Isn't it About Time to Get Moving on Chip and PIN?
I got to thinking about the 3 "big story" breaches that we've all been discussing over the last month or so. Just adding things up, we're at a count of over 100 million cards and sets of personal information disclosed.
Just thinking about it over the weekend, I realized two things:
1/ All these breaches affect the only region still using swipe-only (magnetic stripe) credit cards - the United States.
2/ The count of cards compromised is right around 1/3 the population of the United States.
With this many cards compromised and needing replacement, isn't it time that the industry wakes up and smells the coffee? Everyone (yes everyone) else in the world has moved to Chip and PIN technology, which makes theft of credit cards much more difficult (though not impossible, looking at recent events in the UK). These breaches illustrate (again) that the US staying on this old technology for cards has the effect of making theft of cards much easier in the US, focusing the attention of criminals on US cards.
If we're replacing that many cards, wouldn't RIGHT NOW be a really good time to issue 110 million bright, shiny new Chip and PIN credit cards for the folks who are the victims of these breaches? I know that this would complicate things on the logistics side, but it's not new technology - this could certainly be arranged. Even if the Chip / PIN technology isn't actually used (there are a boatload of machines that need replacing for one thing), it at least gets things moving in the right direction.
Please, share your thoughts on this in our comment form - am I off base?
===============
Rob VandenBrink
Metafore
Comments
If you want Chip and PIN to happen quickly, you need to create incentives. PCI-DSS isn't good enough and you can't throw the Target C-levels in jail or fine them for non-compliance to a standard that doesn't exist. As consumers it stinks that major breaches happened, but Chip and PIN is coming. The real question to ask is how to fix Chip and PIN's security flaws.
Anonymous
Feb 10th 2014
1 decade ago
The WMS equipment using the Symbol/Motorola scanners could be fixed much easier and cheaper by implementing 3D barcode scanning. The card would be much cheaper to replace and is not affected by mechanical abrasion, electrical/static or water.
However, the most secure would be RFID & PIN like some cards have, no abrasion and wrapped safely in plastic. Just another thought.
Anonymous
Feb 10th 2014
1 decade ago
The push cannot come from banks or retailers because that stuff costs money and the consumers are largely ignorant that it even exists.
The push must come from the payment card industry or from the government.
I have also read that the Visa and Master Card are going to start putting banks and retailers on the hook for fraudulent charges from non Chip-and-PIN cards as early as next year. If that doesn't light a fire under some execs, nothing will.
Lord knows we have enough regulation as it is and the more specific it gets the easier it is to "just so" everything so that you comply but are actually less secure. Having a more flexible industry "suggestion" makes much more sense.
Anonymous
Feb 10th 2014
1 decade ago
In October 2015, Visa has a liability shift scheduled--if a fraud could have been prevented by EMV, then the merchant is liable. The biggest expense to migrate is borne by merchants--those little EMV terminals are not cheap and there has been a lot of pushback on that date. I suspect the good that will come out of these recent large breaches is that the date will stick after all. "Right Now" is not likely to happen. But perhaps "As Scheduled" might.
And yes, the whole world but the US converted, long, long ago. Wet chips, scratched chips, all seem to be quite manageable. But open track data with open transactions is not.
[1] http://ap-gfkpoll.com/featured/ap-gfk-poll-breaches-not-changing-peoples-habits
Anonymous
Feb 10th 2014
1 decade ago
You can get EMV cards in the US from most card providers if you ask.
Anonymous
Feb 10th 2014
1 decade ago
The banks in the U.S. who do issue EMV cards tend to issue chip-and-signature instead of chip-and-pin. Which works just fine in Europe - the handheld devices they use over there can deal with either one. The problem you might face is at an unattended kiosk of some sort (say you want to rent a "Boris-bike" bicycle in London, you apparently need a c&p card. Didn't try when I was there, so I don't know if that's a real problem). The card I have came from BofA, but I had to call and ask for it. Not all flavors of cards from BofA support EMV yet. I also called Amex, and they said it was not yet available for the flavor of the card I have (Delta skymiles).
There is also a little retraining of both customers and clerks. EMV transactions work a little differently - you don't just swipe the card through. You stick the card in the machine, and it needs to stay there for 10-15 seconds until the transaction is complete.
As tempting as it is to advocate EMV cards, I would say that it is necessary but not sufficient. Clearly there are other problems at some of these merchants which allow the bad guys to get in. Using EMV might make it impossible for the crooks to get credit card info from your point of sale terminals, but if the bad guys are in your network they will look for something else that they can monetize. I would say that in *addition* to EMV, that additional measures need to become both routine and required to ensure that unauthorized people cannot gain access to the network. Two-factor authentication comes to mind as one thing that should be mandatory, but I think there were other flaws at Target which contributed to the mess there. They haven't been very forthcoming about what really went on, so we can only sort of guess what types of flaws enabled this attack to happen.
I should add that EMV cards are ISO 7816 compliant, meaning that the contact patterns and electrical specs on the credit cards match the specs on a smartcard that can be used for Windows logon. I stuck my credit card in the smartcard slot on my laptop and was able to read off some amount of the data that is stored there in the EMV chip.
Anonymous
Feb 10th 2014
1 decade ago
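The ISO 7816 point in the comment above (an EMV card answers the same APDUs as any other smart card, so a PC/SC reader can pull data off it) is worth seeing concretely. The following is an added example, not code from the diary or its commenters: a small BER-TLV decoder for the File Control Information (FCI) template an EMV application returns to a SELECT command, run over a constructed byte string so it needs no reader. The AID in the sample is Mastercard's public AID; the label, priority indicator and PDOL values are constructed. Tag names are the ones the EMV specifications assign. What comes back is application metadata, not secrets: the card's private keys never leave the chip, which is exactly why a read like this does not let anyone clone the card the way a copied magnetic stripe does. The decoder checks every claimed length against the bytes actually present, which is the check any code that parses responses from an untrusted card should make.

```python
"""Decode the BER-TLV data an EMV application returns to SELECT.

Sample bytes are constructed inline; no card reader is needed.
"""
from __future__ import annotations

# Constructed SELECT response: FCI template (6F) wrapping the DF Name (84)
# and the FCI proprietary template (A5), followed by status word 90 00.
SAMPLE_RESPONSE = bytes.fromhex(
    "6F1B"
    "8407A0000000041010"   # 84: DF Name (public Mastercard AID, sample only)
    "A510"
    "50054445424954"       # 50: Application Label "DEBIT" (constructed)
    "870101"               # 87: Application Priority Indicator (constructed)
    "9F38039F6604"         # 9F38: PDOL asking for 4 bytes of tag 9F66 (constructed)
    "9000"                 # SW1 SW2: success
)

# Tag names from the EMV specifications (subset).
TAG_NAMES = {
    "6F": "FCI Template",
    "84": "DF Name",
    "A5": "FCI Proprietary Template",
    "50": "Application Label",
    "87": "Application Priority Indicator",
    "9F38": "PDOL",
}


def _read_tag(data: bytes, i: int) -> tuple[str, bool, int]:
    """Return (tag as upper-hex, constructed?, next index).

    A first byte whose low five bits are all set starts a multi-byte tag;
    continuation bytes have bit 8 set. Bit 6 of the first byte marks a
    constructed object whose value is itself TLV data.
    """
    if i >= len(data):
        raise ValueError("truncated tag")
    start, first = i, data[i]
    i += 1
    if first & 0x1F == 0x1F:
        while True:
            if i >= len(data):
                raise ValueError("truncated tag")
            b = data[i]
            i += 1
            if not b & 0x80:
                break
    return data[start:i].hex().upper(), bool(first & 0x20), i


def _read_length(data: bytes, i: int) -> tuple[int, int]:
    """Short form (< 0x80) or long form (0x8N followed by N length bytes)."""
    if i >= len(data):
        raise ValueError("truncated length")
    b = data[i]
    i += 1
    if b < 0x80:
        return b, i
    n = b & 0x7F
    if n == 0 or n > 4 or i + n > len(data):
        raise ValueError("bad length encoding")
    return int.from_bytes(data[i:i + n], "big"), i + n


def parse_tlv(data: bytes) -> list[dict]:
    """Parse a BER-TLV byte string into a tree; refuse any over-long claim."""
    nodes, i = [], 0
    while i < len(data):
        if data[i] in (0x00, 0xFF):   # inter-object padding allowed by BER
            i += 1
            continue
        tag, constructed, i = _read_tag(data, i)
        length, i = _read_length(data, i)
        if i + length > len(data):
            raise ValueError(f"tag {tag} claims {length} bytes, {len(data) - i} remain")
        value, i = data[i:i + length], i + length
        node = {"tag": tag, "name": TAG_NAMES.get(tag, "unknown")}
        if constructed:
            node["children"] = parse_tlv(value)
        else:
            node["value"] = value
        nodes.append(node)
    return nodes


def find_tag(nodes: list[dict], tag: str) -> dict | None:
    """Depth-first search for the first object carrying `tag`."""
    for node in nodes:
        if node["tag"] == tag:
            return node
        hit = find_tag(node.get("children", []), tag)
        if hit is not None:
            return hit
    return None


def decode_select_response(resp: bytes) -> dict:
    """Split off the status word, parse the FCI, and summarise the key fields."""
    if len(resp) < 2:
        raise ValueError("response shorter than a status word")
    body, sw = resp[:-2], resp[-2:].hex().upper()
    tree = parse_tlv(body)
    aid, label, pdol = (find_tag(tree, t) for t in ("84", "50", "9F38"))
    return {
        "sw": sw,
        "aid": aid["value"].hex().upper() if aid else None,
        "label": label["value"].decode("ascii", "replace") if label else None,
        "pdol": pdol["value"].hex().upper() if pdol else None,
    }


if __name__ == "__main__":
    print(decode_select_response(SAMPLE_RESPONSE))
```

With a real reader, the bytes would come from a SELECT APDU sent over PC/SC; everything after that point is the same parse. The PDOL entry is the card telling the terminal which data it wants before it will generate a cryptogram, which is the part of the EMV exchange that a copied stripe can never reproduce.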
[quote]I should add that EMV cards are ISO 7816 compliant, meaning that the contact patterns and electrical specs on the credit cards match the specs on a smartcard that can be used for Windows logon. I stuck my credit card in the smartcard slot on my laptop and was able to read off some amount of the data that is stored there in the EMV chip.[/quote]
Exactly!!! For those that have actually worked with ISO 7816 technology, it is not a "utopian" solution. Move to RFID or laser scanning.. Have not heard of many "3D" postage stamps being hijacked.
Anonymous
Feb 11th 2014
1 decade ago
I suspect that the biggest part of the issue will not be replacing the terminals, but replacing the POS software and retraining the employees.
Anonymous
Feb 11th 2014
1 decade ago
Um, not so. We've been using Chip and PIN credit cards in Canada for at least half a dozen years now.
I use my credit card at least 100 times a month, and I've yet to have had any failure in reading the chip. (No, I refuse to use the RFID feature of the card - so I can have verifiable deniability.) The gold plating is a little worn/polished, but no worse than the plastic surface of the card. Bonus: you're not leaving a valid sample of your signature everywhere.
Really, I'm astonished that y'all in the 'States aren't already using this.
Anonymous
Feb 11th 2014
1 decade ago