Today's New Payment Card Security In A Nutshell

Businesses taking their time rolling out EMV card-compatible terminals are putting their data security and financial well-being at risk.

Chet Wisniewski, Senior Security Analyst, Sophos

February 17, 2016


Credit card fraud is a serious issue. According to the 2016 Identity Fraud Study released earlier this month by Javelin Strategy & Research, the number of identity fraud victims increased by three percent (13.1 million consumers) in the US last year, and the total amount stolen was $15 billion. Thieves have stolen more than $112 billion in the past six years.

One way financial institutions are fighting back is by issuing EMV (Europay, Mastercard and Visa) or “chip” cards, which feature an embedded chip to provide a higher degree of fraud protection than older cards that only utilize magnetic stripes. Every time an EMV card is used for payment, the card chip creates a unique transaction code that cannot be used again.

This will not prevent data breaches on the scale we’ve seen over the past two years, but it will better protect personal information. If a hacker steals chip information from one specific point of sale, the standard practice of duplicating the card will not work because the stolen transaction number created in that instance cannot be re-used.
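As an added illustration (not code from the article, and a deliberately simplified model rather than the real EMV cryptogram algorithm), the following Python shows why a captured chip transaction code cannot be reused: the card's transaction counter and the terminal's challenge go into a keyed MAC that the issuer verifies, and any counter value already seen is rejected. The key, counter width and message layout are constructed assumptions.

```python
import hmac
import hashlib

# Simplified model of the idea above, NOT the real EMV cryptogram algorithm:
# the chip holds a key shared with the issuer and an Application Transaction
# Counter (ATC) that only goes up. Each payment MACs the counter plus the
# terminal's challenge, so a captured code is good for that one transaction.

CARD_KEY = b"constructed-demo-key-not-a-real-card-key"  # constructed sample

class ChipCard:
    """Simulated chip: one secret key and an ever-increasing counter."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.atc = 0

    def generate_cryptogram(self, amount_cents: int, nonce: bytes) -> dict:
        self.atc += 1  # counter never repeats, so neither does the code
        data = self.atc.to_bytes(2, "big") + amount_cents.to_bytes(4, "big") + nonce
        mac = hmac.new(self.key, data, hashlib.sha256).digest()[:8]
        return {"atc": self.atc, "amount": amount_cents, "nonce": nonce, "mac": mac}

class Issuer:
    """Simulated issuer host: verifies the MAC and rejects reused counters."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.last_atc = 0

    def authorize(self, msg: dict) -> bool:
        data = msg["atc"].to_bytes(2, "big") + msg["amount"].to_bytes(4, "big") + msg["nonce"]
        expected = hmac.new(self.key, data, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(expected, msg["mac"]):
            return False  # forged code or altered transaction data
        if msg["atc"] <= self.last_atc:
            return False  # replay: this transaction code was already spent
        self.last_atc = msg["atc"]
        return True

def replay_demo() -> tuple:
    """Returns (first_use_ok, replay_ok, tampered_ok, next_genuine_ok)."""
    card, issuer = ChipCard(CARD_KEY), Issuer(CARD_KEY)
    msg = card.generate_cryptogram(4999, b"\x01\x02\x03\x04")
    first = issuer.authorize(msg)
    replay = issuer.authorize(dict(msg))  # the same code presented again
    tampered = issuer.authorize(dict(msg, amount=1))  # amount changed, MAC kept
    second = issuer.authorize(card.generate_cryptogram(1500, b"\x05\x06\x07\x08"))
    return first, replay, tampered, second
```

The genuine first and second transactions are accepted; the replayed and the altered copies of the first code are refused, which is the property the article is describing.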

Merchants -- not banks -- now liable for payment card fraud

The primary driver for the issuance of cards with cryptographic chips is to reduce point of sale fraud using stolen card numbers. Card processing companies such as MasterCard, Visa, and American Express set an Oct. 1, 2015, deadline for businesses to install payment terminals that are able to accept smart card payments. That deadline has passed, so now it’s the merchants that face financial liability unless they upgrade to EMV-compliant payment terminals.

While those businesses that have not installed EMV card-compatible terminals risk being held liable for fraud, they’re not breaking any laws or facing any financial penalties for non-compliance. So the pace at which EMV cards are rolling out to consumers and being accepted at businesses has been slow.

The PULSE 2015 Debit Issuer Survey found that while 90% of financial institutions have begun issuing EMV debit cards or will do so by the end of the year, only 25% of US debit cards (about 71 million cards) will be chip-equipped by the end of this year. The number is expected to rise to 73% by the end of 2016 and 96% by the end of 2017, according to CreditCards.com.

Nevertheless, this forced adoption of cards in the US has rekindled the debate over their efficacy in combatting fraud, finger pointing over liability, and the resistance of card issuers in the US to adopt a PIN rather than stick with the signature verification method in use since the introduction of credit cards in the 1950s.

A brief history of PIN versus signatures

A standard credit card has your name, expiration date, and PAN (Personal Account Number) embossed on the front and a CVV/CVC (Card Verification Value/Card Verification Code) printed on the back. It also contains a magnetic stripe with all of that information except the visible CVV/CVC. Instead, the stripe contains a separate, secret CVV/CVC that can only be read from the stripe.

Early fraudsters only needed the card holder's name and PAN to make a bogus purchase over the telephone or through mail order. The CVV in the stripe was added to make it more difficult to copy a card with only what is visible, and the CVV2 (the one printed on the card) made it more difficult to steal the magnetic stripe information and commit CNP (Card Not Present -- like Internet and telephone shopping) crimes.

The cheap price and ubiquity of modern electronics has made both of these security features irrelevant, prompting the card industry to move forward with the modern EMV standard in an attempt at reducing card fraud with minimal inconvenience. Both “chip” cards and tap-and-pay cards comply with specifications defined by EMV.

Implications for the enterprise

So, yes, smart cards are more secure than the traditional magnetic stripe-only cards. If you are responsible for information security at your company, your first order of business should be to install point-of-sale terminals that can accept both chip and tap-and-pay cards, as well as mobile devices such as smartphones and smartwatches that include similar Near Field Communications (NFC) technology.

Even with these new terminals installed, you have not eliminated the risk of fraud. For signature transactions, instruct employees to continue to verify customers’ photo ID. You must also be ready for an increase in online fraud as thieves, discouraged by an inability to use physical cards in stores, will turn to using stolen card numbers on your e-commerce sites. The Aite Group found that in the United Kingdom, online fraud -- known in the industry as "card not present," or CNP, fraud -- rose 79 percent in the first three years after the country switched to chip cards, and it more than doubled in Australia and Canada.

What will not change is hackers’ resolve to steal financial information, or the fact that they grow more sophisticated and insidious every year. Despite the cost involved in upgrading PoS systems and replacing magnetic stripe cards, the improvement in data security and reduction in liability will be dramatic.


About the Author

Chet Wisniewski

Senior Security Analyst, Sophos

Chester "Chet" Wisniewski is a senior security advisor at Sophos with more than 15 years of experience in the security industry. In his current role, Chester conducts research into computer security and online privacy with the goal of making security information more accessible to the public, the media and IT professionals. Chester frequently writes articles for the award-winning Naked Security blog, produces the weekly podcast "Sophos Security Chet Chat," and is a frequent speaker at conferences and in the press.

