Column

Chip and PIN adoption serves lesson for U.S. payment industry

Eric Ogren

    Requires Free Membership to View

SearchSecurity.com:
To get security news and tips delivered to your inbox, click here to sign up for our free newsletter.

First Data Corp. and RSA, the security division of EMC Corp., are the latest major companies working together to encrypt credit card data at the point-of-sale device. This early encryption approach, also offered by other vendors, including ProPay Inc. and Merchant Warehouse, can lower the technical costs of Payment Card Industry Data Security Standard (PCI DSS) compliance, as well as the legal risk of disclosure notifications and the risk of mass information loss. It is a proactive approach that retailers should be evaluating.

But while U.S.-based payment processors focus on end-to-end encryption, the UK, France and other European countries are finding some success in reducing fraud by deploying chip and PIN technology. There are initial costs. The process focuses on replacing traditional credit card terminals with smartcard technology. Banks must reissue credit cards with embedded chips that authenticate using a PIN. The process helps verify a card as authentic by checking the PIN a customer enters against the PIN stored on the card.

Chip and PIN technology:
How secure is the Chip and PIN card system? In this SearchSecurity.com Q&A, identity management and access control expert Joel Dubin discusses the Chip and PIN card system.

Cybersecurity hearing highlights inadequacy of PCI DSS: Lawmakers call the PCI standard lacking and seek significant improvements to the payment processing infrastructure to enhance security. 

Security expert's PCI analysis misguided, says PCI Council GM: The PCI Council asserts that everyone in the payment chain should play a role to keep payment information secure, says Bob Russo, general manager of the PCI SSC. 

Last month I had harsh words for the effectiveness of the PCI standard's efforts. My major issue with PCI DSS is that it imposes a wide range of security technology and process requirements on the retailer, credit card processor, and bank supply chain without regard to the unique needs of each business, and without the credit card industry recommending commensurate changes for an insecure business process. Considering, institutions are taking initiatives with pilot security programs, particularly leveraging European experiences with early encryption.

Chip and PIN represents one such area of innovation that uses the application of cryptography at the card swipe as a possible solution to data loss at retail sites. If the remote site does not have sensitive data in clear text, its security burden is dramatically lessened. As we have seen from the Gonzalez indictment, retail outlets create a massive attack surface for payment cards and are easily accessible by hackers.

Fraud data compiled from the UK Payments Administration based on chip and PIN credit card technology introduced in 2004 suggests success with credit card theft at the point of sale, with implications that could map to potential compensating controls approaches in the US. The figures compiled by the organization show the costs associated with lost or stolen card fraud dropping from about $185 million in 2004 to about $88.1 million in 2008.

Banks deploying chip and PIN card technology have made mistakes that could be corrected before point-of-sale encryption takes off in North America. For one, applying password guidelines to PINs would make it more difficult to use a stolen card number. It is surprising that the credit card folks would be non-compliant with their own PCI DSS standard by allowing four-digit PINs. If an attacker tried the last four digits of the persons telephone number, they would probably be right half the time. But I digress. The data does indicate that encrypting data at the swipe has a positive impact on credit card security.

PCI DSS compliance targets businesses that have large databases of credit card information, such as card processors and large merchants. However, PCI DSS is not a total panacea for credit card fraud and does not address fraud of transactions where a card is not used (e.g. Web and telephone transactions), which is a huge business problem for the credit card industry. Security vendors such as RSA and First Data are to be commended for teaming up to find a more secure process for conducting credit card transactions.


Eric Ogren is founder and principal analyst of the Ogren Group, which provides industry analyst services for vendors focusing on virtualization and security. Prior to founding the Ogren Group, Eric served as a security industry analyst for the Yankee Group and ESG. Ogren has also served as vice president of marketing at security startups Okena, Sequation and Tizor. He can be reached by sending an email to eric@ogrengroup.com.


There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: