Wednesday Jan 22, 2014

Will EMV Protect Retailers?

Will EMV protect retailers?  About as well as PCI certification does today.  I used to work with the Europay/Mastercard/Visa standard when I developed software for smartcards, and the technology is certainly better than the ancient magstripe cards we use today.  But it was created before e-commerce really took off, and the US implementation of EMV isn't very secure.  Let's imagine for a moment that Target was ahead of the 2015 deadline and already had smartcard readers in its stores (like they did back in 2001).  Would they have been protected?

Since the smartcard has a tiny microprocessor embedded, it can do calculations like encryption.  When the card is inserted, it authenticates the POS, and the POS authenticates the card using a shared secret (typically an encryption key).  But in the case of Target, the POS was legit so they would have trusted each other anyway.

The typical Chip & PIN implementation in Europe requires the cardholder to enter a PIN to unlock the card, but in the US the PIN is optional and usually not required.  Do you know the PIN for your credit card?  No one does because the banks think it would be inconvenient.

Since trust has been established, the smartcard sends over the account number and other associated data.  It's in the clear for a brief moment before it's encrypted and sent to the bank.  This is the same situation as with the magstripe.  Until the banks establish the ability to support end-to-end encryption and/or tokenization, we've still got the same issue.

There is one area where EMV helps a little.  The thieves still get the credit card data but they won't be able to create fake smartcards.  Those chips need to be programmed with the right data and keys, which are only available at the issuing bank.  So even though they managed to get the data, they can't create forged cards. Except for one little issue -- they can just use the card data online.  No need to create cards at all.
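To make the argument above concrete, here is an added toy model (my own code, not from this post and not the EMV specification) of the three points just made: the chip authorises a card-present sale with a cryptogram keyed by a per-card secret shared only with the issuer, the account number still sits in POS memory in the clear, and online the bare PAN is accepted with no chip in the loop. It also models the tokenization mitigation the previous paragraph mentions, as a merchant-bound token; the key scheme, the token format and the HMAC construction are assumptions of this example.

```python
import hashlib, hmac, secrets

# Constructed toy model of the post's argument (a hypothetical simplification,
# not the EMV specification). Each chip shares a per-card key with its issuer.
ISSUER_KEYS = {}    # PAN -> key, held by the issuer and burned into the chip
ISSUER_TOKENS = {}  # token -> (PAN, merchant), for the tokenization mitigation

def issue_card(pan):
    """Issuer personalises a chip: the PAN plus a key nobody else can read."""
    ISSUER_KEYS[pan] = secrets.token_bytes(16)
    return {"pan": pan, "key": ISSUER_KEYS[pan]}

def _mac(key, pan, amount, unpredictable_number):
    msg = f"{pan}|{amount}|{unpredictable_number}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def chip_cryptogram(card, amount, unpredictable_number):
    """What a genuine chip computes at the POS over this transaction's data."""
    return _mac(card["key"], card["pan"], amount, unpredictable_number)

def authorize_card_present(pan, amount, unpredictable_number, cryptogram):
    """Issuer verifies the cryptogram; a chip without the key cannot pass."""
    key = ISSUER_KEYS.get(pan)
    if key is None:
        return False
    expected = _mac(key, pan, amount, unpredictable_number)
    return hmac.compare_digest(expected, cryptogram)

def authorize_card_not_present(pan_or_token, merchant):
    """Online purchase, no chip in the loop: a raw PAN is accepted as-is (the
    gap the post describes); a token only at the merchant it was minted for."""
    if pan_or_token in ISSUER_KEYS:
        return True
    bound = ISSUER_TOKENS.get(pan_or_token)
    return bound is not None and bound[1] == merchant

def tokenize(pan, merchant):
    """Mitigation: the POS retains a merchant-bound token instead of the PAN."""
    token = "tok_" + secrets.token_hex(8)
    ISSUER_TOKENS[token] = (pan, merchant)
    return token

def pos_transaction(card, amount):
    """Card-present sale: returns the authorisation result and what sits in POS
    memory in the clear before it is encrypted for the bank."""
    un = secrets.randbelow(2 ** 32)  # terminal's unpredictable number
    cryptogram = chip_cryptogram(card, amount, un)
    captured = {"pan": card["pan"], "amount": amount, "un": un, "cryptogram": cryptogram}
    return authorize_card_present(card["pan"], amount, un, cryptogram), captured
```

Run `pos_transaction` once and inspect the returned `captured` dict: it is exactly the data a memory scraper on the terminal would see, and it is enough for `authorize_card_not_present` but not for a fresh `authorize_card_present`.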

Just as PCI didn't really make retailers safe from fraud, neither will EMV.  It's a step in the right direction, but far from perfect.

Thursday Mar 29, 2012

Hello PCI Council, are you listening?

Mention "PCI" to any retailer and you'll instantly see them take a deep breath and start looking for the nearest exit.  Nobody wants to be insecure, but few actually believe that PCI does anything more than focus blame directly on retailers.  I applaud PCI for making retailers more aware of the importance of security, but did you have to make them PAINFULLY aware?  POS vendors aren't immune to this pain either as we have to undergo lengthy third-party audits in addition to the internal secure programming programs.  There's got to be a better way.

There's a timely article over at StorefrontBacktalk that discusses the inequity of PCI's rules, and also mentions that the PCI Council is accepting comments until April 15th.

As a vendor, my biggest issue with PCI is that they require vendors to disclose the details of any breaches, in effect "ratting out" customers.  I don't think it's a vendor's place to do this.  I'd rather have the trust of my customers so we can jointly solve the problem.

Mary Ann Davidson, Oracle's Chief Security Officer, has an interesting blog posting on this very topic.  It's a bit of a long read, but I found it very entertaining and thought-provoking.  Here's an excerpt:

...heading up the list of “you must be joking” regulations are recent disturbing developments in the Payment Card Industry (PCI) world. I’d like to give [the] PCI kahunas the benefit of the doubt about their intentions, except that efforts by Oracle among others to make them aware of “unfortunate side effects of your requirements” – which is as tactful as I can be for reasons that I believe will become obvious below - have gone, to-date, unanswered and more importantly, unchanged.

I encourage you to read the entire posting, Pain Comes Instantly, and then provide feedback to the PCI Council.
