Too Late for EMV in the U.S.?

Gartner Analyst Says Payment Advances Will Leap EMV

Anton Chuvakin

While some payments networks and banking institutions are hopeful that advanced chip technology that complies with EMV - the Europay, MasterCard, Visa standard - will eventually be adopted in the U.S., Anton Chuvakin, an analyst with the consultancy Gartner, says it could be too late.

Chuvakin says more advanced payments options trump EMV card transactions, and he questions whether the investment in EMV makes sense.

"I don't see EMV making an impact in 2014, 2015 or 2016," Chuvakin says during this interview with Information Security Media Group [transcript below]. "There are so many other interesting developments, [like] mobile technology and alternative payments schemes. To me, I just don't see EMV sticking."

Chuvakin says expenses associated with hardware upgrades needed to accommodate a shift to chip cards have been a big hindrance for merchants.

"It's hard to imagine that merchants would drop their terminals and magically adopt the terminals to support EMV," he says. "Because of hardware changes needed; because of all the RFID and wireless technology; because of mobile devices and other experiments that companies like PayPal are running; I'm not sure I see the place for EMV in the U.S. anymore."

Chuvakin says it's more likely the U.S. payments infrastructure will simply leap to some yet unforeseen payments scheme within the near future. "At this point, there are so many interesting competing options with minimum market shares, it's hard to imagine what it would be," he says. "But given those options, it's hard to believe that EMV would be one of them."

During this interview, Chuvakin also discusses why:

Many of the fraud and security risks the industry faces in 2014 are the same as they were 20 years ago;

The impact mobile technology will have on payments in the U.S.;

Vendor management is not a priority for most organizations.

Before Chuvakin joined Gartner, his job responsibilities at other organizations included security product management, research, competitive analysis, PCI-DSS compliance, and SIEM development and implementation. He is the author of two books, "Security Warrior" and "PCI Compliance," and was a contributor to other industry resources, including "Know Your Enemy II" and "Information Security Management Handbook." He has published dozens of papers on log management, SIEM, correlation, security data analysis, PCI-DSS and security management. Chuvakin also has taught classes and presented at security conferences across the world. He has worked on emerging security standards and served on advisory boards of several security start-up companies.

Top Fraud Trends in 2013

TRACY KITTEN: What would you say have been the top three fraud and security risk trends that have defined 2013?

ANTON CHUVAKIN: I wanted to make a slightly contrarian point here. A lot of things have changed, indeed; but a lot of things have stayed the same. I keep joking that not a single security problem has ever been solved, and, in this case, this applies to our questions of financial fraud and risks. The point is that many of the risks that we dealt with in 2012, 2011, 2010, 2004, 1999, and possibly 1989, are still there. I wanted to talk about the new things, but I also wanted to remind the listeners that some of the old stuff - password management, dealing with attackers being able to guess passwords and steal services or money - is still there. Many attacks and exploitation types originated in the '90s, or a long, long time ago in IT industry years.

But some of the new things, like increasing distributed-denial-of-service attacks, increased sophistication of malware and the proliferation of malware for information theft and financial fraud, are striking, too. Even when it comes to traditional malware, many organizations just aren't prepared. Password-guessing attacks that originated in the 1980s - if not earlier - are still discouraging to many organizations, if you believe industry reports. And, finally, configuring and deploying payment terminals in a way that allows physical tampering goes back to before there were even cash registers, and those issues are not solved even now.

Cloud Security