Digital Transactions Authoritative, insightful and timely information for payments professionals
The huge data breach at Target Corp. and now one at upscale department store Neiman Marcus Group and possibly other retailers has introduced many Americans to the term “EMV” and the possibility that more secure Europay-MasterCard-Visa chip cards will replace vulnerable magnetic-stripe credit and debit cards in the United States. But some security and merchant-acquiring executives caution that EMV cards and compatible point-of-sale terminals alone would not have prevented a Target-style breach and that point-to-point data encryption is the answer. Chip card supporters, however, claim encryption alone ignores EMV’s biggest security benefits.
Security experts say data still can be transmitted unencrypted, or in plain text, during an EMV transaction. Much of the data is the same information fraudsters intercept from mag-stripe cards, including the primary account number (PAN), card expiration date, and cardholder name. But EMV proponents say any such data would be useless to hackers.
EMV was designed in Europe about 20 years ago as a standard for the chip card and the terminal to authenticate themselves to each other. At the time, most European card transactions were offline, or not authorized in real time as most are in the U.S. via telecommunications links connecting the merchant’s terminal, via processors and the card networks, to the card issuer’s computers.
“The whole thing EMV is attempting to cut out is the ability to make a new card,” says Bob Lowe, vice president of business development at Shift4 Corp., a Las Vegas-based gateway provider.
But connect any POS terminal—mag-stripe or EMV—to the Internet and you introduce the possibility of hackers capturing card data unless the information is encrypted immediately upon swipe (or tap or “dip” with chip cards) and not decrypted until arriving at a secure place outside the merchant environment. Although the links in the payment-processing chain where data move unencrypted have shrunk over the years, vulnerable plain-text points remain, say Lowe and others.
“The same controls that would keep the data safe in an EMV world would also keep the data safe in a non-EMV world,” said Branden R. Williams, executive vice president of strategy in the U.S. office of Dublin, Ireland-based security-technology provider Sysnet Global Solutions, in a recent blog post. “So, the stock answer is no, EMV by itself would not have prevented the Target breach.”
“It’s not a security panacea,” adds Mike English, executive director of product development at merchant acquirer Heartland Payment Systems Inc., Princeton, N.J. “As the mag stripe does, it needs encryption at the earliest possible point, and tokenization.”
Heartland should know. The data breach it reported in January 2009 remains the biggest ever, with 130 million cards compromised. As part of its recovery strategy, Heartland developed its own line of end-to-end encrypting terminals and peripherals called E3. More than 50,000 Heartland merchants use E3 equipment, says English. Heartland will cover an E3 merchant’s full costs should it sustain a data breach. The tokens included in Heartland’s system provide merchants with one-time-use data strings that stand in for real card information during chargebacks or sale reversals, and multi-use tokens for recurring payments and loyalty programs, says English.
Where and why some data still move in plain text is complicated. The terminal may need to decrypt card information in order to pass it to a store’s POS controller or workstation, the next link in the chain, in a format the workstation can read, according to Lowe. Most formats are non-encrypted, he says. Farther down, encrypted data might be decrypted for submission into the switch linking the merchant to its processor. For true security, “the point is that decryption is not done in the merchant environment,” says Lowe.
But Randy Vanderhoof, executive director of the Princeton Junction, N.J.-based Smart Card Alliance trade group and director of the EMV Migration Forum, says by email that “EMV data is not the same data that fraudsters intercept from mag-stripe cards.” He says mag stripes contain a static card-verification value (CVV, also known as a card-verification code, or CVC), while the EMV card replaces those codes with a dynamic (changing) security code known as the iCVV. “If this information were copied and cloned onto a counterfeit card, it would not clear the online authorization process,” says Vanderhoof. “Once the majority of merchant transactions at a retailer are EMV, there will be little value to be gained by such a data breach because the data would have little value to criminals.”
Encryption at the point of sale adds some security against stolen payment data being used in card-not-present channels where retailers aren't using additional security controls such as the CVV2 code printed on the card, which is different from the one on the mag stripe, and the card networks’ address-verification services, says Vanderhoof. But he continues: “Encryption adds no security benefit to prevent counterfeit fraud. It is another security feature, but it comes with added cost and complexity for retailers. It is not a substitute for EMV.”
n
n
Minneapolis-based Target on Monday took out full-page advertisements in major newspapers apologizing for its breach that now might affect up to 110 million consumers. In the ad, Target said it would “accelerate the conversation—among customers, retailers, the financial community, regulators and others—on adopting new, more secure technologies that protect consumers.”
Card issuers are increasing the pressure on merchants for better security. The Credit Union National Association (CUNA) trade group said in a statement that it contacted leaders of the U.S. Senate’s Banking Committee and the House Financial Services Committee to encourage them to “fully examine the chronic issue of merchant data breaches, their impact on consumers and financial institutions.”
