We all know about Target’s breach and the problems it caused the banks and the credit card industry. Everyone said that we have to do something different with our credit card systems. Target announced that they were going to accelerate their rollout of Chip-and-PIN technology. Then Home Depot got hit and even more credit card numbers were compromised. On September 18th they announced that the malware used in the breach had been eliminated from their networks, that they would be rolling out more encryption of credit card numbers to help protect customers, and that they were accelerating their rollout of Chip-and-PIN technology. The Canadian stores already have this technology and it will be deployed to all US stores by the end of this year, well ahead of the 2015 deadline.
The current problem is that your credit card information resides on a magnetic stripe that uses the same technology that has been used for 40 years. It contains the information needed to transact a purchase and is very easy to clone. The new Chip-and-PIN cards use a small microprocessor chip that encrypts the data in a different way each time, so it is much harder and more expensive to clone than the magnetic stripe. While this is new for us, the technology in these “smart cards” is over 10 years old and has been used in Europe and elsewhere for many years.
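The difference between static stripe data and a per-transaction chip value can be shown with a simplified model. This is an added example, not part of the original post: HMAC-SHA256 stands in for EMV's actual cryptogram algorithm, and the key, track data, class and function names are all constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample values; not real card data.
CARD_KEY = b"constructed-per-card-secret"   # assumed to be known only to chip and issuer
STATIC_TRACK = "0000000000000000=0000"       # what a stripe yields on every swipe


def chip_cryptogram(key: bytes, atc: int, amount_cents: int, nonce: bytes) -> bytes:
    """Chip side: MAC over this transaction's data plus a transaction counter (ATC)."""
    msg = atc.to_bytes(2, "big") + amount_cents.to_bytes(6, "big") + nonce
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


class Issuer:
    """Issuer side: recomputes the MAC and refuses counters it has already seen."""

    def __init__(self, key: bytes, track: str):
        self.key, self.track, self.last_atc = key, track, 0

    def authorize_magstripe(self, track: str) -> bool:
        # Static data: a clone's swipe is indistinguishable from the original's.
        return track == self.track

    def authorize_chip(self, atc: int, amount_cents: int, nonce: bytes, ac: bytes) -> bool:
        expected = chip_cryptogram(self.key, atc, amount_cents, nonce)
        if not hmac.compare_digest(expected, ac):
            return False          # wrong key, or amount/nonce/counter altered
        if atc <= self.last_atc:
            return False          # replay: the counter has not advanced
        self.last_atc = atc
        return True


def demo() -> dict:
    issuer = Issuer(CARD_KEY, STATIC_TRACK)
    nonce = b"\x01\x02\x03\x04"   # constructed terminal-supplied value
    ac = chip_cryptogram(CARD_KEY, 1, 2599, nonce)
    return {
        "magstripe_original": issuer.authorize_magstripe(STATIC_TRACK),
        "magstripe_clone": issuer.authorize_magstripe(STATIC_TRACK),
        "chip_original": issuer.authorize_chip(1, 2599, nonce, ac),
        "chip_replay": issuer.authorize_chip(1, 2599, nonce, ac),
        "chip_altered_amount": issuer.authorize_chip(2, 999999, nonce, ac),
    }


if __name__ == "__main__":
    print(demo())
```

Captured stripe data authorizes again unchanged, while a captured chip value fails on replay or when reused with a different amount.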
The retail industry is racing to roll out the EMV (Europay, MasterCard, and Visa) standard, of which Chip-and-PIN is one piece. This standard defines how smart cards interoperate with point-of-sale terminals and ATMs. It includes the Chip-and-PIN that we hear so much about as well as Chip-and-Sign, which seems more likely to get rolled out in the US.
Banks and credit card companies are pushing for the EMV standards to be in place by October 2015. There is an extension of this time for gas pumps and ATMs, but the main reason they are pushing for this is the liability shift. Today, the bank or card brand assumes the responsibility for most fraud losses. Once the deadline passes, the liability for fraud losses will be transferred to the merchant if they do not accept EMV. This shift of liability took place in Europe in 2005 (as well as in Latin America, the Caribbean, New Zealand, and South Africa for some many credit card companies), so once again we are lagging behind on this technology and how liability is handled.
The biggest weakness is the consumers themselves. Many believe that US customers will not accept the Chip-and-PIN technology and will opt for the Chip-and-Sign technology, which means we haven’t really changed that much from where we already are. If someone steals your credit card and uses it as Chip-and-Sign, they can still use the card and forge the signature. They don’t need to know the PIN associated with that card.
There have also been vulnerabilities identified in this technology over the last couple of years. In 2010 a group of researchers at Cambridge demonstrated a ‘Man-in-the-Middle’ flaw where a stolen card could be connected to an electronic circuit and then to a fake card which was inserted into a terminal. Then any 4 digits could be typed in and accepted as a valid PIN. There were also other demonstrations of PIN harvesting and other techniques to circumvent the controls in this technology.
We will be getting new technology on our credit cards over the next year but there will still be risks. If we don’t opt for the Chip-and-PIN we may still need to worry about our card being stolen. And of course, the bad guys will always be out there trying to outwit the newest technology.
You will notice that I have not mentioned online transactions. The main reason is that there is little in this new standard that impacts CNP (Card Not Present) transactions. Some experts predict some type of near-field communication will be used, either as an attached device or built into PCs, that will allow the card to be used for online transactions. But that would be seen once again as an inconvenience and may not catch on. Besides, if we are using the safer Chip-and-PIN card we will be typing in the PIN to the website and now we have something else the hackers will want.
For the near future most experts predict that online fraud will be increasing as stolen card information will be harder to clone and use. In an age where people seem to be ordering more online, it seems counter-intuitive that we would be racing to fix point-of-sale issues while making online transactions that much more attractive to thieves. It seems we are focusing on the problems that the news media are paying attention to; even though the number of cards affected was huge, Target and Home Depot had POS data stolen, so we are focused on POS transactions now. While the move to EMV predates these events, it seems like companies are accelerating this initiative while more and more sales are being made online.