Will EMV Protect Retailers?

Will EMV protect retailers?  About as well as PCI certification does today.  I used to work with the Europay/Mastercard/Visa standard when I developed software for smartcards, and the technology is certainly better than the ancient magstripe cards we use today.  But it was created before e-commerce really took off, and the US implementation of EMV isn't very secure.  Let's imagine for a moment that Target was ahead of the 2015 deadline and already had smartcard readers in its stores (like they did back in 2001).  Would they have been protected?

Since the smartcard has a tiny microprocessor embedded, it can do calculations like encryption.  When the card is inserted, it authenticates the POS, and the POS authenticates the card using a shared secret (typically an encryption key).  But in the case of Target, the POS was legit so they would have trusted each other anyway.

The typical Chip & PIN implementation in Europe requires the cardholder to enter a PIN to unlock the card, but in the US the PIN is optional and usually not required.  Do you know the PIN number for your credit card?  No one does because the banks think it would be inconvenient.

Since trust has been established, the smartcard sends over the account number and other associated data.  Its in the clear for a brief moment before its encrypted and sent to the bank.  This is the same situation as with the magstripe.  Until the banks establish the ability to support end-to-end encryption and/or tokenization, we've still got the same issue.

There is one area where EMV helps a little.  The thieves still get the creditcard data but they won't be able to create fake smartcards.  Those chips need to be programmed with the right data and keys, which are only available at the issuing bank.  So even though they managed to get the data, they can't create forged cards. Except for one little issue -- they can just use the card data online.  No need to create cards at all.

Just as PCI didn't really make retailers safe from fraud, neither will EMV.  Its a step in the right direction, but far from perfect.

Comments:

Hi David,

Your example about use online is perfectly valid, except that many (but not all) websites will force the card through 3D Secure (card possession authentication) aka Verified By Visa, Mastercard Securecode, and Amex Securekey (the latter is much less common). It's in the website's interest to do this because in many countries the website operator will lose any chargeback claim/case if they can't provide proof of use of 3DS. It's not very friendly for the customer (which is apparently why Amazon doesn't do 3DS--they just take the chargeback hit).

What is equally problematic with black hats grabbing the card number, start and end date and PIN from an EMV setup (plus some shouldersurfing video) is that the black hats can create a fake magstripe card even if the original card was EMV.

Most ATMs around the world are programmed to "fallback" to the magstripe data if the EMV chip is missing or non-functional on the card. The ATM shouldn't do this, but it often does. And the card would probably work in a lot of retail cases where EMV hardware has not been deployed, too, sometimes even when EMV has been deployed and the card is "foreign". Just as much of a fraud opportunity as online.

There has been reported incidents in Europe of the EMV PIN Entry Devices (PED--card reader and keypad) being compromised by the insertion of snooping hardware into the PED that transmits all the necessary data by mobile phone, with magstripe cards then being created using the snooped data and used abroad to withdraw cash from ATMs. Worryingly, sometimes the PED was compromised in the supply chain to the retailer/store, although sometimes it's a distraction swapout in store or complicit employee looking the other way while the PED (attached to the register) is changed out, or a cleaner doing a swapout out of hours. Less of an issue if the entire payment system is bank supplied and has no or limited connection to the register or billing system.

So, as you say, EMV is not perfect, but it does raise the bar a bit, and a well engineered end to end implementation of EMV significantly reduces the risk of a breach. But better implementation standards for all aspects of card processing are sorely needed (closing down the ATM loophole, for example) and I think PCI-DSS QSAs really need to catch up with the real exploits, including in-memory exposures but also hardware audits (and better POS software that detects/deters PED swapout).

Posted by guest on January 24, 2014 at 06:06 AM CST #

All excellent points.

Posted by David on January 24, 2014 at 07:02 AM CST #

Post a Comment:
Comments are closed for this entry.
About


David Dorf, Sr Director Technology Strategy for Oracle Retail, shares news and ideas about the retail industry with a focus on innovation and emerging technologies.


Industry Connect


Stay Connected
Blogroll

Search

Archives
« April 2014
SunMonTueWedThuFriSat
  
1
2
3
4
5
6
8
9
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
   
       
Today