This is page 2 of:
Chip-And-PIN Is Not A Free Pass On PCI
Cardholder data and magnetic stripe data from smart cards will continue be used in E-Commerce and ATM fraud. A French friend of mine had his EMV card compromised, and he found out the hard way that a lot of ATMs still rely on the magnetic stripe even in markets that have converted to chip cards. Therefore, retailers still need to secure their systems and networks to protect themselves and their customers and to comply with all of PCI.
On top of all this, can the cloning of a chip card really be all that far behind?
The dismissive reaction from the U.K. Cards Association to this story so far has been disappointing. They claim there are simpler, easier to execute threats than that used by the Cambridge team. Furthermore, they contend that cardholders only have to report their cards stolen to defeat the attack. One supposes that, compared to the Cambridge attack, it could indeed be easier to do a little shoulder surfing to get the PIN, thump the cardholder on the head in the parking lot, take their card and return to the store. But if that is what the issuers are suggesting, their subsequent argument–which rests on reporting the card stolen–rates a FAIL.
The Association also stated that the issuers’ systems are able to detect this fraud. That may indeed be the case in theory. But, unfortunately for each card used–and there was more than one issuer–the issuers’ systems failed to detect the fraud in each case. Oops.
Wouldn’t it be great if the card and bank associations could accept that EMV was compromised, that issuers need to improve their systems and that, while the protocol may be fine, its implementation has to be secure and carefully thought out, too? Then we all could move on.
Smart cards are a technical innovation that can reduce issuers’ fraud losses. But implementing chip-and-PIN is expensive for all parties, not just issuers who need to replace their existing cards. Retailers of all sizes have to spend significant sums to upgrade their POS equipment and retrain staff. Even consumers have to learn a new procedure to use their payment cards. Hopefully, the reduced losses (and increased merchant investment) are reflected in lower interchange reimbursement fees for merchants. This was the case 20 years ago, when incentive interchange rates (anyone else remember TIIF?) paved the way for near universal electronic authorizations.
Smart cards are not a magic wand that will make either fraud or PCI compliance disappear. Merchant and processor systems will still store, process and transmit cardholder data. The bad guys will continue to search for ways around any technology so long as there are economic incentives to do so. That means PCI is just as relevant for chip-and-PIN cards as it is for magnetic stripe cards.
What is your experience with chip cards? What will it take for the U.S. to move to chip-and-PIN? What do you think? I’d like to hear your thoughts. Either leave a comment or E-mail me at wconway@403labs.com.
-Marc
February 18th, 2010 at 1:24 pm
I don’t understand where the false assumption that EMV addresses security comes from? (well, I do understand, but I’ll keep my mouth shut) EMV attempts to address fraudulent card usage, not security. To me EMV and the Magnasafe technology that Magtek developed (swipe fingerprint) address the same thing in different was, but Magtek never promoted their technology as a security protocol.
October 4th, 2010 at 7:25 am
More mis-direction: it just does not follow that because EMV does not solve ALL fraud problems, that PCI remains relevant.
We hear lots of talk about chip and PIN zealots supporting what appears to be a near useless enhancement on the magstripe card. Truth is that chip and PIN displaces some fraud as the crims move into other areas – any security geezers worth their titles know this, so why is such an issue? It was expected and it can be addressed. Bottom line is that you can’t copy a card!!!!!!!
You can implement all the PCI ludite nonsense you like, the problem is not going to go away – because you may or may not have noticed, but the card data is still there on the card, and I can still copy it, and then use it. Which part of the PCI standard is going to EVER address that one? You’ll be telling us we need QSAs for crims next …
Also, if you understand EMV you’ll know that whilst the Prof’s scam does work, it isn’t particularly useful, because he still needs the physical card (because it won’t work with a copy), and the issuers can spot it.
Bottom line is that card data is not inherently sensitive – this is certainly the case in EMV-land. In magstripe-land, the story is different, and you choose to transact with stoneage technology. Fine by me – if you want to “secure” it with PCI, off you go; just don’t expect us to do it as well.
Last bit isn’t worth much comment – fallback to signature will result in a decline, unless there is a valid technical reason. More mis-direction. It’s got to stop!