With the expiration of the Oct. 1 deadline for requiring merchants, payment processors and banks to support EMV cards, a number of pieces remain missing. It's perhaps the weirdest war of words ever. Driven by a shift in liability for fraudulent transactions, banks and retail firms have taken to lobbing critical press releases at each other, charging that the other side has not done enough to protect consumer data. At its heart, the debate boils down to whether retailers' forced move to chipped credit cards is enough to protect customers' data or whether additional measures need to be rolled out as well. Retailers, which have rushed the rollout of point-of-sale infrastructure to accept chip cards, argue that banks should require PINs to secure transactions, a proposition that requires financial institutions to roll out expensive infrastructure and pay for costly support. "Retailers have invested billions to implement new chip-enabled card readers in stores nationwide," Brian Dodge, executive vice president of the Retail Industry Leaders Association (RILA), said in a statement. "Now, retailers are asking banks and credit unions to meet that commitment by issuing new chip cards with PINs." Banks have fired back, stating that retailers need to secure their payment infrastructure to protect consumer payment data from hard-to-stop cyber-criminals. "Millions of Americans have had their most sensitive information compromised in retailer data breaches, so it's understandable that consumers are concerned that retailers aren't doing more to prevent future hacking incidents," Doug Johnson, the American Bankers Association's senior vice president of payments and cyber-security policy, said in a recent release. "... Retailers need to join with banks and payment networks to combat fraud and focus on the future by updating their payment security systems and proactively working to address emerging threats head-on." Welcome to the post-liability-shift world. 
Retailers, payment processors and card issuers rushed to meet an Oct. 1 deadline to implement the Europay-Mastercard-Visa (EMV) standard for payment security, also known as chip-and-PIN security. Most, however, have missed the deadline. The standard requires credit-card issuers to replace mag-stripe credit and debit cards with smart cards capable of encrypting transaction data and requires retailers to upgrade their payment-card readers, resulting in increased costs to the businesses. With Oct. 1 in the rearview mirror, the least-compliant participant in the transaction chain will be responsible for any fraud. The liability shift means that issuers will be held financially responsible for fraudulent transactions, if they have not issued new chip cards to consumers, while the merchants' payment-processing partners will be held liable if a mag-stripe transaction results in fraud, and those fines could be passed on to the retailers. The penalties could be high. Still, retailers have replaced less than a quarter of the 12 million payment terminals, according to financial-market services firm CreditCards.com. Only 40 percent are expected to be upgraded by the end of the year. In addition, fewer than half of consumers have received a chip card to replace an existing mag-stripe credit or debit card, Matt Schulz, senior analyst for the firm, told eWEEK. "The giant retailers are the most likely to have this up and running," he said. "When you get to the mom-and-pop stores, many of them do not even know this is happening." While the complexity of the issue may be to blame for the lack of adoption, some retailers are undoubtedly taking a wait-and-see attitude, because the technology has some practical issues as well. Some consumers and retailers, for example, have complained that processing a transaction via chip cards takes more time, Schulz said. 
"I've heard from consumers that I've talked to that it takes longer, and people think that it is a little bit inconvenient to take extra time," he said. It boils down to pitting the potential losses due to fraud against the losses due to customer confusion or impatience with the new technology, Richard Peters, director of corporate consultancy Berkeley Research Group, told eWEEK. "It seems as if there were a lot of misses in the Oct. 1 deadline," he said. "It was announced years ahead of time that this was coming, but here we are with the majority of retailers still not changed over." Even when the technology is 100 percent deployed, transactions still will not be totally secure, says Peters. Retailers have a point that chip cards without a PIN are only half of a solution. The chip in the payment card can protect the data on the card, but relying on a signature is a less secure way to authorize the transaction, he said. "The future part of this, a big piece of that is the PIN," Peters said. "With the PIN, you have something you know along with something that you have, and that makes it more secure." The fully implemented technology is not foolproof, either. Recent reports that criminals had circumvented chip-and-PIN in 2011 join prior reports of security vulnerabilities to call into question whether EMV can protect consumers. Moreover, the technology is a solution to only a specific piece of the fraud equation—counterfeit-card fraud. In the United Kingdom, for example, chip-and-PIN has resulted in a drop in counterfeit fraud from $259 million in 2008 to $73 million in 2014, according to Financial Fraud Action UK. Online fraud, however, is not solved by chip-and-PIN technology. The same report found that card-not-present fraud initially declined after 2008, but had recovered to the same level by 2014. "Online fraud is the low-hanging fruit that counterfeiting used to be, so criminals are switching to that tactic," CreditCards.com's Schulz said. 
"There are a lot of calls in the industry for approaches necessary to address online fraud."
NEWS ANALYSIS: Small businesses testifying before the House Committee on Small Business shared tales of woe and pleaded for chip-and-PIN technology. It's rare for witnesses invited by both political parties at a U.S. Congressional hearing to be in unanimous agreement—so rare that when I settled in to watch the testimony before the U.S. House of Representatives Committee on Small Business, I fully expected to see the committee and its witnesses at loggerheads regarding EMV card adoption. I was wrong. First, as is always the case with the majority party, came the witnesses for the Republicans. There, the witnesses included a series of small-business owners and managers, all of whom bemoaned the lack of information, and in fact, the lack of any communications regarding the adoption of EMV card technology, in which credit and debit cards are outfitted with a chip that eliminates the need for the magnetic stripe technology that until now has been in common use in the United States. While the experiences of the small businesses were different, they all found information wanting. Only one witness, Jami Wade, owner of Capital City CORK, a restaurant and wine store in Jefferson City, Mo., had been able to successfully convert her point-of-sale system over to accept EMV-equipped credit cards. While she was successful, she made it a point to explain to the committee that her credit card processor had an office down the street and was a regular customer in her restaurant. She also said that she took proactive action to make sure she was ready for the liability shift, and ready to accept cards with chips when they started showing up. The other small businesses testified that they had been unable to complete the transition. In one case, gallery owner Keith Lipert, from Washington, D.C., said that, so far, he's not even been able to get his credit card processor to discuss using cards with chips. 
The other witnesses, including convenience store and gas station owners, had similar stories. They were struggling to get information on accepting cards with chips, but even worse, they were deeply concerned about the rarity of EMV cards with PINs for security. The Democrats' witness, Ed Mierzwinski, consumer program director and senior fellow for the U.S. Public Interest Research Group, said that his research supported the positions of the other witnesses. He added that it appears to him that credit card processors are "slow walking" the process, and taking advantage of only those parts of the EMV conversion that benefited them. This meant that card processors are adopting EMV in its chip-and-signature form, which prevents counterfeit cards from being used, Mierzwinski said. However, the card processors are not adopting the use of PINs, which are more secure and prevent the use of lost or stolen credit cards, because it would reduce their profits, he added. Another witness said that the liability shift was meaningless because card processors were already charging merchants for disputed charges even when their actions were contrary to the law. The liability shift is a practice put into place by the major credit card issuers, effective Oct. 1, that changes the way fraudulent charges are handled. Before Oct. 1, the credit card issuers absorbed bogus charges as long as the merchant followed the rules and met compliance requirements. After the shift, merchants that accept a card with a chip that turns out to be bogus are stuck paying for the charge. The only way they can avoid that is by having, and using, a terminal with a card reader.
Over $680,000 stolen via a clever man-in-the-middle attack.
NEWS ANALYSIS: Despite years of warnings, a large percentage of U.S. businesses aren't ready for the switch to EMV cards, and many don't even know about it. The long-awaited credit card liability shift happens...
NEWS ANALYSIS: A trial of EMV chip cards reveals an unacceptably high rate of failures that could compromise their adoption at U.S. retail outlets. One of the store managers at a Walmart store in Fairfax, Va., stood next to me as we watched a sales transaction fail—again. This was the third time I'd tried to pay for a phone charger using a debit card equipped with an EMV chip, and for the third time it failed. Each time the message on the screen of the point of sale (POS) terminal said the same thing, "Cancelled." Next I slid my American Express card into the EMV slot on the terminal, and the sale went as it should have to complete the purchase of the charger I needed to replace the one that I'd left on a United Airlines 777 a few days before as I returned from Germany. My EMV troubles actually started while on my Germany visit. A few days before my Walmart visit, I had to visit a T-Mobile store in Hannover, Germany, to replace a cell phone that had, in technical terms, "died." My EMV-equipped MasterCard had not been able to complete the purchase, although the error message was different from the one I experienced in my local Walmart (perhaps because it was in German instead of English). Again, I was able to use an alternate card. This turned out to be a harbinger of future behavior as the chip and PIN card the bank had told me so confidently would work in Europe didn't actually work. A second test in Germany came at the Frankfurt airport when my newly acquired EMV-equipped card failed in its critical mission of helping me obtain a particularly interesting single malt Scotch whisky at the duty-free store. This time instead of saying it was canceled, the POS terminal just said the chip was invalid. Fortunately, I'd taken several chip cards along on the trip to Hannover, so I had a backup that did work. 
But by the time I'd reached the Walmart to purchase the phone charger, I'd had occasion to try to use six different EMV-equipped cards, of which two failed to function as they should have. Both of the failed cards were of the chip and PIN variety. Once I'd returned to the U.S., I called the banks about the problems with their respective cards, and in both cases the customer service representatives seemed unsurprised. One said that he'd experienced this problem before. "This is what happens when the chip is defective," he'd explained while ordering a replacement card for me. At the other bank, the response was similar when the agent said he'd send the replacement even before I'd finished describing the failure. While I don't have any numbers to prove it since the banks aren't sharing information about failure rates or related problems, it was clear from the response of the support staff that my experience wasn't rare or unusual. During this time I heard from others via social media of similar problems at other stores. A friend of my daughter was having trouble using her chip card anywhere that accepted the card.
NEWS ANALYSIS: The latest news in secure payments is that customers are getting chip cards, but progress in the conversion to chip-enabled cards remains uneven. The good news for companies that accept credit c...
NEWS ANALYSIS: Businesses in the U.S. can expect to start seeing significantly more cards with EMV chips in 2015, but that doesn't mean progress is steady. I was on the phone to a customer service representative...
Microsoft teams with point-of-sale solution providers to help retailers combat payment fraud and avoid getting stung by the upcoming credit card liability shift. Microsoft wants to make large-scale credit card fraud a thing of the past and help retailers to modernize their showrooms and sales floors with mobile and cloud-enabled point-of-sale (POS) systems. The Redmond, Wash.-based software giant has teamed with point-of-sale (POS) systems and solutions providers to help spur adoption of the Europay, MasterCard, and Visa (EMV) standard, also known as chip and PIN, the company announced at the National Retail Federation's Big Show conference in New York City. Compared to traditional magnetic-stripe technology, EMV-compliant cards have embedded microprocessors that thwart counterfeiting. In October 2015, a credit card liability shift will take effect in the United States. Whereas banks have historically been on the hook for fraudulent charges, new credit card processing rules will shift that responsibility to merchants, incentivizing them to beef up their own security. Home Depot and Target, both victims of massive data breaches, have pledged to switch to EMV. Microsoft and its partners are introducing Windows-based POS systems to help other merchants embrace EMV. Panasonic unveiled the Toughpad FZ-R1, a ruggedized Windows 8.1 tablet with a built-in PIN pad and Near Field Communication (NFC) for mobile payment services like Google Wallet and Apple Pay. "A fully integrated EMV solution, the tablet has the ability to accept any sort of digital payment in minutes," said Brendan O'Meara, senior director of Worldwide Retail and Consumer Goods at Microsoft, in a blog post. "It's also a mobile POS device with an optional dock for standard counter service, and can house apps and services to meet many essential customer needs." FreedomPay is leveraging Microsoft Azure to provide both secure transactions and deliver more personalized shopping experiences. 
The new FreedomPay Commerce Platform is "a secure payment switching technology running on the Microsoft Azure Cloud that works with EMV certified devices, and implements PCI [Payment Card Industry] Validated Point to Point Encryption capabilities that safeguard the sensitive card and customer data," said O'Meara. Security aside, the solution also opens revenue-generating opportunities for retailers. "Using Machine Learning capabilities and Business Intelligence platforms on Azure, merchants can offer the customer real-time purchase recommendations, loyalty programs, coupons, warranties, and the chance to donate to charity," he said. Hewlett-Packard (HP) is supporting the FreedomPay Commerce Platform for its latest mobile POS offering, revealed O'Meara. "HP released a new EMV capable ElitePad Retail Case, a flexible and versatile piece of hardware that enables retailers the ability to switch from a fixed to mobile POS whenever needed, including FreedomPay's Commerce Platform." A flexible docking system—the ElitePad can also be fitted into a fixed location—allows HP's new device to deliver an Apple Store-like experience where the POS system comes to the customer. "This allows store associates to walk around the store with their tablet to help customers, then easily switch it back to a conventional counter check-out service in no time," said O'Meara.
NEWS ANALYSIS: The next major standard for payment security goes into effect on Jan. 1, 2015, but it's missing some critical items. On Jan. 1, 2015, the Payment Card Industry Data Security Standard (PCI DSS) version 3.0 formally goes into effect, ushering in a new era of compliance specifications to secure payment card data. The PCI DSS 3.0 specification was approved in December 2013, giving retailers and those who handle payments a year to get ready. The PCI DSS 3.0 specification includes many improvements and process clarifications from the PCI DSS 2.0. With PCI DSS 3.0, there is a clear focus on making security an ongoing process, as opposed to just a once-a-year activity with checkbox items for compliance. Although there are many different requirements in PCI DSS 3.0, some items that are part of secure payment deployments are not part of the specification. One of the most often talked about security improvements for payments, especially in the United States, is the use of chip-and-PIN credit cards, also known as EMV (Eurocard Mastercard Visa). Although EMV is considered by many to be a security improvement over magnetic-stripe-based credit cards, PCI DSS 3.0 does not mandate the use of EMV—and likely never will. "PCI DSS 3.0 is mute on EMV, and the reason [is that] EMV is essentially an anti-fraud mechanism," said Greg Rosenberg, security engineer at Trustwave. "PCI DSS is a mechanism to prevent card data from being stolen," he told eWEEK. Speaking metaphorically, Rosenberg compared PCI DSS and EMV to peanut butter and jelly. He added that there is some degree of collaboration across the standards bodies that govern PCI DSS and EMV, and both groups understand that using the two standards together is powerful for security. "I think that EMV has been mislabeled in terms of its data security potential," Rosenberg said. "It's a great tool that largely focuses on increasing the cost of replicating a card if it is stolen." 
The EMV specification does not deal with card data security after the card data has been captured by a point-of-sale (POS) device, Rosenberg said. In contrast, that's the area where PCI DSS is strong, helping to provide guidance and best practices for securing the card holder data. "EMV, used properly in the right context will be a great anti-fraud mechanism," Rosenberg said. Nicholas Percoco, vice president of strategic services at Rapid7, noted that PCI DSS has never had an emphasis on the actual types of payment cards that merchants should accept. Payment card technology discussions are held at the card brand and card issuer level, he added. "As new technologies come in like EMV and Apple Pay, PCI DSS will continue to evolve to secure payment card data," Percoco said. "But as far as I know, PCI will not call out the use of EMV; that activity only comes out of direct mandates from the card brands." EMV use in the United States is set to grow in the coming year, with a recent report forecasting that up to 70 percent of U.S. credit cards will have EMV chip-and-PIN technology by the end of 2015.
Penetration Testing
While the overall PCI DSS 3.0 specifications are effective Jan. 1, not all of the requirements in the new specifications go into effect on that date. Among the delayed PCI DSS 3.0 requirements is one for enhanced penetration testing.
NEWS ANALYSIS: Holiday season shoppers will now be able to buy things more securely as acceptance of cards with EMV chips grows, but real payment card security is still a long way off. I was standing in line at a Walmart store in Fairfax, Va., when I spied the tell-tale slot in the credit card machine. Under the slot was a stylized image of part of a credit card with a chip. So when it was my turn I slipped one of my credit cards with an EMV (Eurocard MasterCard Visa) chip into the slot and waited. The pharmacist and a staffer moved over for a look. A series of prompts appeared on the credit card reader's LCD screen, at which point I punched in my PIN. The transaction took a few more seconds, then a receipt came out of the printer. I'd just done something that's all too rare in the U.S., despite the fact that it's common everywhere else in the world. I'd made a purchase using a chip and PIN card. When I talked to the pharmacist at the register, she told me that only a couple of other customers had attempted to use cards with chips while she was there, but she said that she knew they were starting to appear in Walmart's stores. Part of the reason, she said, was that the company's own branded credit cards were all being replaced by chip and PIN cards. My search continued. I shopped at several Target stores and two Home Depot stores in the Washington, DC, suburbs. The machines with the slots for accepting EMV cards were usually there. Target, which was hit a year ago by a massive data breach, seems to have replaced all of the card reader machines. But they didn't accept EMV cards—you still have to swipe the card so the machine can read the magnetic stripe. At Home Depot, which had an even worse data breach, the implementation of secure card readers seems to be only partially complete. I kept looking. The manager of a Safeway grocery store in Fairfax County, Va., had no idea what an EMV card was, for example. But there were bright spots, as well. 
I was able to make secure payments using either cards with EMV chips or with Apple Pay at a variety of stores including at the Wegmans grocery chain and at a Subway restaurant. I was able to buy a healthful and nourishing breakfast at McDonalds securely. I took my quest to Sam's Club in the remote city of Lynchburg, Va., and I was able to buy some Diet Coke and a land line phone using my EMV-equipped credit card. I also visited a number of small businesses and whenever I had occasion to use a credit card, I would ask about EMV acceptance.
Home Depot, Target also promised to start using chip-and-PIN terminals by Jan. 2015.
NEWS ANALYSIS: Home Depot is accelerating the deployment of EMV chip-and-PIN cards, but that's little consolation to holders of 56 million payment cards exposed in a massive cyber-attack. As a result of the massive cyber-attack on its point-of-sale (POS) systems, Home Depot is accelerating its move to EMV chip and PIN cards. The company said all stores will be equipped with such terminals by the end of 2014. The imposition of chip-and-PIN terminals will reduce Home Depot's exposure in the future, but is unlikely to do anything in the short term to protect customers holding the 56 million payment card numbers that were compromised in the cyber-attack. The Home Depot data breach, first disclosed by the retailer in early September, affected purchases at stores in the United States and Canada between April and September 2014. According to Home Depot's announcement, the breach did not affect stores in Mexico, and did not expose PIN numbers. Canadian Home Depot stores are already equipped with EMV card readers. However, cards from those stores were also compromised and could still be used for fraudulent remote purchases. Although counterfeit cards bearing account numbers exposed in the breach now can't be used at Home Depot, they could still be used at stores that haven't upgraded beyond magnetic-stripe readers. In addition, those cards would remain vulnerable to "card not present" transactions such as phone and Internet purchases. In its most recent statement, Home Depot said it learned of the breach from law enforcement and banking partners who were able to correlate payment card numbers offered for sale on a Russian cyber-crime site with Home Depot store locations. According to several security researchers reached by eWEEK, such lists of credit and debit cards frequently provide location information so that criminals can use the cards where they will be the least likely to raise suspicion. 
The company said that the malware that was used to steal the payment card information was custom-written for Home Depot's POS system. According to security blogger Brian Krebs, the malware was apparently installed on self-checkout POS terminals. Krebs reported that the number of compromised cards actually being used was smaller than most banks expect, which may be related to the fact that the malware only existed on those self-service terminals. Perhaps more important, Home Depot has also completed a project that encrypts all card data. "The company's new payment security protection locks down payment data through enhanced encryption, which takes raw payment card information and scrambles it to make it unreadable and effectively useless to hackers. Home Depot's new encryption technology, provided by Voltage Security, has been tested and validated by two independent IT security firms," the company said in its statement. Voltage Security provides a range of enterprise security products and services, including POS encryption.