
Endpoint

2/17/2016
11:00 AM
Chet Wisniewski
Commentary

Today's New Payment Card Security In A Nutshell

Businesses taking their time rolling out EMV card-compatible terminals are putting their data security and financial well-being at risk.

Credit card fraud is a serious issue. According to the 2016 Identity Fraud Study released earlier this month by Javelin Strategy & Research, the number of identity fraud victims increased by three percent (13.1 million consumers) in the US last year, and the total amount stolen was $15 billion. Thieves have stolen more than $112 billion in the past six years.

One way financial institutions are fighting back is by issuing EMV (Europay, Mastercard and Visa) or “chip” cards, which feature an embedded chip to provide a higher degree of fraud protection than older cards that only utilize magnetic stripes. Every time an EMV card is used for payment, the card chip creates a unique transaction code that cannot be used again.

This will not prevent data breaches on the scale we’ve seen over the past two years, but it will better protect personal information. If a hacker steals chip information from one specific point of sale, the standard practice of duplicating the card will not work because the stolen transaction number created in that instance cannot be re-used.

Merchants -- not banks -- now liable for payment card fraud

The primary driver for the issuance of cards with cryptographic chips is to reduce point-of-sale fraud using stolen card numbers. Card processing companies such as MasterCard, Visa, and American Express set an Oct. 1, 2015, deadline for businesses to install payment terminals that are able to accept smart card payments. That deadline has passed, so now it’s the merchants that face financial liability unless they upgrade to EMV-compliant payment terminals.

While those businesses that have not installed EMV card-compatible terminals risk being held liable for fraud, they’re not breaking any laws or facing any financial penalties for non-compliance. So the pace at which EMV cards are rolling out to consumers and being accepted at businesses has been slow.

The PULSE 2015 Debit Issuer Survey found that while 90% of financial institutions had begun issuing EMV debit cards or would do so by the end of 2015, only 25% of US debit cards (about 71 million cards) would be chip-equipped by the end of 2015. The number is expected to rise to 73% by the end of 2016 and 96% by the end of 2017, according to CreditCards.com.

Nevertheless, this forced adoption of chip cards in the US has rekindled the debate over their efficacy in combating fraud, finger-pointing over liability, and the resistance of card issuers in the US to adopt a PIN rather than stick with the signature verification method in use since the introduction of credit cards in the 1950s.

A brief history of PIN versus signatures

A standard credit card has your name, expiration date, and PAN (Personal Account Number) embossed on the front and a CVV/CVC (Card Verification Value/Card Verification Code) printed on the back. It also contains a magnetic stripe with all of that information except the visible CVV/CVC. Instead, the stripe contains a separate secret CVV/CVC that can only be read from the stripe.

Early fraudsters only needed the card holder's name and PAN to make a bogus purchase over the telephone or through mail order. The CVV in the stripe was added to make it more difficult to copy a card using only what is visible, and the CVV2 (the one printed on the card) made it more difficult to steal the magnetic stripe information and commit CNP (Card Not Present -- like Internet and telephone shopping) crimes.
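As an added illustration (not code from the article), here is a simplified model of the difference the two paragraphs above describe: an issuer accepts a chip transaction code only if it matches the transaction data and the card's transaction counter has advanced, so a captured code cannot be presented a second time, whereas a copied stripe CVV verifies identically every time. The key, test PAN, counter values and the HMAC construction are constructed stand-ins and not the real EMV cryptogram algorithm.

```python
import hashlib
import hmac

# Constructed demo key. In real EMV the per-card key is derived from an
# issuer master key and never leaves the chip or the issuer's HSM.
CARD_KEY = b"constructed-demo-card-key"

def card_cryptogram(key, pan, atc, amount_cents, unpredictable_number):
    """Simplified stand-in for the chip's application cryptogram (ARQC):
    a MAC over the transaction data plus the Application Transaction
    Counter (ATC), which the chip increments on every use."""
    msg = f"{pan}|{atc}|{amount_cents}|{unpredictable_number}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]

class Issuer:
    """Issuer-side check: the MAC must match and the ATC must advance."""
    def __init__(self, key):
        self.key = key
        self.last_atc = {}  # highest ATC accepted so far, per PAN

    def authorise(self, pan, atc, amount_cents, unpredictable_number, cryptogram):
        expected = card_cryptogram(self.key, pan, atc, amount_cents, unpredictable_number)
        if not hmac.compare_digest(expected, cryptogram):
            return "declined: cryptogram does not match transaction data"
        if atc <= self.last_atc.get(pan, -1):
            return "declined: ATC already seen (replay)"
        self.last_atc[pan] = atc
        return "approved"

def magstripe_check(stored_cvv, presented_cvv):
    """Stripe-era check: the stripe CVV is static, so a copy verifies every time."""
    return "approved" if hmac.compare_digest(stored_cvv, presented_cvv) else "declined"

def demo():
    issuer = Issuer(CARD_KEY)
    pan = "4111111111111111"  # constructed test PAN
    # Genuine purchase: terminal sends a random challenge, chip signs with ATC 41.
    c1 = card_cryptogram(CARD_KEY, pan, 41, 2599, "7f3a9c10")
    first = issuer.authorise(pan, 41, 2599, "7f3a9c10", c1)
    # The same captured message presented again at another terminal.
    replay = issuer.authorise(pan, 41, 2599, "7f3a9c10", c1)
    # Captured cryptogram reused with a different amount and counter.
    altered = issuer.authorise(pan, 42, 99999, "7f3a9c10", c1)
    # Next real transaction from the chip: ATC has advanced to 42.
    c2 = card_cryptogram(CARD_KEY, pan, 42, 1200, "0b44e2d9")
    second = issuer.authorise(pan, 42, 1200, "0b44e2d9", c2)
    # A copied stripe CVV is indistinguishable from the original, every time.
    stripe = (magstripe_check("123", "123"), magstripe_check("123", "123"))
    return first, replay, altered, second, stripe
```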

The cheap price and ubiquity of modern electronics has made both of these security features irrelevant, prompting the card industry to move forward with the modern EMV standard in an attempt at reducing card fraud with minimal inconvenience. Both “chip” cards and tap-and-pay cards comply with specifications defined by EMV.

Implications for the enterprise

So, yes, smart cards are more secure than the traditional magnetic stripe-only cards. If you are responsible for information security at your company, your first order of business should be to install point-of-sale terminals that can accept both chip and tap-and-pay cards, as well as mobile devices such as smartphones and smartwatches that include similar Near Field Communications (NFC) technology.

Even with these new terminals installed, you have not eliminated the risk of fraud. For signature transactions, instruct employees to continue to verify customers’ photo ID. You must also be ready for an increase in online fraud as thieves, discouraged by an inability to use physical cards in stores, will turn to using stolen card numbers on your e-commerce sites. The Aite Group found that in the United Kingdom, online fraud -- known in the industry as "card not present," or CNP, fraud -- rose 79 percent in the first three years after the country switched to chip cards, and it more than doubled in Australia and Canada.

What will not change is hackers’ resolve to steal financial information, or the fact that they grow more sophisticated and insidious every year. Despite the cost involved in upgrading PoS systems and replacing magnetic stripe cards, the improvement in data security and reduction in liability will be dramatic.


Chester "Chet" Wisniewski is a senior security advisor at Sophos with more than 15 years of experience in the security industry. In his current role, Chester conducts research into computer security and online privacy with the goal of making security information more ...

Comments
Joe Stanganelli, User Rank: Ninja, 2/23/2016 | 1:22:55 PM
hampering
Of course, a lot of businesses are purposely being late to fully adopt -- and even slowing down or hampering -- the use of EMV, as Brian Krebs recently reported. Dipping the chip takes longer than swiping the stripe -- and even longer still when you have to ask card users if they have a chip card, remind them to use the chip, and/or instruct them how to use it. That slows down lines and thereby hampers transactions -- leading many retailers, preferring to let consumers learn how to use the chips on someone else's time (and dime), to block off the EMV capabilities and keep having their customers swipe the good ol' stripe.