Thwarting Card Fraud at RetailersFirst Data's Kleinschnitz Outlines Vital Steps
Advanced payments technologies, such as chip cards, tokenization and end-to-end encryption, are quite effective at stopping card fraud at retailers, but only if they're used as part of a comprehensive threat-mitigation plan, says Paul Kleinschnitz, general manager of payment processor First Data's cybersecurity solutions team.
Many U.S. merchants don't fully understand or appreciate today's cyberthreats, and therefore are not adequately prepared to take the steps needed to mitigate their risks, he says in an interview with Information Security Media Group (transcript below).
"It's not really about finding new technology or a solution," Kleinschnitz says. "It's really about educating our clients about the threats," and collaborating more with industry partners about how to address those threats.
During this interview, Kleinschnitz discusses:
- Programs First Data is launching to educate merchants about emerging risks and threats;
- How industry collaboration is strengthening the payments chain; and
- How recent retail breaches have spurred more interest in EMV and other advanced technologies.
Kleinschnitz's team oversees integrated technologies that help merchants and financial institutions manage cybersecurity and fraud. He is responsible for guiding First Data's cybersecurity initiatives and equipping clients with defenses. Before joining First Data in 2013, Kleinschnitz worked for RSA, The Security Division of EMC, as a data and payments security leader for the Americas. He has more than 15 years of experience as a threat management professional, with a career spanning security solutions, product development and consulting.
TRACY KITTEN: What are some of the key areas that First Data is focusing on between now and the end of the year to address emerging fraud risks?
PAUL KLEINSCHNITZ: This is something that First Data is taking very seriously and has invested quite a bit in. The way we look at cyberthreats, and how we're focused this year and beyond, really is in four major categories. The first is visibility. We continue to invest in technologies, processes and resources that will give us a greater visibility into adversaries, their motives, trends and threats, not only for our own security, but so that we can pass on that knowledge to our clients and build solutions around that.
Second is around education and awareness for our clients. We have a unique position: We have a highly skilled, highly funded team, and we know that our clients don't necessarily have that luxury. We distill information to our clients so they can be better educated and aware of the threat landscapes. These are changing on a regular monthly, and sometimes, daily basis.
Third is adoption. ... There are best practices that we want to make sure our clients are aware of and adopting. We're doing that by providing solutions that are as easy as possible for our clients to deploy. Lastly, we provide best-in-class technology that is the right size for our clients. We have over 2.5 million merchants, for example, most of which are considered small merchants; and they don't have access to the technologies that larger merchants do. We're working very hard to provide solutions so they can actually leverage some of the same technologies.
Large Scale Breach Response
KITTEN: How have merchants responded, from a data-security standpoint, to large-scale breaches?
KLEINSCHNITZ: The recent and very public events highlight what's really happening at the core of this criminal activity. Just to put some data on this; every 18 seconds there is a cyber-victim. What's probably the most interesting thing is that cybercrime has become the most profitable organized crime, surpassing even the illegal drug trade, in the world today. Motivations for criminals are very strong; their business is good. So yes, merchants are definitely taking a closer look. They are rethinking their approach. They're rethinking solutions and who they partner with, and what solutions they should be deploying, as they should be. The good news is there are entities like First Data that have been tracking this for a while and have solutions ready to support these clients.
KITTEN: Can you give us some background about First Data's deal with Visa for EMV debit transaction-routing and processing?
KLEINSCHNITZ: First Data's STAR Network is going to be using PIN as well as First Data's common AID, or application identifier, to facilitate different types of debit transactions on our network. Those transactions include PIN and PINless signature cardholder verification methods. This AID will facilitate U.S. debit transactions from any debit network that licenses the Visa Common AID Solution. So this is really about us reaching out and being a grand collaborator with other large entities in the space to help the adoption and speed to market, if you will, for solutions that we know our clients need to adopt.
KITTEN: What are the next steps from First Data's perspective for a successful and timely migration to EMV on the US debit side?
KLEINSCHNITZ: Our clients really need to be looking to their partners, whether it be their issuers and or their processors, to understand the steps necessary to either issue new cards, certify new platforms, or adopt new technologies. First Data is uniquely prepared to support all three of these aspects through our partnerships and preparations we have made in and to our systems.
Tokenization Used With EMV
KITTEN: How effective would you say tokenization is, and how might it be used in conjunction with EMV?
KLEINSCHNITZ: One of the inhibitors to adoption in this space has been, in my opinion, a lack of knowledge or awareness of how these technologies work together versus compete, as an "or" versus an "and." What I mean by that is that it's important to understand how these technologies are deployed and what threat vectors they are addressing. For example, EMV's purpose is authentication; authenticating that card to the cardholder and the threat vector that it's solving is counterfeit cards. It does a phenomenal job at that, but that's it. That is what EMV does. That is what it is designed for. As you continue through a payment or transaction process, you need to be concerned about securing the rest of that transaction. So, in other words, end-to-end encryption is a best practice for data in use and data in flight. First Data has a TransArmor Solution, which is encryption and tokenization. We encrypt that cardholder information at the point-of-swipe, and while it's being transported from the merchant to us, traversing whatever network and means it needs to, it stays encrypted to the point where we decrypt it within our data center.
At that point, we address another threat vector, which is data at rest. We take that PIN and translate it to a token, and return that token to the merchant. If you think about this from a criminal's perspective, they think of it like water; they find the path of least resistance. We believe that a layered security approach that is best in practice starts with EMV, continues with encryption and finishes that with tokenization. Our strategy behind this, and why tokenization, specifically, is so effective, is that we know if the data is not there, then there is nothing to steal. In other words, when you convert a PIN to a token, you are removing the value that a criminal goes after in the event there is a breach and data is exfiltrated.
KITTEN: How long has First Data been offering encryption and tokenization solutions?
KLEINSCHNITZ: Our TransArmor Solution, which is our encryption and tokenization product, has been in the market for over four years. In fact, we have over 600,000 merchants using this technology. We have secured over a billion transactions to date and are on track to secure another billion this year. By the end of 2014, we'll have 2 billion transactions secured and well over three quarters of a million merchants leveraging the technology.
KITTEN: Has interest in TransArmor grown in recent months?
KLEINSCHNITZ: Absolutely. And our biggest focus is around the awareness - making sure our clients understand each of these technologies, and that there is not one silver bullet.
KITTEN: What is First Data doing to help merchants ensure PCI compliance on an ongoing basis?
KLEINSCHNITZ: We know that PCI compliance doesn't equal security, but it is absolutely the first and right step. The PCI Data Security Standard is a set of very relevant and real guidelines that every merchant not only is required to but should go through. We have solutions specifically for our Level 4 merchants, our small- to medium-sized merchants. We make this process very easy on them.
KITTEN: What more needs to happen?
KLEINSCHNITZ: Adoption, awareness and education. First Data has had technologies in its platform and environments for a number of years. It's really not about finding new technology and solutions. It's about educating our clients and industry about the threats and how to solve for them. Lastly, we need to, as an industry, do a better job of collaborating among ourselves against our adversaries, because they do a really good job of collaborating against us.