Chip-And-PIN Is Not A Free Pass On PCI
Written by Walter ConwayA 403 Labs QSA, PCI Columnist Walt Conway has worked in payments and technology for more than 30 years, 10 of them with Visa.
Reports of the latest successful attack on chip cards based on the EMV standard should remind all of us once again that there is no such thing as absolute security. Retailers and consumers worldwide–especially those in Canada who are currently implementing chip-and-PIN–need to understand this fact and not count on any single technology to remain secure. That is why PCI remains relevant even in a chip-and-PIN environment.
From a security perspective, retail CIOs should understand a few things about these chip cards or smart cards (i.e., payment cards with an embedded integrated circuit or microchip). Chip cards can reduce fraud losses, but chip-and-PIN zealots can overstate the benefits. While card-present fraud decreases significantly, the bad guys simply shift to card-not-present (e.g., mail, phone or E-Commerce, where the chip has little value) and international fraud (to countries where magnetic stripe technology is used). For example, after the U.K. introduced smart cards, losses from both these sources increased dramatically. Remember that smart cards still have a magnetic stripe (and embossing and signature panels and holograms and every other piece of anti-fraud baggage ever devised).
Retailers should also understand that EMV (Eurocard MasterCard Visa) is a set of generic requirements that allows for the interoperability of cards. Implementation can be card-specific, and issuers still depend greatly on their own internal authorization procedures. Although these procedures are based on EMV, they can vary. For example, it appears the issuers in the recent U.K. case were not checking to see whether a PIN entry was attempted. When you think about chip-and-PIN security, you need to look at the entire authorization process.
One thing that is particularly disturbing about the recent attack is that the printed receipts stated “Verified by PIN” even though they were not. The Cambridge University team managed to convince the smart card that it had a chip-and-signature transaction while simultaneously convincing the POS terminal that it was a chip-and-PIN transaction. As a result, the receipts printed by the terminal indicated that a valid PIN was entered each time. That means defrauded consumers are in the unenviable position of having to convince their issuers that they did not make the transaction. In a particularly ominous quote, Professor Ross Anderson, the lead Cambridge researcher, said: “Over the past five years, thousands of cardholders have had stolen chip-and-PIN cards used by criminals. The banks often tell customers that their PIN was used and so it’s their fault.” Does this mean the bad guys have already used this fraud, or have consumers been lying?
Chip-and-PIN does not give the retailer a free pass on PCI. Sales clerks will continue to process some smart card transactions as chip-and-signature, and some of your people will be willing or unwilling participants in fraud. (Hint: Don’t use chip cards as an excuse to get rid of your internal fraud and staff monitoring systems.) Your call centers will not see much change, nor will your E-Commerce site. And until the entire planet converts to chip cards (and the U.S. market is a long way away from that happening), you will still see cards that have only a magnetic stripe.
-Marc
February 18th, 2010 at 1:24 pm
I don’t understand where the false assumption that EMV addresses security comes from? (well, I do understand, but I’ll keep my mouth shut) EMV attempts to address fraudulent card usage, not security. To me EMV and the Magnasafe technology that Magtek developed (swipe fingerprint) address the same thing in different was, but Magtek never promoted their technology as a security protocol.
October 4th, 2010 at 7:25 am
More mis-direction: it just does not follow that because EMV does not solve ALL fraud problems, that PCI remains relevant.
We hear lots of talk about chip and PIN zealots supporting what appears to be a near useless enhancement on the magstripe card. Truth is that chip and PIN displaces some fraud as the crims move into other areas – any security geezers worth their titles know this, so why is such an issue? It was expected and it can be addressed. Bottom line is that you can’t copy a card!!!!!!!
You can implement all the PCI ludite nonsense you like, the problem is not going to go away – because you may or may not have noticed, but the card data is still there on the card, and I can still copy it, and then use it. Which part of the PCI standard is going to EVER address that one? You’ll be telling us we need QSAs for crims next …
Also, if you understand EMV you’ll know that whilst the Prof’s scam does work, it isn’t particularly useful, because he still needs the physical card (because it won’t work with a copy), and the issuers can spot it.
Bottom line is that card data is not inherently sensitive – this is certainly the case in EMV-land. In magstripe-land, the story is different, and you choose to transact with stoneage technology. Fine by me – if you want to “secure” it with PCI, off you go; just don’t expect us to do it as well.
Last bit isn’t worth much comment – fallback to signature will result in a decline, unless there is a valid technical reason. More mis-direction. It’s got to stop!