TJX Exec Backs Chip-and-PIN, Encryption Through Private Networks
Written by Evan Schuman
A TJX senior executive is apparently trying to push chip-and-PIN, arguing that cyberthieves are focused on the United States partly because we haven’t adopted it.
"Criminals, I believe, are focusing on the countries that haven’t added that higher level of security," TJX Vice Chairman Donald G. Campbell said, according to this Boston Globe story.
The exec at the chain that has become—fairly or not—the poster child for bad data security procedures also endorsed the approach suggested by former Hannaford CIO Bill Homa, namely that payment data should be encrypted as it’s transmitted to banks, regardless of whether the company uses a public or a private network.
This is an interesting debate. There’s little question that both moves would improve security, but the cost and change required will also make them almost impossible to deploy. As TJX execs know better than anyone, market forces to push such change are essentially non-existent. Even Visa has said that the money could be spent better in fraud alerts and early detection.
The problem is that the Visa approach is reactive, and it reflects that the company has already surrendered, conceding that the thieves will successfully penetrate. Sadly, that’s probably not an unwarranted assumption.
Campbell also defended TJX’s role in the credit card industry’s worst-ever data breach, saying that its security wasn’t much worse than that of other similarly sized retailers and that it was likely better than a lot of smaller merchants. Although true, that’s hardly something to crow about.
According to the federal charges, only one of the retailers even detected any of the repeated large-scale intrusions, and none was able to stop any of them. If that were my record and I were a security-guard company, I think I’d avoid using it as a case study.
September 4th, 2008 at 4:24 am
“….but the cost and change required will also make them impossible to deploy…”
Well, this was deployed across the whole of Europe in about a 12 month period, and while there were moans and groans from some retailers and customers, adoption is ubiquitous now, with the elimination of personal checks and a faster turn-around at the POS.
This has also been deployed beyond retail – every time you use a card in Europe you use the PIN, so to say that the cost and change required would make this impossible to deploy is simply not true.
Contrary to your statement on there being no market forces to push this and Visa saying it is not effective – Visa are one of the backers of the EMV standard. The initiative is driven by the market forces of the banks and their drive to reduce fraud losses, through pushing the liability of the transaction back to the retailer.
I think you will find that once they are liable for fraudulent transactions, that this provides more than enough incentive for the retailer to implement chip and pin.
September 4th, 2008 at 7:25 am
Editor’s Note: You make a very fair point. What we had intended to say is that the industry/political realities in the States make this quite unlikely. No one–including Visa–has been pushing this hard in the U.S. This would have huge potential, but it would need the backing from quite a few players and I haven’t seen any hint of this yet.
September 4th, 2008 at 9:30 am
The problem with Chip-and-PIN is that it doesn’t go quite far enough to fully protect retailers. Retailers are still responsible for providing secure PIN-entry terminals, and criminals in Europe have already started placing counterfeit terminals in stores. Thus retailers are still handling secure data, and still remain in the loop for fraudulent card use.
If smart credit and debit cards were used in conjunction with a customer-owned handheld PIN keyboard (such as the Digipass system) then all security would rest in the hands of issuers, and the retailers would be freed of the security burdens surrounding credit. PCI DSS wouldn’t be necessary. PCI PED wouldn’t be necessary. And the extra cost for replacing terminals to work with Chip-and-PIN wouldn’t be necessary, either.
Of course, that’s not likely to happen until retailers examine and understand the costs, and then organize their efforts to move the PCI in that direction.
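Added illustration of the model the comment above describes (not part of A Reader’s comment, and not any vendor’s Digipass code): the PIN is typed on a customer-held keypad, which turns the issuer’s challenge and the amount into a short response; the retailer only forwards opaque values and never handles the PIN or any card secret. The card secret, the test PAN and the HMAC-based response scheme are assumptions for the example; a real issuer would keep the per-card keys in an HSM.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// pinKey derives a per-card verification key from the card's secret and the
// PIN the customer typed on their own keypad. A wrong PIN yields a different
// key, and therefore a wrong response, without the PIN ever leaving the
// customer's hands.
func pinKey(cardSecret []byte, pin string) []byte {
	m := hmac.New(sha256.New, cardSecret)
	m.Write([]byte(pin))
	return m.Sum(nil)
}

// response is what the handheld device shows the customer: an 8-digit code
// over the issuer's challenge and the amount. Changing either invalidates it.
func response(key []byte, challenge string, amountCents uint64) string {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(challenge))
	var amt [8]byte
	binary.BigEndian.PutUint64(amt[:], amountCents)
	m.Write(amt[:])
	full := m.Sum(nil)
	return fmt.Sprintf("%08d", binary.BigEndian.Uint32(full[:4])%100000000)
}

// AuthRequest is everything the merchant forwards. No PIN, no card secret.
type AuthRequest struct {
	PAN, Challenge, Response string
	AmountCents              uint64
}

// Issuer holds the per-card keys and the set of outstanding challenges.
type Issuer struct {
	keys    map[string][]byte // PAN -> PIN-derived key (an HSM in practice)
	pending map[string]bool   // challenges issued but not yet used
}

func NewIssuer() *Issuer {
	return &Issuer{keys: map[string][]byte{}, pending: map[string]bool{}}
}

// Enroll records the card's PIN-derived key at issuance time.
func (i *Issuer) Enroll(pan string, cardSecret []byte, pin string) {
	i.keys[pan] = pinKey(cardSecret, pin)
}

// Challenge issues a fresh random value for one transaction.
func (i *Issuer) Challenge() (string, error) {
	var b [8]byte
	if _, err := rand.Read(b[:]); err != nil {
		return "", err
	}
	c := hex.EncodeToString(b[:])
	i.pending[c] = true
	return c, nil
}

// Verify recomputes the response; each challenge is consumed on first use, so
// a replayed request fails even though its response was once correct.
func (i *Issuer) Verify(req AuthRequest) bool {
	if !i.pending[req.Challenge] {
		return false
	}
	delete(i.pending, req.Challenge)
	key, ok := i.keys[req.PAN]
	if !ok {
		return false
	}
	expected := response(key, req.Challenge, req.AmountCents)
	return hmac.Equal([]byte(expected), []byte(req.Response))
}

func main() {
	cardSecret := []byte("constructed-card-secret-0001") // chip card + issuer only
	issuer := NewIssuer()
	issuer.Enroll("4111111111111111", cardSecret, "1234") // constructed test PAN

	chal, _ := issuer.Challenge()
	// On the customer's own keypad:
	code := response(pinKey(cardSecret, "1234"), chal, 4999)
	// At the merchant: only opaque values are packaged and forwarded.
	req := AuthRequest{PAN: "4111111111111111", Challenge: chal, Response: code, AmountCents: 4999}
	fmt.Println("approved:", issuer.Verify(req))
	fmt.Println("replay approved:", issuer.Verify(req))
}
```

Nothing in AuthRequest is secret, which is the point of the comment: a terminal placed or compromised in the store can see the request but learns neither the PIN nor anything that lets it build a response for a different challenge or amount.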
September 4th, 2008 at 3:28 pm
Editor’s Note: A Reader is absolutely correct (As A Reader tends to be). In short, this is part of the overall argument that retailers are good at doing a lot of things, but security isn’t one of them. Getting the banks and consumers to take over data responsibility is the ideal.
Which, of course, means that it will never happen. Too many powerful players that don’t want it to happen.
September 5th, 2008 at 8:51 am
One doesn’t need to deploy chip-n-PIN to make payments much, much more secure—the PCI SSC simply needs to require end-to-end encryption for all payment data starting at the PED, regardless of whether the underlying network is considered “public” or “private”. This is what already occurs with PIN data today. To be sure, there are many, many significant deployment issues that would need to be overcome to make this happen—but I can’t help but believe that this requirement will become part of PCI DSS at some point in the next five years.
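Added illustration of the end-to-end encryption the comment above proposes (the editor’s example, not the commenter’s code and not any PCI SSC reference implementation): cardholder data is sealed inside the PIN-entry device with authenticated encryption and opened only at the acquirer, so the store LAN, the POS and the merchant’s servers carry ciphertext whether or not the network is called “private”. The shared AES key, the terminal ID and the test PAN are constructed for the example; real deployments use per-device keys loaded under a key-management scheme.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Constructed example key: in a real deployment each PIN-entry device would
// hold its own key, and only the acquirer's decryption host would hold the
// matching one. Nothing between the two ever sees it.
var acquirerKey = bytes.Repeat([]byte{0x42}, 32) // AES-256 key, constructed

// newAEAD builds an AES-GCM instance (authenticated encryption).
func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptAtPED runs inside the PIN-entry device: the cardholder data is
// sealed before it is handed to the POS, and the terminal ID is bound to the
// ciphertext as associated data so a message cannot be presented as coming
// from a different terminal. Output layout: nonce || ciphertext || tag.
func encryptAtPED(key []byte, terminalID string, cardData []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, cardData, []byte(terminalID)), nil
}

// decryptAtAcquirer runs at the far end of the path. Any modification of the
// ciphertext, the tag or the terminal ID in transit makes Open fail.
func decryptAtAcquirer(key []byte, terminalID string, msg []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	if len(msg) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("message too short")
	}
	nonce, sealed := msg[:aead.NonceSize()], msg[aead.NonceSize():]
	return aead.Open(nil, nonce, sealed, []byte(terminalID))
}

// exposedOnNetwork models an observer on the merchant's "private" network:
// it reports whether the plaintext PAN appears anywhere in the message.
func exposedOnNetwork(msg, pan []byte) bool {
	return bytes.Contains(msg, pan)
}

func main() {
	pan := []byte("4111111111111111") // constructed test PAN, not a real account
	msg, err := encryptAtPED(acquirerKey, "TERM-0001", pan)
	if err != nil {
		panic(err)
	}
	fmt.Println("PAN visible on store network:", exposedOnNetwork(msg, pan))
	plain, err := decryptAtAcquirer(acquirerKey, "TERM-0001", msg)
	fmt.Println("acquirer recovered PAN:", err == nil && bytes.Equal(plain, pan))
	msg[len(msg)-1] ^= 0x01 // simulate a modification in transit
	_, err = decryptAtAcquirer(acquirerKey, "TERM-0001", msg)
	fmt.Println("tampered message rejected:", err != nil)
}
```

The authenticated mode matters as much as the encryption: with plain encryption an intermediary could still flip bits undetected, whereas here any change to the sealed data or to the terminal binding is rejected at the acquirer rather than processed.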
September 8th, 2008 at 2:00 pm
Most of what you’ve said is correct. But encrypting from end-to-end isn’t a solution either. You can grab card information before it gets encrypted. I saw a lot of violated terminals, where the data were stolen prior to getting encrypted. It was possible to get the PIN by mapping the keyboard matrix. It’s a hardware “hacking”. Even PCI PED doesn’t look at all design failures on the terminals. It’s possible to put a bug in every terminal in the market. I’ve seen a lot, on Verifone and Ingenico terminals (just to name a few vendors).
Even if you use Chip, it’s possible to cheat the authorization system (based on the deployment). I saw a lot of frauds involving the chip-and-pin approach. I’m not saying that the chip was broken (at least not yet, but the criminals are studying the “how-to”), but there are several ways to cheat with the authorization systems.