
Will Chip and PIN technology boost payment card transaction security?

Visa and MasterCard are putting pressure on merchants to implement Chip and PIN technology, and while it will improve transaction security, it won't make PCI compliance any easier.

Chip and PIN technology (also known as EMV) may be poised for a breakout year in 2015, thanks to surging interest from retailers and an impending deadline that will thrust new liability on merchants that don't implement the technology soon.

SearchSecurity recently spoke with Avivah Litan, vice president and distinguished analyst with Stamford, Conn.-based research firm Gartner Inc., about her recent research on the security and compliance ramifications of Chip and PIN technology.

On EMV, give our readers the background on the upcoming October 2015 fraud-liability deadline. What does that deadline mean, and how is it affecting EMV implementations?

Avivah Litan: Basically the EMV liability-shift deadline, which takes place Oct. 1, 2015, is an indirect incentive from the card brands for merchants and banks to get on the EMV chip bandwagon. In some countries there were mandates, but with the U.S. market and most other markets, it's a liability shift. What that means is whoever has the least amount of security after that date -- the card issuer, the acquiring bank, the transaction processor, and potentially the merchant -- bears the liability should a fraudulent transaction take place. So if someone walks into a retailer with a chip-enabled card and the merchant doesn't have a point-of-sale system to accept the chip, the merchant may be responsible for any fraud that occurs as a result of that transaction.

Similarly, if the merchant has Chip-and-PIN-compatible terminals and the consumer doesn't have a chip-enabled card, then the bank that issued the card has to eat the cost of any fraud that occurs as a result of the mag-stripe transaction. So it's an indirect incentive for banks and merchants to implement Chip-and-PIN-based systems.

The EMV Migration Forum, a smart card advocacy group, estimates that by the end of next year there will be 9 million EMV-enabled payment terminals, and as many as 900 million chip cards. First, do you accept those projections, and how will EMV technology ultimately affect merchants' ability to keep payment data secure?

Litan: I don't have projections of my own, but just look at what's happened around the world. If you go to the EMVCo site, it says less than 30% of transactions are EMV-enabled today, and less than 40% of the payment terminals are EMV-enabled, so it's been a pretty slow haul. Obviously the impending adoption in the U.S. will change the equation quite a bit, but in other countries it's not like it's all hunky dory with EMV chip transactions either. It takes a while for these systems to roll out.

I'd say it'll be another 5 to 7 years until we see 85% of transactions that are "chip on chip," that is, a Chip and PIN card on a chip-enabled terminal. Until we get to that point, merchants still have to secure their systems the way they do today. It'll still be mag-stripes being processed, merchants still have to accept those cards, and a lot of criminals will benefit from it. So nothing's really changing in the short term.

An ongoing topic of debate is whether EMV transactions involving cards that aren't PIN-enabled are any more secure than mag-stripe transactions. What's your take, and in the long term do you think the banks will stave off broad implementation of PIN-based credit cards?

Litan: I think EMV without PINs is much more secure than mag-stripe, but EMV with PINs is even more secure. Based on data from the Federal Reserve Board [in a 2013 report], there is a 700 percent reduction in fraud with PIN-based transactions vs. signature-based ones. That's a huge benefit. I don't understand why the U.S. isn't moving to Chip and PIN, but EMV transactions are clearly much more secure than mag-stripe.

So it seems the reduction in transaction fraud represents an obvious incentive for banks to support Chip-and-PIN. Why are they dragging their feet?

Litan: I have two views about it. One, they don't want to disrupt the customer experience. They're afraid that because customers aren't used to PINs on credit cards, they won't remember them, they'll have to reset them, etc. I don't really agree with those arguments. In Canada, the banks there didn't want to support Chip and PIN because they had the same concerns, but they eventually did and consumers had no problems using them and remembering their PINs.

The other issue is that if there are PINs in play, the banks fear those PINs will be stolen and used to commit ATM fraud. The banks worry most about that because they can't reverse ATM fraud to any merchant; the ATM is the bank, it's bank money, so they would have to reimburse consumers for those losses. So because PINs can be stolen in many different ways -- skimming, shoulder surfing, etc. -- I don't think the banks want the ATM fraud liability that widespread use of Chip and PIN technology might bring.

That brings me to your recent research note, in which you mention that attackers have taken advantage of poor implementations of EMV chip-based payment applications, committing extensive fraud that defeats EMV controls. What in particular concerns you?

Litan: EMV itself is a very strong protocol from a security standpoint, but it boils down to the way it's implemented; you're only as strong as your weakest link. There are cases where the banks aren't validating the EMV transaction data coming through to them. They assume it's OK, so they aren't validating the cryptograms and one-time counters, and the criminals are taking advantage of that. They're rewiring the transaction systems and sending dummy, fraudulent transactions.
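As an added illustration (not from the interview or any issuer's code) of the issuer-side checks Litan says are being skipped, the following Python sketch verifies a transaction's cryptogram and rejects any authorization whose counter does not advance. The card master key, PAN and transaction values are constructed test data, and the HMAC-SHA256 derivation stands in for EMV's 3DES-based cryptogram scheme.

```python
import hmac
import hashlib

# Constructed issuer-side state (test PAN and key; not real EMV personalisation data)
ICC_MASTER_KEYS = {"4111111111111111": bytes.fromhex("00112233445566778899aabbccddeeff")}
LAST_ATC = {"4111111111111111": 41}   # highest Application Transaction Counter seen so far


def session_key(master_key: bytes, atc: int) -> bytes:
    """Derive a per-transaction key from the card key and ATC.
    Simplification: EMV derives session keys with 3DES; HMAC-SHA256 is used here."""
    return hmac.new(master_key, atc.to_bytes(2, "big"), hashlib.sha256).digest()


def generate_arqc(master_key: bytes, atc: int, amount: int, currency: int, un: int) -> bytes:
    """What the chip does: MAC the transaction data under the session key.
    The terminal's unpredictable number (un) binds the cryptogram to this request."""
    data = (atc.to_bytes(2, "big") + amount.to_bytes(6, "big")
            + currency.to_bytes(2, "big") + un.to_bytes(4, "big"))
    return hmac.new(session_key(master_key, atc), data, hashlib.sha256).digest()[:8]


def issuer_validate(pan: str, atc: int, amount: int, currency: int, un: int,
                    presented_arqc: bytes) -> tuple[bool, str]:
    """Issuer-side authorization check: the cryptogram must verify against the
    issuer's copy of the card key AND the ATC must strictly increase."""
    master_key = ICC_MASTER_KEYS.get(pan)
    if master_key is None:
        return False, "unknown card"
    expected = generate_arqc(master_key, atc, amount, currency, un)
    # Constant-time comparison; a mismatch means forged data or a tampered amount
    if not hmac.compare_digest(expected, presented_arqc):
        return False, "cryptogram mismatch"
    # A counter that does not advance indicates a replayed or fabricated transaction
    if atc <= LAST_ATC.get(pan, -1):
        return False, "stale or replayed ATC"
    LAST_ATC[pan] = atc
    return True, "approved"
```

Skipping either check is the gap described above: without the cryptogram check, "dummy" transactions with made-up data are accepted, and without the counter check, a captured genuine transaction can be submitted again.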

On the merchant side, it's not possible to "turn off" mag-stripe transaction support until everyone is on board with EMV. In turn, the criminals have created malware that prompts the user, when they attempt a Chip and PIN transaction, to enter their mag-stripe data first, and then prompts the user to put in their PIN.

Keep in mind this malware has nothing to do with "breaking" EMV; it's just breaking the payment applications by exploiting the way they're implemented, compromising them to get them to do what the criminals want them to do, namely steal customers' payment data. Those are just two specific examples, and there are probably going to be more.

What effect does EMV technology have on merchants' PCI DSS compliance efforts? Is there any benefit?

Litan: There's definitely a benefit with EMV when it comes to payment card data security. When there are enough EMV transactions taking place out there, it'll be harder for criminals to find mag-stripe data to create counterfeit cards with. It doesn't do anything to alleviate PCI compliance burdens in the short term, but long term it will. Hopefully someday there won't be any more mag-stripe data to protect. Instead there will be EMV data to protect, and that'll be simpler.

In the short term, liability issues aside, for merchants considering additional technology investments to prevent payment card data breaches, does EMV make sense?

Litan: Yes, EMV makes sense for Visa and MasterCard cards. It is a much stronger protocol from a security angle than the protocol used on magnetic stripe cards.

Separately, I have to ask you about Apple Pay. Do you think it's the game-changer for payment data security that some believe it is?

Litan: I don't think it's a game-changer because it just perpetuates the Visa/MasterCard payment ecosystem, but it is a major incremental improvement over mag-stripe cards. The payments are significantly more secure and easy for consumers to use.

Finally, what PCI DSS trends are you most closely watching this year?

Litan: In addition to the way criminals have taken advantage of poor implementations of EMV chip payment applications, there are a few other trends I'm watching. EMV tokens, as first implemented by Apple Pay and the payment card networks, are based on different protocols than the tokenization systems merchants use to limit the scope of PCI audits, leading to potentially conflicting token implementations. I hope to see more momentum around development of a tokenization standard that works equally well for merchants, card issuers and all payment ecosystem players. I also hope to see more transparency for merchants regarding EMV token protocols and their BIN ranges, as well as a viable method for identifying unique customers so merchants don't have to rely on card numbers.


7 comments


How will the rollout of Chip and PIN technology affect payment card security?

There has been much discussion of implementing "Chip and Signature" as opposed to Chip & PIN here in the US. The Associations appear to be in favor of this, whereas there is some opposition from the retailers. I suspect a retailer implementing Chip and Signature will not assume liability for fraud in October.

Thanks for the comment, Rod. My understanding, based on the Visa guidance (http://usa.visa.com/download/merchants/visa-merchant-chip-acceptance-readiness-guide.pdf), is that the liability deadline is about replacing mag-stripe transactions with chip-enabled transactions. The second factor in the transaction (be it a signature or a PIN) is of some concern, and obviously a PIN would be more secure, but the goal of the shift is to get away from unencrypted payment data ever being processed at the point of sale. As we've seen with Target, Home Depot, and other large-scale breach incidents, that's the single point of failure that POS malware continues to exploit.

Yes, I agree. As I understand it, the Target breach occurred as a result of malware (introduced into the POS terminal via the server) capturing input to the POS terminal before it was encrypted. I hope the POS terminal manufacturers are addressing this issue, irrespective of whether the 2nd factor is PIN or signature.

I am not sure whether the PIN is a more secure 2nd factor than a secure authentic signature, captured at POS, which can be used after the fact to satisfy requests for copy.

Chip and PIN technology has been in use now for many years in Europe yet has been slow to catch up here in North America. For our credit card payments the Chip and PIN technology will greatly enhance the security of our system. With this increased security comes reduced loss due to fraudulent purchases, hacking for personal information of the customers, and the ability to offer credit card transactions using the most secure system available.

I found this article to be an informative analysis of the security differences between Chip and PIN and Chip and Signature.

It'll most definitely provide a security boost, but there's no such thing as an unbreakable security protocol, especially if it becomes widely adopted.
