Chip-And-PIN Is Not A Free Pass On PCI

Written by Walter Conway
February 18th, 2010

A 403 Labs QSA, PCI Columnist Walt Conway has worked in payments and technology for more than 30 years, 10 of them with Visa.

Reports of the latest successful attack on chip cards based on the EMV standard should remind all of us once again that there is no such thing as absolute security. Retailers and consumers worldwide–especially those in Canada who are currently implementing chip-and-PIN–need to understand this fact and not count on any single technology to remain secure. That is why PCI remains relevant even in a chip-and-PIN environment.

From a security perspective, retail CIOs should understand a few things about these chip cards or smart cards (i.e., payment cards with an embedded integrated circuit or microchip). Chip cards can reduce fraud losses, but chip-and-PIN zealots can overstate the benefits. While card-present fraud decreases significantly, the bad guys simply shift to card-not-present (e.g., mail, phone or E-Commerce, where the chip has little value) and international fraud (to countries where magnetic stripe technology is used). For example, after the U.K. introduced smart cards, losses from both these sources increased dramatically. Remember that smart cards still have a magnetic stripe (and embossing and signature panels and holograms and every other piece of anti-fraud baggage ever devised).

Retailers should also understand that EMV (Eurocard MasterCard Visa) is a set of generic requirements that allows for the interoperability of cards. Implementation can be card-specific, and issuers still depend greatly on their own internal authorization procedures. Although these procedures are based on EMV, they can vary. For example, it appears the issuers in the recent U.K. case were not checking to see whether a PIN entry was attempted. When you think about chip-and-PIN security, you need to look at the entire authorization process.

One thing that is particularly disturbing about the recent attack is that the printed receipts stated “Verified by PIN” even though they were not. The Cambridge University team managed to convince the smart card that it had a chip-and-signature transaction while simultaneously convincing the POS terminal that it was a chip-and-PIN transaction. As a result, the receipts printed by the terminal indicated that a valid PIN was entered each time. That means defrauded consumers are in the unenviable position of having to convince their issuers that they did not make the transaction. In a particularly ominous quote, Professor Ross Anderson, the lead Cambridge researcher, said: “Over the past five years, thousands of cardholders have had stolen chip-and-PIN cards used by criminals. The banks often tell customers that their PIN was used and so it’s their fault.” Does this mean the bad guys have already used this fraud, or have consumers been lying?

Chip-and-PIN does not give the retailer a free pass on PCI. Sales clerks will continue to process some smart card transactions as chip-and-signature, and some of your people will be willing or unwilling participants in fraud. (Hint: Don’t use chip cards as an excuse to get rid of your internal fraud and staff monitoring systems.) Your call centers will not see much change, nor will your E-Commerce site. And until the entire planet converts to chip cards (and the U.S. market is a long way away from that happening), you will still see cards that have only a magnetic stripe.


2 Comments | Read Chip-And-PIN Is Not A Free Pass On PCI

  1. Steve Sommers Says:

    I don’t understand where the false assumption that EMV addresses security comes from? (well, I do understand, but I’ll keep my mouth shut) EMV attempts to address fraudulent card usage, not security. To me EMV and the Magnasafe technology that Magtek developed (swipe fingerprint) address the same thing in different was, but Magtek never promoted their technology as a security protocol.

  2. David Griffiths Says:

    More mis-direction: it just does not follow that because EMV does not solve ALL fraud problems, that PCI remains relevant.

    We hear lots of talk about chip and PIN zealots supporting what appears to be a near useless enhancement on the magstripe card. Truth is that chip and PIN displaces some fraud as the crims move into other areas – any security geezers worth their titles know this, so why is such an issue? It was expected and it can be addressed. Bottom line is that you can’t copy a card!!!!!!!

    You can implement all the PCI ludite nonsense you like, the problem is not going to go away – because you may or may not have noticed, but the card data is still there on the card, and I can still copy it, and then use it. Which part of the PCI standard is going to EVER address that one? You’ll be telling us we need QSAs for crims next …

    Also, if you understand EMV you’ll know that whilst the Prof’s scam does work, it isn’t particularly useful, because he still needs the physical card (because it won’t work with a copy), and the issuers can spot it.

    Bottom line is that card data is not inherently sensitive – this is certainly the case in EMV-land. In magstripe-land, the story is different, and you choose to transact with stoneage technology. Fine by me – if you want to “secure” it with PCI, off you go; just don’t expect us to do it as well.

    Last bit isn’t worth much comment – fallback to signature will result in a decline, unless there is a valid technical reason. More mis-direction. It’s got to stop!


StorefrontBacktalk delivers the latest retail technology news & analysis. Join more than 60,000 retail IT leaders who subscribe to our free weekly email. Sign up today!

Most Recent Comments

Why Did Gonzales Hackers Like European Cards So Much Better?

I am still unclear about the core point here-- why higher value of European cards. Supply and demand, yes, makes sense. But the fact that the cards were chip and pin (EMV) should make them less valuable because that demonstrably reduces the ability to use them fraudulently. Did the author mean that the chip and pin cards could be used in a country where EMV is not implemented--the US--and this mis-match make it easier to us them since the issuing banks may not have as robust anti-fraud controls as non-EMV banks because they assumed EMV would do the fraud prevention for them Read more...
Two possible reasons that I can think of and have seen in the past - 1) Cards issued by European banks when used online cross border don't usually support AVS checks. So, when a European card is used with a billing address that's in the US, an ecom merchant wouldn't necessarily know that the shipping zip code doesn't match the billing code. 2) Also, in offline chip countries the card determines whether or not a transaction is approved, not the issuer. In my experience, European issuers haven't developed the same checks on authorization requests as US issuers. So, these cards might be more valuable because they are more likely to get approved. Read more...
A smart card slot in terminals doesn't mean there is a reader or that the reader is activated. Then, activated reader or not, the U.S. processors don't have apps certified or ready to load into those terminals to accept and process smart card transactions just yet. Don't get your card(t) before the terminal (horse). Read more...
The marketplace does speak. More fraud capacity translates to higher value for the stolen data. Because nearly 100% of all US transactions are authorized online in real time, we have less fraud regardless of whether the card is Magstripe only or chip and PIn. Hence, $10 prices for US cards vs $25 for the European counterparts. Read more...
@David True. The European cards have both an EMV chip AND a mag stripe. Europeans may generally use the chip for their transactions, but the insecure stripe remains vulnerable to skimming, whether it be from a false front on an ATM or a dishonest waiter with a handheld skimmer. If their stripe is skimmed, the track data can still be cloned and used fraudulently in the United States. If European banks only detect fraud from 9-5 GMT, that might explain why American criminals prefer them over American bank issued cards, who have fraud detection in place 24x7. Read more...

Our apologies. Due to legal and security copyright issues, we can't facilitate the printing of Premium Content. If you absolutely need a hard copy, please contact customer service.