We wanted to update you on an item we ran last week, wherein California’s State Senate was on the verge of issuing its own mandates for a switch over to EMV standards in card transactions, setting April 1, 2016 as the date.
However, according to a report in Computerworld, “the full Senate missed the voting deadline of May 30, ending its chances of passage until a new legislative session begins.”
So the law isn’t exactly dead — but questions remain about whether it will be enacted the closer it gets to the push for EMV that card issuers are already making: “Under the current timetable set by the credit card companies, U.S. retailers are required to support EMV by October 2015 or face increased liability exposure in the event of a data breach.”
While the proposed law appeared to have a lot of political backing — though letting it “expire” could be a low-cost way, politically speaking, to vote “against” it — there were parties opposing it, among them the San Francisco Chamber of Commerce, which said the legislation “sets back a more comprehensive national plan for issuing, accepting, and processing chip-imbedded credit and debit cards by creating a 'California only' technology mandate.”
While it’s not entirely clear how a later state deadline — though one more hard and fast — would “set back” a rollout seen as happening anyway, the Chamber made another interesting comment, saying the bill “would needlessly tie businesses to one method of preventing hacker attacks while stifling efforts to find other new ways of countering fraud.”
What’s interesting is that Chamber doesn’t specify what these other non-EMV methods might be, how EMV would preclude using them, or whether this infers there is greater reluctance among businesses to adopt the new standards.
And some kind of “new standards” will definitely be needed. The Trustwave Global Security Report for 2014 is out, and yes, breaches are up — and not only the “spectacular” ones, like Target (or more recently, eBay!). Of these, “85 percent of the breaches made use of vulnerabilities in third-party tools, among them Java, Flash, and Adobe.”
One thing the report suggests is to simply make sure all the apps you use on personal, and company, computers are up-to-date. Additionally, “researchers found that weak passwords were a factor in 31 percent of the breaches under investigation.”
Further, according to a summary in PC Mag, “Point-of-sale breaches, like last year's Target fiasco, accounted for 33 percent of the total. As for where the breaches occurred, the U.S. is number one both in victim organizations and perpetrator location."
That would be the same U.S. still struggling to adopt EMV standards. Or not.
After all, something needs to be done, sooner rather than later, since it’s doubtful that next year’s Trustwave report will report a sudden, precipitous decline in breaches and fraud.