Despite low current EMV (Europay, MasterCard and Visa) adoption numbers following yesterday's official EMV liability...
shift date, many in the industry maintain a positive attitude.
Visa Inc. found that as of Sept. 15, 2015, 151.8 million Visa chip cards had been issued. While this is a mere 22% of total Visa cards in the market, it is a far cry from the 20 million cards that had been issued as of a year ago. Visa expects this more than 655% increase in a year's time to grow dramatically in the future.
Likewise, Visa said the number of chip-enabled, point-of-sale (POS) terminals increased more than 470% over the past year -- from 55,000 in September 2014 to 314,000 last month. Visa also noted small businesses account for 50% of Visa's chip payment volume.
MasterCard Inc. reported that 40% of its cards were chipped, and 350,000 of its U.S. merchant locations accept chip-card payments. The company also noted it has seen a 446% increase in chip transactions in August 2015 from August 2014.
Randy Vanderhoof, executive director of the Smart Card Alliance and the EMV Migration Forum, said 200 million EMV cards have been issued to date, a number almost equal to the adult population of the United States. Vanderhoof also noted that large payment card issuers have issued cards to their highest transaction and value customers already, so those that use their cards most often will be adequately protected.
Stephanie Ericksen, vice president of global risk products at Visa, based in Foster City, Calif., said 57% of consumers have at least one chip card in their wallet -- if not more -- due to the average person having more than one credit card, a promising stat.
The country, Vanderhoof said, has made "tremendous progress" in EMV adoption, especially as it has one of the most complex, diverse, uniquely challenging and large payment markets in the world.
Current estimates are still low, however, showing only 27% of U.S. merchants are currently able to process chip-enabled cards. Despite the low stat, Ericksen said Visa is "very encouraged by what we have seen at this point in time" and expects "many more" merchants to become EMV-enabled throughout the months of October and November, as the holiday season approaches.
Vanderhoof also called the number of merchant EMV-enabled terminals "encouraging," noting that large retailers have reported a "significant number" of chip-on-chip transactions currently taking place.
Ericksen added that the U.S. has already issued more chipped cards than any other country in the world, essentially going from worst to first.
"We're extremely encouraged by the steady rise in chip cards," Ericksen said. "Every card and merchant terminal that is upgraded to chip in the next few years will be a step closer to better protecting the security of the payments network."
And it's likely that EMV adoption will indeed take years -- but card issuers and organizations are well aware of this fact.
Ericksen said by drawing on other countries' experiences, Visa estimated it would take an additional two to three years for 70% of transactions to be completed by chip cards and terminals, and another couple of years to reach the 90% mark.
Vanderhoof concurred with Visa's assessment.
"We don't consider Oct. 1 to be a significant date, other than that it is a milestone when merchants and issuers were expected to be ready," Vanderhoof said. He anticipates EMV adoption to continue steadily over the next few months and into 2016.
"We see this as a long-term process moving forward towards making the payment process more secure," Vanderhoof said.
The Payments Security Task Force is even more optimistic than Visa and Vanderhoof about EMV adoption; it estimated the number of chip cards in the U.S. to grow to 60% by the end of the year and reach 98% by the end of 2017. It also forecasted the number of EMV-enabled POS terminals to reach 40% by the end of the year.
In other news
- Google Project Zero team member James Forshaw found two new vulnerabilities in driver TrueCrypt installations in Windows, which could potentially allow an attacker to achieve escalated privilege from a limited user access account. While TrueCrypt unexpectedly closed its doors in April 2014, its source code is still widely used by many forks of the cryptographic library, including VeraCrypt, which said it was told about the flaws privately in September. VeraCrypt 1.15, released last week, patched the two issues, which affect the software running on all versions of Windows. The attacks involved abusing drive letter handling and incorrect impersonation token handling. Forshaw, who is not disclosing details until the patch has been released for seven days, said Windows drivers are "complex beasts," and that it is easy to miss local elevation of privilege flaws. He maintains his bugs were not intentionally added, nor are they backdoors. TrueCrypt underwent a two-part audit over the past year, and while no high-severity issues or evidence of intentional backdoors were found, Forshaw said, "No matter how much you audit, bugs can still sneak through."
- Researchers from Worcester Polytechnic Institute in Worcester, Mass., published a paper this week, detailing a proof-of-concept attack in which an Amazon Web Services Elastic Compute Cloud (EC2) instance could recover the entire 2048-bit RSA key used by a separate EC2 instance on the same chip. Titled Seriously, get off my cloud! Cross-VM RSA Key Recovery in a Public Cloud, the report explained how researchers worked off a prior key-recovery attack on colocated VMs from 2009 and were able to "target a recently patched Libgcrypt RSA implementation by mounting cross-VM prime and probe cache attacks in combination with other tests to detect colocation in Amazon EC2." The researchers wanted to demonstrate that "even with advanced isolation techniques, resource sharing still poses a security risk to public cloud customers that do not follow the best security practices." The researchers disclosed the flaw to Amazon in June, and Libgcrypt patched its open source cryptographic library last week to fix the issue. The researcher's side-channel attack, however, requires cooperation from the "victim" EC2, as well as the use of an unpatched cryptographic library. The researchers noted in the report that "the results urge providers of cryptographic libraries to update their code to ensure that cache-based leakages no longer are exploitable," and also hope their work "reaffirms the privacy concerns and underlines the need for deploying stronger isolation techniques in public clouds."
- The number of women in the information security field is holding steady at 10%, according to a new report released Wednesday by (ISC)2 Inc., based in Clearwater, Fla. While the number of women in the industry is indeed growing by volume, the report noted it is only doing so at the rate of industry growth as a whole. "Attracting more women into the infosec profession would lessen the workforce shortfall," the report reads, yet the percentage has remained "stubbornly stagnant" for the past two years, after falling from 11% in 2013. Women in Security: Wisely Position for the Future of InfoSec did report that women are more significantly represented in the GRC role; one in five women works in GRC, while only one in eight men do. Of the 22% of women in leadership roles, however, only 9% hold the position of CEO and only 4% are CIOs. The report also found that 29% of women in infosec are over 50, the average age of a woman is 44.6 years, and 36% of women have 16 or more years in the industry. Twenty-six percent of their male counterparts are over 50, with the average age of 43, and only 28% have more than 16 years in the industry. The survey, which polled 13,930 professionals, also found 58% of women have advanced degrees versus 47% of men.
Is chip and PIN and panacea for payment security? Find out here