Why didn’t EMV prevent the Arby’s breach?

Why didn’t EMV prevent the Arby’s breach?
Posted: Apr 19, 2017
Comments: 0
Author: Lou Grilli

The breach involved malware placed on payment systems inside Arby’s stores

Very recently another major breach of payment card data was made public, this time by Arby’s. The breach compromised more than 355,000 credit and debit cards at Arby’s 1100 corporate-owned stores nationwide.  The breach, which is estimated to have occurred between Oct. 25, 2016 and January 19, 2017, involved malware placed on payment systems inside Arby’s stores. And this comes at a time when many credit unions are still recovering from the losses and costs associated with the recent Wendy’s breach, which was also large-scale, as well as massive breaches at Target and Home Depot and several others over the last two years.

Many credit unions have been raising legitimate questions regarding the benefit of EMV in light of these breaches, namely:

  • “Why doesn’t EMV (chip cards) prevent this kind of fraud?”
  • “If a credit union has previously issued chip cards, how can a card still be compromised?”
  • "If a credit union has not issued chip cards yet, is this a reason to?”

EMV was intended to prevent counterfeit cards from being used at a POS. U.S. credit unions and banks saw about $4.5 billion in counterfeit card fraud before chip cards started being issued, which accounted for about 72% of all card fraud world-wide, since we were the last developed nation to adopt chip cards. Since then, merchants that have upgraded to chip enabled terminals have seen a 43%-54% decrease in counterfeit fraud. That number should be greater except for the many mag stripe only cards still in use.

While EMV works perfectly at preventing a counterfeit card from being used at a chip-enabled terminal, it cannot prevent a hacker from downloading malware to a terminal and stealing payment credentials as it is being read by the terminal. And once the card data is stolen, EMV cannot prevent that card from being used at an ecommerce site (that doesn’t validate CVV2) to purchase an e-gift card, prepaid phone card or other easily convertible item which is why it is still advisable for a credit union to re-issue a compromised chip card after a breach. But EMV does prevent that card data from being burned onto a mag stripe of a counterfeit card and being used at any chip-enabled POS, greatly limiting any further losses from fraud exposure.

If a non-chip card has been compromised in a breach, that card is wide open to fraudulent use. That card data can be copied and distributed quickly to multiple fraud rings across the country to create counterfeit cards to purchase high-end electronic goods from Walmart and Best Buy, and gift cards from grocery stores, all carried out within a few days or even a few hours of the card data being obtained by the hackers, posted to the “dark web”, and sold to the counterfeiters. And as long as there are mag stripe cards still in use, fraudsters will continue to cause massive breaches like the Arby’s example, to obtain mag-stripe card data.

Hopefully this is a wakeup call to look for, pay attention to, and act quickly on Visa CAMS alerts and MasterCard ADC alerts; be quick to shut down compromised cards, and consider moving up the schedule for re-issue of chip cards. And for those credit unions who have not begun to issue chip cards, hopefully this and other breaches will inspire action.

Rate this article:
Lou Grilli

Lou GrilliLou Grilli

Lou is the AVP of Product Development & Thought Leadership at Trellance. In this role, he is responsible for managing the organization’s product portfolio, as well as providing leadership on industry trends related to data analytics and payments.

Other posts by Lou Grilli

Full biography , Contact author

Please login or register to post comments.


Featured Stories