Will EMV protect merchants from data theft?

Through a special arrangement, presented here for discussion is an excerpt of a current article from Commerce Anywhere Blog.

Will the EMV (Europay/Mastercard/Visa) standard protect retailers? About as well as PCI certification does today. I used to work with EMV when I developed software for smartcards, and the technology is certainly better than the ancient magstripe cards we use today. But it was created before e-commerce really took off, and the U.S. implementation of EMV isn’t very secure. Let’s imagine for a moment that Target was ahead of the 2015 deadline and already had smartcard readers in its stores (like they did back in 2001). Would they have been protected?

Since the smartcard has a tiny microprocessor embedded, it can do calculations like encryption. When the card is inserted, it authenticates the POS, and the POS authenticates the card using a shared secret (typically an encryption key). But in the case of Target, the POS was legit so they would have trusted each other anyway.

The typical Chip & PIN implementation in Europe requires the cardholder to enter a PIN to unlock the card, but in the U.S. the PIN is optional and usually not required. Do you know the PIN number for your credit card? No one does because the banks think it would be inconvenient.

Since trust has been established, the smartcard sends over the account number and other associated data. It’s in the clear for a brief moment before it’s encrypted and sent to the bank. This is the same situation as with the magstripe. Until the banks establish the ability to support end-to-end encryption and/or tokenization, we’ve still got the same issue.

There is one area where EMV helps a little. The thieves still get the credit card data but they won’t be able to create fake smartcards. Those chips need to be programmed with the right data and keys, which are only available at the issuing bank. So even though they managed to get the data, they can’t create forged cards. Except for one little issue — they can just use the card data online. No need to create cards at all.

Just as PCI didn’t really make retailers safe from fraud, neither will EMV. It’s a step in the right direction, but far from perfect.
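The claim in the two paragraphs above, that stolen chip data neither replays nor yields a working counterfeit chip yet is still good for online purchases, as an added worked example that is not part of the Commerce Anywhere Blog post. It is a deliberately simplified model, not the EMV specification: HMAC-SHA256 stands in for EMV's 3DES/AES-based key derivation and 8-byte ARQC MAC, the key hierarchy is collapsed to one issuer master key, the transaction data is a small dict rather than the real tag/length/value list, and the PAN and expiry are constructed test values.

```python
import hashlib
import hmac
import secrets


def derive_card_key(issuer_master_key: bytes, pan: str, pan_seq: int) -> bytes:
    # Issuer-side key diversification from PAN and PAN sequence number.
    # ASSUMPTION: HMAC-SHA256 stands in for EMV's 3DES/AES-based derivation.
    label = f"{pan}:{pan_seq:02d}".encode()
    return hmac.new(issuer_master_key, label, hashlib.sha256).digest()


def cryptogram(card_key: bytes, pan: str, amount: int, atc: int, unpredictable: bytes) -> bytes:
    # Application cryptogram over the transaction data. The ATC (the card's own
    # transaction counter) and the terminal's unpredictable number make each one single-use.
    # ASSUMPTION: HMAC-SHA256 truncated to 8 bytes models the 8-byte EMV ARQC.
    data = f"{pan}|{amount}|{atc}|".encode() + unpredictable
    return hmac.new(card_key, data, hashlib.sha256).digest()[:8]


class Card:
    """Chip card: holds the card key, never exports it, bumps the ATC on every use."""

    def __init__(self, pan: str, expiry: str, card_key: bytes):
        self.pan, self.expiry, self._key, self.atc = pan, expiry, card_key, 0

    def pay(self, amount: int, unpredictable: bytes) -> dict:
        self.atc += 1
        return {"pan": self.pan, "expiry": self.expiry, "amount": amount,
                "atc": self.atc, "un": unpredictable,
                "arqc": cryptogram(self._key, self.pan, amount, self.atc, unpredictable)}


class Issuer:
    def __init__(self):
        self._imk = secrets.token_bytes(32)
        self._cards = {}        # pan -> expiry on file
        self._last_atc = {}     # pan -> highest ATC already authorised

    def issue(self, pan: str, expiry: str) -> Card:
        self._cards[pan] = expiry
        return Card(pan, expiry, derive_card_key(self._imk, pan, 0))

    def authorize_chip(self, req: dict) -> bool:
        key = derive_card_key(self._imk, req["pan"], 0)
        expected = cryptogram(key, req["pan"], req["amount"], req["atc"], req["un"])
        if not hmac.compare_digest(expected, req["arqc"]):
            return False                       # wrong key: counterfeit chip or tampered data
        if req["atc"] <= self._last_atc.get(req["pan"], 0):
            return False                       # counter not advancing: replayed cryptogram
        self._last_atc[req["pan"]] = req["atc"]
        return True

    def authorize_cnp(self, pan: str, expiry: str) -> bool:
        # Card-not-present: no chip, no cryptogram, only PAN and expiry are checked.
        return self._cards.get(pan) == expiry


def simulate_target_style_theft() -> dict:
    issuer = Issuer()
    card = issuer.issue("4111111111111111", "12/26")   # constructed test PAN and expiry

    # Legitimate in-store purchase; a POS memory scraper copies the whole request.
    request = card.pay(4999, secrets.token_bytes(4))
    assert issuer.authorize_chip(request)
    stolen = dict(request)

    # 1) Replay the captured cryptogram verbatim.
    replay = issuer.authorize_chip(stolen)

    # 2) Counterfeit chip: the thief has the PAN but has to guess the card key.
    forged = {"pan": stolen["pan"], "expiry": stolen["expiry"], "amount": 100,
              "atc": stolen["atc"] + 1, "un": secrets.token_bytes(4)}
    forged["arqc"] = cryptogram(secrets.token_bytes(32), forged["pan"], 100,
                                forged["atc"], forged["un"])
    counterfeit = issuer.authorize_chip(forged)

    # 3) Card-not-present purchase with PAN and expiry alone.
    online = issuer.authorize_cnp(stolen["pan"], stolen["expiry"])

    return {"replay": replay, "counterfeit_chip": counterfeit, "card_not_present": online}


if __name__ == "__main__":
    print(simulate_target_style_theft())
```

The two checks in `authorize_chip` are the whole story: the MAC check defeats a cloned chip that lacks the card key, and the monotonic ATC check defeats replaying a cryptogram that was captured in clear at the POS. `authorize_cnp` does neither, which is why the same stolen record still works online.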

Discussion Questions

Do you expect the arrival of EMV to do much to stop data breaches? What steps will likely have to be further taken to protect retailers from fraud?

12 Comments
Debbie Hauss
10 years ago

It will be a constant struggle. More breaches will happen. But the recent breaches certainly have shed a new light on the importance of moving toward the implementation of EMV technology.

Nikki Baird
10 years ago

Well, I think it’s a little disingenuous to say that EMV doesn’t protect retailers from fraud. It doesn’t protect retailers from ONLINE fraud, but it does a lot to help in the arena of card-present transactions.

However, I agree that it’s worth a heads up to US retailers – when EMV gets implemented, fraud will shift from store-based to online. There are a multitude of studies that show this is exactly what happened in Europe and in Canada. The big difference is, that shift happened when online was not nearly the scale that it is today in the US. So US retailers have a lot more at stake.

The real solution is to find a way to turn the online card not present transaction into a card present transaction, with all of the security benefits that EMV provides to stores. But, call me a cynic if you will, I see that being a huge struggle. Banks can’t charge as much for card present transactions as they can for card not present, so they don’t have a whole lot of incentive to make that happen.

Paula Rosenblum
10 years ago

I agree with David 1000% and for better or worse, I’ve done a lot of research on this topic since the Target breach.

The biggest problem with PCI is that because they spent so much money on it, retailers presumed they were safe. Interestingly, this was reinforced by the TJ Maxx breach, since the retailer was NOT PCI compliant.

Most high profile data thefts since that time were on PCI compliant companies.

My motto has been the same since the introduction of PCI: “You cannot expect a static standard to solve your problem in an ever-evolving world.”

As an industry we must come together around data security the same way we have come together around ORC (Organized Retail Crime). In fact, I would argue it is a more important issue, as it’s immediately affecting our customers, not just our wallets. This is a process, not a point-in-time problem. And the solution is a process as well.

Jason Goldberg
10 years ago

It may have a nominal impact on consumer confidence. The chip and badging on the card will make consumers feel safer (at least until there is a major breach after EMV is implemented).

We also have better fraud screening on card not present transactions, so taking away a thief’s ability to monetize stolen credit card data in-store is moderately helpful.

As David points out, since it’s not end-to-end encryption, EMV doesn’t do much for a Target style POS breach, and obviously doesn’t help at all with the CRM breach.

We are headed for a future in which all accounts will be required to be protected by two factor authentication, and where we are generating unique credit card account aliases to use with each merchant. That way when a merchant is breached, it will be easy to de-authorize that account number without disrupting the underlying credit account.

Ralph Jacobson
10 years ago

As new security measures become available, new threats will come into the market. There is enough of a revenue and profit opportunity in the threat business to continue to feed it. I believe any and all measures should be considered not just in the U.S., but in all markets globally.

Richard Mader
10 years ago

Retailers have known for years that there is no security silver bullet. What’s required is end-to-end encryption + tokenization + EMV with PIN. Cost prohibitive, many say, but given the magnitude of recent breaches, retailers must implement these “best available” security measures despite the cost.

Maximum security for the consumer will be achieved when all payment stakeholders (card brands, banks, retailers, etc.) work together, as recently called for by the NRF.

David Schulz
10 years ago

EMV would not have stopped the hack attack at Target; it might have made the stolen data less valuable, since credit and debit card information would not have been as valuable. Remember, the Target breach also included e-mail addresses and customer profiles, which would have been unaffected by EMV.

Systems can be made a lot more secure, but that would be expensive and retailers are fighting banks and payment networks over who should bear that cost and retailers are on the defensive at this point in time. Data security is a little like shoplifting: how much can the industry live with before inconveniencing customers to a higher degree than they are with current measures.

Dominique Levin
10 years ago

The problem with security is that there is always more that you can do, so most retailers do “the minimum possible” (it’s expensive). Any standard, PCI and EMV, really helps to set that “minimum bar.” Without it, retailers would make even fewer investments in security. The bar should go up year over year and PCI and EMV type standards should get more stringent every year. It’s the best hope we have for security.

Gordon Arnold
10 years ago

The recent breach of trust shared by several sizable retailers that compromised the account and personal information of about 100 million individuals and businesses was the sole fault of the retailers. This will be clearly demonstrated in the subsequent lawsuits of the near future.

Retail has been taken to school in these recent events, and the lesson learned is about the open architecture in their stores and how dangerous this is for the consumer. Decade-old technologies have no protection in today’s market and are a waste of precious time when looking for a way to close off the flood of information being stolen as we speak. Smart businesses might consider shutting down the systems’ wireless communications until third-party or in-house security enhancements are installed, tested and monitored on a continuing basis.

Peter J. Charness
10 years ago

EMV will probably slow fraud down for a while, but those creative types will just look at it as a challenge to beat, which they will. A fully digital mobile stored card can have rotating codes and may be the ultimate solution. You have to wonder if retailers shouldn’t just skip EMV which will be at least 10 years old or more when it hits mass adoption, and head for something else.

Mark Bower
10 years ago

End-to-end encryption and tokenization along with EMV readiness is already here, and very effective. In fact, since Heartland embraced this approach several years back after its major breach at the time, so have many acquirers and retailers in the US with excellent results in reducing risk and compliance costs.

In the last ten years, breakthroughs in cryptography and security have made it far simpler to protect data from the instant it is read in a secure mag-stripe/chip reader upstream of the POS without the need to re-architect retail IT systems, database schemas, and payment protocols to the host: the legacy infrastructure which is expensive to change, mission critical, yet vulnerable to compromise. In fact, these techniques are so well established in industry, they are being incorporated into standards at NIST (SP800-38G) and ANSI (X9.124, X9.119) which form the heart of the credit/debit payments security frameworks in the US.

The result is a card data security approach which has little disruption and fast time to success, while delivering strong end-to-end protection of the data without decryption or live data exposures in the POS/Checkout, Retail Switch, Gateway or other vulnerable system it touches on its way to the acquirer. If the data is compromised along this journey, it’s already neutralized and useless to the attacker, yet still usable by the payment applications.

So while EMV has its value, it’s necessary to look at mitigating threats to data that EMV unfortunately doesn’t protect. The good news is it is already here, proven, and cost effective whether in the enterprise, in retail stores, or in the merchant acquirers.
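The protect-at-the-reader approach described in the comment above, as an added worked example that is not Mark Bower’s code or any vendor’s product: a vault-style tokenizer replaces the PAN with a token of the same length that keeps the first six and last four digits and still passes the Luhn check, so downstream POS, switch and database code that validates or formats card numbers keeps working while a memory scraper in the store only ever sees tokens. Assumptions: the vault is an in-memory dict standing in for an HSM-backed service outside the store network; the keyed-random mapping stands in for the stateless format-preserving encryption of NIST SP 800-38G (FF1), which the comment references; the PAN and the POS memory record are constructed test data; and `checkout` models the reader or gateway returning a token to the POS, not a real device API.

```python
import re
import secrets


def luhn_valid(number: str) -> bool:
    """Luhn check digit test, the same heuristic POS software and RAM scrapers apply."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 if d < 5 else d * 2 - 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Stands in for the HSM-backed vault outside the store network (assumption).
    The POS never holds the token-to-PAN mapping, only the token."""

    def __init__(self):
        self._pan_by_token = {}
        self._token_by_pan = {}

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a well-formed PAN")
        if pan in self._token_by_pan:        # same PAN -> same token, so repeat-customer analytics still work
            return self._token_by_pan[pan]
        head, last4 = pan[:6], pan[-4:]      # keep BIN for routing and last four for receipts
        while True:
            middle = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 11))
            # Exactly one value of the remaining digit makes the whole token Luhn-valid
            # with last4 fixed, because changing one digit permutes its contribution mod 10.
            token = next(head + middle + d + last4 for d in "0123456789"
                         if luhn_valid(head + middle + d + last4))
            if token != pan and token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        return self._pan_by_token[token]


PAN_PATTERN = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def scrape_pos_memory(buffer: str) -> list:
    """What a RAM scraper does: pull digit runs of card-number length that pass Luhn."""
    return [m.group() for m in PAN_PATTERN.finditer(buffer) if luhn_valid(m.group())]


def checkout(vault: TokenVault, pan_from_reader: str, amount_cents: int) -> dict:
    # Models the reader/gateway handing the POS a token; the PAN itself never lands
    # in POS memory (assumption about the deployment, not a device API).
    token = vault.tokenize(pan_from_reader)
    pos_memory = f"SALE|{token}|{amount_cents}|APPROVED"   # constructed POS record
    return {"token": token, "pos_memory": pos_memory,
            "scraped": scrape_pos_memory(pos_memory)}


def demo() -> dict:
    vault = TokenVault()
    pan = "4111111111111111"                   # constructed test PAN
    first = checkout(vault, pan, 4999)
    second = checkout(vault, pan, 1250)
    return {
        "token": first["token"],
        "scraped": first["scraped"],
        "pan_in_pos_memory": pan in first["pos_memory"],
        "same_customer_same_token": first["token"] == second["token"],
        "bin_and_last4_kept": first["token"][:6] == pan[:6] and first["token"][-4:] == pan[-4:],
        "vault_recovers_pan": vault.detokenize(first["token"]) == pan,
    }


if __name__ == "__main__":
    print(demo())
```

Note that the scraper still "finds" a number: a Luhn-valid, format-preserving token looks exactly like a card number to the heuristics real POS malware used, which is the point. Without the vault it is worthless, and the vault is not in the store. One caveat a deployment has to handle that this toy only approximates with a collision check: a Luhn-valid token can coincide with some other issuer’s real PAN, so production schemes reserve token ranges or otherwise mark tokens as non-routable.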

Kai Clarke
10 years ago

No. We need to move to a more advanced system that uses higher-level encryption and better protections, like retinal scans.
