurity-focused tracks during the conference. Statistics from Forrester Research shared during one track at TRANSACT 16 noted that one third of consumers do not feel comfortable storing their credit card information with retailers they purchase from regularly.

Beyond this pressing topic, panelists and experts also discussed an issue that highlights a second project under consideration at the NCCoE: helping consumer-facing and retail organizations improve security for non-credit card, sensitive consumer data that is collected, stored, transmitted, and used legitimately for various business purposes. Other statistics from Forrester Research reinforce the value of such an NCCoE project: 41% of consumers surveyed are very concerned about personal data privacy and security with regard to mobile payments, while only 11% said they were not concerned.

Personal data privacy and security also came up in the session, “Pioneering Protection Beyond PCI,” moderated by Brad Corrion (Intel Corporation) and featuring panelists David Gosman (HP), Dr. Robert Martin (Ingenico), George Rice (Hewlett-Packard Enterprise), and Tiffany Trent-Abram (Transact Network Services). Panelists discussed the abundance of sensitive and personally identifiable information (PII) about consumers that is collected and used for various business purposes by consumer-facing and retail organizations and their affiliates and partners.

However, among this large set of data, only a small subset, “cardholder data” – data related to credit card accounts, such as account numbers, cardholder name, expiration date and/or service code, as defined by the Payment Card Industry Data Security Standard (PCI DSS) – is regulated. Because many organizations are strongly motivated to achieve and maintain compliance in their industries, security measures that go beyond the compliance baseline are sometimes neither prioritized nor implemented.

In the case of consumer-facing and retail organizations, this can leave sensitive consumer data at risk, potentially resulting in identity theft and fraud, which are time-consuming and expensive to remediate and damaging to a retailer’s reputation and its relationship with consumers. The panelists also described protecting non-credit card, sensitive consumer data in the U.S. as a potential market differentiator for retailers, their affiliates, and partners, noting that improved security in this area could help an organization get ahead of the regulations they consider all but inevitable in the U.S., which would require stronger protection of non-credit card PII in the retail and commercial payment ecosystem.

Though TRANSACT 16 is now over, we at the NCCoE enjoyed the discussions and are excited at the new connections that were made. As part of the NCCoE’s collaborative process, this conference provided a great space to engage a critical group of stakeholders within the retail sector.

We’ll be heading to the R-CISC Cyber Summit on Monday, April 25 to share our latest consumer-facing/retail project developments, and we hope to unveil some exciting new work focused on the two cybersecurity concerns noted above.

If you’re a member of R-CISC, join us at our breakout session at 10:40 a.m. on Monday, April 25.

If you’re not a member but interested in collaborating on these cybersecurity concerns, join our community of interest. Email us at consumer-nccoe@nist.gov to join.