Isn't it About Time to Get Moving on Chip and PIN?

Published: 2014-02-10. Last Updated: 2014-02-10 17:50:07 UTC
by Rob VandenBrink (Version: 1)
20 comment(s)

I got to thinking about the 3 "big story" breaches that we've all been discussing over the last month or so.  Just adding things up, we're at a count of over 100 million cards and personal information disclosed.

Just thinking about it over the weekend, I realized two things:
1/ All these breaches affect the only region still using card-swipe only credit cards - the United States.
2/ The count of cards compromised is right around 1/3 the population of the United States

With this many cards compromised and needing replacement, isn't it time that the industry wakes up and smells the coffee? Everyone (yes everyone) else in the world has moved to Chip and PIN technology, which makes theft of credit cards much more difficult (though not impossible, looking at recent events in the UK).  These breaches illustrate (again) that the US staying on this old technology for cards has the effect of making theft of cards much easier in the US, focusing the attention of criminals on US cards.

If we're replacing that many cards, wouldn't RIGHT NOW be a really good time to issue 110 million bright, shiny new Chip and PIN credit cards for the folks who are the victims of these breaches?  I know that this would complicate things on the logistics side, but it's not new technology - this could certainly be arranged.  Even if the Chip / PIN technology isn't actually used (there are a boatload of machines that need replacing for one thing), it at least gets things moving in the right direction.

Please, share your thoughts on this in our comment form - am I off base?

===============
Rob VandenBrink
Metafore

Keywords: CHIP and PIN
20 comment(s)

Comments

First, EMV has been planned for US deployment for a number of years dating back to 2011 with announcements from the major processors regarding support roadmaps. The US banks haven't been asleep, they just made a calculated decision to not fast-track Chip and PIN. The post at https://www.cs.columbia.edu/~smb/blog/2014-02/2014-02-05.html is a good primer on the topic.

If you want Chip and PIN to happen quickly, you need to create incentives. PCI-DSS isn't good enough and you can't throw the Target C-levels in jail or fine them for non-compliance to a standard that doesn't exist. As consumers it stinks that major breaches happened, but Chip and PIN is coming. The real question to ask is how to fix Chip and PIN's security flaws.
Off base, no, however smart-chips that use mechanical contacts to pull the data have a greater failure rate. Every time you run the card into the machine, it scratches the chip, which in-turn removes contact material. Additionally, if the chip gets wet or static hits it failure rate increases.

The WMS equipment using the Symbol/Motorola scanners could be fixed much easier and cheaper by implementing 3D barcode scanning. The card would be much cheaper to replace and is not affected by mechanical abrasion, electrical/static or water.

However, the most secure would be RFID & PIN like some cards have, no abrasion and wrapped safely in plastic. Just another thought.
I have a story today on ZDNet (http://www.zdnet.com/windows-xp-lives-on-in-atms-crisis-7000026106/) that discusses this in the context of ATMs, but I also talk about EMV. Over the next 2 years, maybe even within a year, you'll see widespread EMV coming out because VISA and Mastercard are going to require it. Acquirers who don't support it will be on the line for fraudulent transactions.
I wanted to say something similar.

The push cannot come from banks or retailers because that stuff costs money and the consumers are largely ignorant that it even exists.

The push must come from the payment card industry or from the government.

I have also read that the Visa and Master Card are going to start putting banks and retailers on the hook for fraudulent charges from non Chip-and-PIN cards as early as next year. If that doesn't light a fire under some execs, nothing will.

Lord knows we have enough regulation as it is and the more specific it gets the easier it is to "just so" everything so that you comply but are actually less secure. Having a more flexible industry "suggestion" makes much more sense.
Lots of moving parts to this. A cynical viewpoint suggests the cost of fraud has not exceeded the cost to migrate to EMV in the US, leading to the non-adoption of the technology. A more cynical viewpoint further suggests recent events may actually be affecting the bottom line of the very members of the PCI Council--this poll [1] shows that a third of respondents have used cash rather than cards in January in reaction to security concerns. And anybody else notice those big, full page ads by the card brands proclaiming zero liability in case of badness? Yes, the cynic in me thinks that perhaps the bottom line is being threatened a bit...

In October 2015, Visa has a liability shift scheduled--if a fraud could have been prevented by EMV, then the merchant is liable. The biggest expense to migrate is borne by merchants--those little EMV terminals are not cheap and there has been a lot of pushback on that date. I suspect the good that will come out of these recent large breaches is that the date will stick after all. "Right Now" is not likely to happen. But perhaps "As Scheduled" might.

And yes, the whole world but the US converted, long, long ago. Wet chips, scratched chips, all seem to be quite manageable. But open track data with open transactions is not.

[1] http://ap-gfkpoll.com/featured/ap-gfk-poll-breaches-not-changing-peoples-habits
The cost is not the new cards, it barely costs more than postage for a new card to upgrade a card to EMV. The cost is upgrading every POS terminal to accept them. That is huge, and perhaps almost neck and neck with with current cost of fraud.

You can get EMV cards in the US from most card providers if you ask.
I can make a couple of points here. First of all, upgrading is far more than replacing cards. All point-of-sale terminals need replacement. I have seen cost estimates of 10bn$ for the entire U.S. Merchants and banks didn't want to bear the cost, and each wanted the other to pay for it. And it isn't just replacing the terminals - lots of backoffice things need to be upgraded to be able to handle EMV transactions, and there is tons of testing and verification that needs to happen. But it sounds like merchants are suddenly finding religion on this - they realize that there can be huge stains to their reputation in addition to legal liabilities if their POS terminals become infected.

The banks in the U.S. who do issue EMV cards tend to issue chip-and-signature instead of chip-and-pin. Which works just fine in Europe - the handheld devices they use over there can deal with either one. The problem you might face is at an unattended kiosk of some sort (say you want to rent a "Boris-bike" bicycle in London, you apparently need a c&p card. Didn't try when I was there, so I don't know if that's a real problem). The card I have came from BofA, but I had to call and ask for it. Not all flavors of cards from BofA suppoprt EMV yet. I also called Amex, and they said it was not yet available for the flavor of the card I have (Delta skymiles).

There is also a little retraining of both customers and clerks. EMV transactions work a little differently - you don't just swipe the card through. You stick the card in the machine, and it needs to stay there for 10-15 seconds until the transaction is complete.

As tempting as it is to advocate EMV cards, I would say that it is necessary but not sufficient. Clearly there are other problems at some of these merchants which allow the bad guys to get in. Using EMV might make it impossible for the crooks to get credit card info from your point of sale terminals, but if the bad guys are in your network they will look for something else that they can monetize. I would say that in *addition* to EMV, that additional measures need to become both routine and required to ensure that unauthorized people cannot gain access to the network. Two-factor authentication comes to mind as one thing that should be mandatory, but I think there were other flaws at Target which contributed to the mess there. They haven't been very forthcoming about what really went on, so we can only sort of guess what types of flaws enabled this attack to happen.

I should add that EMV cards are ISO 7816 compliant, meaning that the contact patterns and electrical specs on the credit cards match the specs on a smartcard that can be used for Windows logon. I stuck my credit card in the smartcard slot on my laptop and was able to read off some amount of the data that is stored there in the EMV chip.
Oddly enough, everyone here is more concerned about a card that one chooses to get, instead of the one we must get. Look how much "security" your "paper card" with 9 digits has on it. Start there and all the other children will fall into place.

[quote]I should add that EMV cards are ISO 7816 compliant, meaning that the contact patterns and electrical specs on the credit cards match the specs on a smartcard that can be used for Windows logon. I stuck my credit card in the smartcard slot on my laptop and was able to read off some amount of the data that is stored there in the EMV chip.[/quote]

Exactly!!! For those that have actually worked with ISO 7816 technology, it is not a "utopian" solution. Move to RFID or laser scanning.. Have not heard of many "3D" postage stamps being hijacked.
I have a chip and signature card, and every time a merchant has a terminal with an appropriate slot, I try to use it. So far, it has not worked once because the cashier doesn't understand or the cash register software doesn't support it. At the grocery store, I was told to just swipe it because "that slot's for WIC." I suspect the level of WIC fraud in Texas is much, much lower than the incidence of credit card fraud. At Office Depot, they want the card ID for my Amex, but their register doesn't support chip and signature (although the terminals do have the slot).

I suspect that the biggest part of the issue will not be replacing the terminals, but replacing the POS software and retraining the employees.
From above: "however smart-chips that use mechanical contacts to pull the data have a greater failure rate."

Um, not so. We've been using Chip and PIN credit cards in Canada for at least half a dozen years now.

I use my credit card at least 100 times a month, and I've yet to have had any failure in reading the chip. (No, I refuse to use the RFID feature of the card - so I can have verifiable deniability.) The gold plating is a little worn/polished, but no worse than the plastic surface of the card. Bonus: you're not leaving valid sample of your signature everywhere.

Really, I'm astonished that you'all in the 'States aren't already using this.

Diary Archives