Posts Tagged ‘Chip and PIN’

05 Feb 2012

Why The Push For EMV Adoption In The United States?

Have you noticed all of the press lately regarding the Europay, MasterCard and Visa (EMV) card coming out of Visa?  It has been very hard to miss.  As a result, I started wondering about the purpose of this full court press for EMV.

Before getting into my post, I need to be clear that, in Visa’s usage, EMV refers only to the chip in the card and not to a PIN.  In the past I have gotten a lot of feedback from Visa when I referred to EMV as “chip and PIN,” even though the world almost universally refers to EMV that way.

With that disclaimer, since last August, Visa USA has been making a concerted effort to get merchants to adopt EMV.  Just a week or so ago, there was another push by Visa USA to entice merchants to support EMV.  So what is the driver behind this push?  That is the $64,000 question and the more you talk to processors and merchants, the more confusing it gets.

Merchants are just as puzzled as I am regarding Visa USA’s EMV push.  A number of large merchants I have spoken with do not see the point, as they refreshed their card terminals and POS equipment over the last three years and there is no way they are going to swap all of that new gear for EMV-capable equipment.  These merchants are not even looking at contactless terminals.  Such an equipment swap this soon would not be cost effective.

But merchants question what EMV would do for them.  EMV was developed in response to the fall of the Iron Curtain when fraud ran rampant in Europe.  Credit cards were being cloned at an obscene rate and card present fraud was huge.  When EMV was fully implemented, card present fraud in Europe went to levels close to or a little lower than in the United States and EMV card present fraud has remained around those rates since.  Given where card present fraud rates are currently in the United States, introducing EMV would have a limited effect on card present fraud and that would not be enough to offset the costs of implementing EMV or contactless terminals.

So if it is not card present fraud, it must be card not present fraud that Visa USA wants to address, right?  Card not present fraud, particularly on eCommerce Web sites, is running almost out of control.  I would like to say that this increasing fraud rate is the reason for Visa USA’s push.  However, EMV does nothing to address the rapidly rising rates of card not present fraud.  For EMV to address card not present fraud, there would have to be some sort of interface that produces codes, single use transaction numbers or similar that the consumer could use online.  No such solution exists, so card not present fraud cannot be the driver either.

Back in August, Visa USA announced that merchants using EMV or contactless could avoid filing a PCI Report On Compliance (ROC) with Visa USA, so that must be the reason for the push.  But at last September’s PCI Community Meeting in Phoenix, Arizona, PCI SSC General Manager Bob Russo made it very clear that, regardless of what Visa USA was saying about filing a ROC, all merchants were still required to prove that they are in compliance with the PCI DSS.  The other card brands reinforced this by reaffirming that they still required the merchant’s ROC and/or AOC as proof of compliance.  As a result, merchants save themselves very little by not having to file a ROC/AOC with Visa USA alone.

What about EMV being more secure?  While that is typically true for small and mid-sized merchants, large merchants that switch their own credit card transactions would still likely have card data in their switch systems if not elsewhere in their computer systems.  So claims by some, including at times Visa USA, that PCI compliance is easier with EMV are not totally true.  Large merchants in Europe will back this up.

So after 15 years of EMV, what is Visa USA trying to prove with this push?  Apparently only Visa USA can tell us because, for the rest of us, there is no business case we can construct to justify the switch to EMV.  Obviously, Visa USA knows something that the rest of us do not.  Or do they?  I have consistently said that without a card not present fraud solution, EMV is just a solution looking for a problem.

But wait, maybe there is something here that we have been missing.  Is it possible that Google Wallet and similar current and future applications make Visa USA feel threatened?  There may be some factual basis in that statement.

At the PCI Community Meeting last fall, I spoke with a number of processors that seemed to have an idea of why Visa USA was finally pushing EMV.  These processors indicated that the EMV push was being driven by Visa USA to get EMV into the United States market before Google Wallet and similar applications could take the advantages of EMV away.  After all, the United States is the largest credit card transaction market in the world and if EMV was not in the United States, there is no driver to get worldwide adoption pushed.

When I quizzed these processors about the supposed “advantages” of EMV, they said that was the real problem.  With the advent of smartphones and applications such as Google Wallet, EMV has no advantages.  As a result, merchants and banks have no incentive to implement EMV with these new technologies just on the horizon.

When I went back and talked to a couple of key merchants, they all said that they are waiting out the technology race to see what wins from a smartphone perspective.  If Google Wallet and the contactless approach win, then that is where they will head.  However, a lot of merchants are betting on one-time use transaction codes displayed as bar codes to win out, as they typically require no technology changes at the POS.  American Express went down the one-time use transaction code route (a 15-digit number that looks like a card number) around five years ago, but had only limited success with it for online transactions.  Maybe the time has come for another try.

In the end, it is the consensus of merchants and processors that Visa USA has missed the window for EMV in the United States.  Most organizations believe that if Visa USA wanted EMV in the United States, they should have pushed it long ago.

UPDATE:  American Banker and PaymentsSource are holding a Webinar entitled “The End Of The MagStripe?” on Tuesday, March 6, 2012, at 3PM EST.  Unfortunately, it is not free, it costs $99.  This Webinar purports to answer some of the questions I have posed here as well as some other interesting insights into Visa and MasterCard’s thoughts on EMV.

23 Sep 2011

The (EMV/Contactless) World According To Visa

Based on discussions this week with a variety of large merchants at the PCI Community Meeting in Phoenix, there is a lot of confusion as to what Visa is trying to accomplish with their new Technology Innovation Program (TIP) to promote adoption of EMV and contactless cards.  I wrote about this program earlier and after the Community Meeting, it seems that my opinion of this program is shared by most merchants and QSAs.

The big clarification from discussions with Visa related to the first criterion, which is:

“At least 75% of the merchant’s transactions must originate from dual interface EMV chip-enabled terminals“

The big question merchants had was whether it was strictly about terminals, or whether it also required EMV or contactless cards.  Visa clarified on Thursday morning that it was just about installing and using EMV or contactless terminals.  However, in clarifying this criterion, they created a new question.  Visa claims that it will know through analysis of transactions whether a merchant truly meets the 75% rule.  While Visa could know what types of cards are used, and how, from transaction logs, we were all stumped as to how Visa would know the type of terminal used to conduct the transaction, since EMV cards are not yet available in the United States and contactless cards do not appear as contactless if they are swiped.

The next big clarification came from the PCI SSC regarding the implication of this program and PCI compliance.  The PCI SSC stated that while Visa is not requiring merchants to file a ROC or AOC, the merchant still has to ensure that it is PCI DSS compliant.  This means that the merchant still must go through the PCI compliance assessment process of a ROC or respective SAQ to ensure that their controls are functioning properly.

Visa representatives were pushing this aspect of the program very heavily at the Community Meeting, and their wording regarding it was very carefully crafted.  At first blush, what they seemed to say was that a merchant meeting the program criteria did not have to meet the requirements of the PCI DSS.  However, when you went back and reviewed their statements and comments, Visa really was not contradicting the PCI SSC.  My concern is that some merchants will not do that re-review and will think that they are off the hook for complying with the PCI DSS.

In talking to the other card brands at the meeting, they are not buying this aspect of the program.  Since around 99% of merchants that accept Visa also accept MasterCard, going through an assessment and filing an AOC is still going to be required by them.  So, unless Visa can get the other card brands on board, this benefit will not create an advantage for any large merchants.

It is not that the other card brands do not want EMV; it is that they do not agree with how Visa is approaching the problem of getting EMV adoption started in the United States.  The fear expressed by one of the other card brand representatives was that such a program opened the door to going back to pre-ROC times, not knowing whether merchants really were securing cardholder data.  All of the other card brands stated that they were assessing the Visa initiative but, for the time being, were sticking with their existing compliance requirements.  I have to admit, after the interaction with Visa on Thursday morning, I too am concerned that this is what Visa is inadvertently promoting with its new TIP program.

The point that really got the table roaring was when one of the merchants used the term “Chip and PIN” when the Visa representative used the term EMV.

In response to the use of “Chip and PIN,” the Visa person said very loudly and matter of fact, “There is no PIN involved, only the chip.”

At which point, one of the QSAs at the table said to the Visa representative, “So, what’s the point of having EMV without the PIN?”

There was no Visa response which drew laughter all around the table.

And that is the point.  There is no driver for any large merchant to adopt new terminals just because Visa will allow them to not have to file an AOC and ROC.  And the way the Visa announcement was worded gave most merchants the impression that the program would get merchants out of the PCI compliance process, which was patently not true.  And when the PCI SSC made that clear, most merchants I spoke with did not understand the point of Visa’s program.

One of the processors I ran into at the Community Meeting brought up a very interesting perspective on this whole topic.

He stated, “With eWallets just around the corner, what is the point of trying to drive EMV?”

He went on to explain, that with eWallets, bar codes can be generated that can be scanned thus avoiding the need for new terminals.  As a result, he said a lot of merchants are just biding their time, waiting until the whole mobile payment, eWallet technology is fleshed out.

The bottom line is Visa is attempting to use its 800 pound gorilla status to drive EMV and contactless into the United States.  The problem is that large merchants are not buying it and that appears to be frustrating to Visa since they have a vested interest in EMV and contactless technologies.

As I stated in my earlier post, if Visa were to work with a consortium of e-Commerce merchants, payment processors and other relevant entities to produce a common API for using EMV and contactless cards with PIN online, that would likely drive the adoption of more secure cards in the United States because there would be a business reason for adoption.  Without such a driver, EMV and contactless are still a solution looking for a problem.

01 Sep 2011

Visa Is Upset

It seems that I ruffled some feathers at Visa Inc. with my post regarding their program to incentivize adoption of EMV in the United States.  Since I had already irritated one vendor today, I thought, why not make the day complete and irritate another?

As a result of my “A Carrot for Chip and PIN” post, I was contacted by Visa’s public relations firm requesting that I correct my post to properly characterize the program.

“My client, Visa Inc., requests a correction to a factual error on your PCI Guru blog: “A Carrot for Chip and PIN” (http://pciguru.wordpress.com/2011/08/13/a-carrot-for-chip-and-pin/).
While the initiative is certainly aimed at promoting the use of EMV chip, it is not aimed at promoting PIN, per se.  Hopefully, the following post on the Visa corporate website will provide clarification, but please feel free to contact me if you have questions: http://blog.visa.com/2011/08/26/pin-largely-unaffected-in-u-s-migration-to-emv-chip-2/
Many thanks in advance for correcting the story!”

As requested, I went and read the Visa blog entry.  It is about the fact that PIN usage is not affected or required by the new program.  Apparently a major industry media outlet had implied that Visa was pushing for not using PINs, which is not the case.  However, if you read my post, I do not say anything about PIN usage.  As a result, I asked the PR person to clarify what the problem was with the post.

“I guess I’m a bit confused about your request for a correction
EMV is known as “Chip and PIN” everywhere around the world.  My post does not discuss PIN usage only that Visa is promoting “Chip and PIN” as a card format as well as the RFID contactless card.
I’m always willing to make corrections, but is what Visa is requesting that I not use the terminology “Chip and PIN” and refer to it only as EMV?”

To which, I received the following reply.

“Yes, it would be correct if you just removed the references to PIN. While signature is the most common form of authentication used with chip around the world, some regions such as the UK have so popularized the term chip and PIN that it has virtually become one word.
So yes, it can correctly be referred to as a move to “EMV chip” or just “chip” if you prefer.
Many thanks!”

At first blush, this seems to be a very petty argument as to why I need to change my blog post.

But whoa!  Signature is the most common form of authentication with EMV cards around the world?  So, what is the point of having EMV if signature verification is still used?  I have always been told that the whole point of EMV was the coupling of the chip technology with the personal identification number (PIN).  The only reason signature is the most common authentication method is that, outside of Europe, and the UK and Ireland in particular, no one has the infrastructure on a large enough scale to process EMV with a PIN.  That is the whole reason Visa is trying to push EMV and contactless: to broaden its use.

Basically, from my interpretation of this response, I was accurate in my original post when I stated that Visa thinks that removing the PCI ROC requirement is enough to drive merchants to implement EMV or contactless terminals.  How could that be when it would take most merchants 10, 20 or even more years of ROC cost to equal the cost of replacing terminals?  Just how does an organization justify such an expense?  Particularly since the other card brands have not agreed to support this program.

But the other thing that disturbs me about this response is that Visa is upset with the use of the term Chip and PIN.  Never mind the fact that Visa uses the term Chip and PIN on its own Web sites around the world as a reference to EMV, or that Chip and PIN has become essentially synonymous with EMV.

So I respond to the PR person.

“I have reviewed my post (http://pciguru.wordpress.com/2011/08/13/a-carrot-for-chip-and-pin/) against the post on Visa USA’s Web site (http://blog.visa.com/2011/08/26/pin-largely-unaffected-in-u-s-migration-to-emv-chip-2/) and I fail to see why any correction is necessary.
The post from the Visa blog references the fact the [media outlet] stated that the PIN was being dropped in the move announced in http://usa.visa.com/download/merchants/bulletin-us-adopt-dynamic-authentication-080911.pdf.  The Visa blog post goes on to further clarify and define the fact that PINs will still be used.
My blog post says nothing about the PIN being used or not used.  My blog post is about the business reasons why such a program is not going to be a reason for US banks or US merchants to move to EMV.  As I reread my post, other than the fact that I used the term “Chip and PIN” in the title and then as an “aka” reference for EMV in the first paragraph, the remainder of the entry refers to the card by EMV or the dual chip terminal.  As a result, I fail to see the need to make any changes to the post as the post has no relevance to the Visa USA blog post other than they both reference the aforementioned Visa program to promote EMV in the US.
If Visa USA does not like the use of the term “Chip and PIN” then I suggest that Visa USA take that matter up with the UK and Irish banks that created it more than a decade ago.  The fact that EMV and “Chip and PIN” are now synonymous with each other is also an issue that I am not responsible for nor will making any change to my blog entry affect.
If there is anything else I can assist you with, please let me know.”

The PR person responds.

“EMV is not synonymous with chip and PIN. The EMV standard specifies a number of cardholder verification methods including signature, offline PIN, online PIN, and no verification. Also, while you may possibly be most familiar with chip and PIN implementations in the UK and Ireland, in fact the majority of global implementations of EMV chip have been with signature. Citing chip and PIN in the headline implies that every chip transaction would be verified with a PIN (as they are in the UK and Ireland), which in the U.S. is incorrect, and I know you want to avoid factual errors.
Thanks again for your consideration of this request. Please consider me a helpful resource on future security matters in which Visa Inc. may be a good fit for your story.”

While I understand the PR person’s point, let us face facts.  Google “Chip and PIN” or “EMV” and the other term comes up in the results.  If that is not the definition of synonymous, I do not know what is.  Visa’s beef with my post really is the connotation, implied by using the term ‘Chip and PIN’ in the title, that a PIN would be required.  Whereas all I was trying to do was provide an easily Google-able term for people interested in EMV, since EMV is usually referred to as Chip and PIN.  Such a complaint would be laughable if it were not so sad.

Then to bring up offline PIN entry (where the chip itself, rather than the issuer, verifies the PIN), when it has been repeatedly shown to be the biggest reason why EMV and contactless with PIN can still result in card present fraud, is amazing and just shows this individual’s limited knowledge of their client’s products and services.  But to add insult to injury, they then bring up the wonderful fact that EMV and contactless can also be used with no cardholder verification at all.  Not that I think anyone would actually do this, but it is an option.

However, the issue of not using the PIN along with the chip truly comes through in this response.  In my very humble opinion, the fact that Visa actually believes pushing EMV without the PIN is worthwhile is just hysterical.  What is the point?  This response actually confirms that I was correct in what I stated in my original post, and is why I wrote the original post in the first place.  Given the current state of affairs, there is no business reason for EMV or contactless if PIN is not part of the equation.

But this incentive program does nothing to address the even larger issue that merchants and banks face which is the one of card not present fraud.  Card not present fraud is growing at a 20% to 35% clip depending on the survey you read from wherever in the world and comprises more than 50% of total card fraud.  If Visa really wanted to make a difference and give merchants and banks a reason to push for EMV and contactless adoption in the United States, they would gather the various stakeholders together in e-Commerce and come up with a common API that would allow EMV and contactless work online.  That would rein in card not present fraud and would truly create a business reason for investing in EMV and contactless capability.

As it is now, EMV and contactless are solutions looking for a problem.

13 Aug 2011

A Carrot for Chip and PIN

On August 9, 2011, Visa USA announced an interesting program to give merchants a carrot to adopt dual-interface chip terminals: terminals that accept EMV (aka Chip and PIN) cards through the contact interface and, through near field communication (NFC), contactless cards and mobile devices that transmit card information over NFC.

The carrot Visa USA is offering merchants is a waiver of the annual PCI compliance validation if they implement dual-interface chip terminals.  The criteria merchants must meet in order to obtain the waiver are:

  • At least 75% of the merchant’s transactions must originate from dual interface EMV chip-enabled terminals;
  • The merchant validated their compliance with the PCI DSS within the last 12 months with the merchant’s acquiring bank or the merchant filed a defined remediation plan with the merchant’s acquiring bank;
  • The merchant must have confirmed that they do not store sensitive information (i.e., track data, PIN, CVV) after completion of any transaction; and
  • Not involved in a breach situation.

The first requirement certainly drives the swap-out of old terminals.  However, until banks start issuing EMV and/or contactless cards in bulk, merchants are not going to invest in dual-interface chip terminals.  What Visa USA is surely hoping for is that a large merchant like Wal-Mart, Best Buy or Target buys into the program and thereby drives the issuers and banks to get on board.  Without a big box merchant, this program is pretty much dead on arrival.

The next two points are pretty much the same thing.  In order to be compliant with the PCI DSS, a merchant must prove that it is not storing sensitive credit card information.  The only reason I can see for the third point is, I am sure, to cover the “defined remediation plan” of the second point in the event that the gap found was related to storage of sensitive information.

The fourth and final point just makes complete sense.  If a merchant has been breached, they must have shown that they are PCI compliant before being allowed to be waived from a PCI assessment.

Is it a good idea to waive the annual PCI assessment for merchants all in the name of getting them to adopt a new technology? Particularly technologies that do not entirely solve the fraud issue with credit cards.  Yes, you heard me right.  EMV and contactless technologies do not entirely solve the fraud problem.  While they minimize fraud in the case of card present transactions, they do not even address fraud in card not present transactions.  And it is in card not present transactions where fraud is most prevalent.

So why the push for EMV and contactless cards?  That is a good question.  The proponents of EMV will tell you it is to curb fraudulent purchases.  However, according to the latest information I could find, while EMV is expected to drop card present fraud by 35% this year in Canada (the first full year they have EMV), card not present fraud continues to go up.  Based on statistics from a variety of sources, card not present fraud ranges anywhere from 40% to more than 60% of total card fraud.

So, if EMV and contactless do little or nothing for the majority of fraud being committed, why the push for them?  That is a really good question.  And to tell you the truth, I have no idea why Visa USA is pushing this other than to make things consistent worldwide.  From the standpoint of curtailing card present fraud, which stood at less than 5% in 2009 (the last year for which statistics are available), there is certainly no ROI for EMV.  This is why EMV has not been rolled out in the US: there is no payback if banks and merchants invest in it.

But then you have contactless cards.  Contactless cards rely on near field communication (NFC), which is built on radio frequency identification (RFID).  As with the magnetic stripe, the card data a contactless card transmits over RFID is not itself encrypted.  Numerous proof-of-concept attacks have been documented against these contactless cards.  The bad news for cardholders is that, unlike EMV and regular credit cards, a contactless card can be skimmed without their knowledge or even suspicion, since a reader in range can collect the data without the card ever leaving their wallet.  The only way the consumer knows their contactless card has been skimmed is when they get their statement and see the fraudulent charges.

But the really stupid thing about EMV and contactless cards is that until every merchant can process them, the cards will continue to need a magnetic stripe.  This is particularly true for automated teller machines (ATMs).  Even in Europe, where EMV is the only type of card available, ATMs still require a magnetic stripe.  This would hold true for the US as well, since even the major banks cannot afford to change out the card readers in all of their ATMs to support EMV and contactless.  As a result, any transition to these new cards will be a very long time coming.

That is not to say that EMV or even contactless could not take a significant bite out of card not present fraud.  Card readers for PCs exist; the problem is that such a solution would require a standard application programming interface (API), which the card brands, banks, payment processors and merchants have done nothing to create.  Over the years a number of solutions have been proposed by banks and card brands, but nothing that was adopted by everyone.  As a result, instead of fixing the problem, everyone just accepts it.

The bottom line appears to be that Visa USA is pushing high technology as a solution for card present fraud that just does not address the real problem.  However, I guess it is better to appear like you are doing something rather than not doing anything.

Relevant reading:

Chip And PIN

The Chip And PIN Debate – Part 1

PCI SSC Nixes PA-DSS Certification For Mobile Payments Applications For A While

12 Feb 2011

More On Mobile Payments

As I have found out, the definition of “mobile payment” depends on whom you are talking to.  For consumers, mobile payment means using their smartphone to pay for goods and services.  For merchants, it includes the consumer definition as well as using smartphones or similar mobile devices to process payments.

Last year I wrote a post regarding mobile payments and the use of smartphones, primarily the iPhone, as credit card terminals.  When I wrote that first post, Apple was running an advertisement for the iPhone that showed it being used to process a credit card payment with the ubiquitous tag line, “There’s an app for that.”  Shortly after that post, the advertisement dropped the iPhone as a credit card terminal.  I am not aware that the PCI SSC or any of the card brands complained about that advertisement, but I found it interesting that the images of it processing a credit card were removed, particularly given the number of security and privacy issues that were and still are being discussed regarding the iPhone.

That is not to say that iPhone credit card adapters have not continued to be developed.  It is just that they are nothing like the one shown in that original Apple advertisement.  The first one I came into contact with was Verifone’s PAYware Mobile solution, which is PA-DSS certified.  Whoa!  In my previous post I talked about all of the issues with the iPhone that make it almost impossible to be PCI certified.  How did Verifone create a PA-DSS certified application on the iPhone?  What Verifone did was to create a “digital back” for the iPhone.  All of the operations that need to comply with the various PCI standards are done in the digital back, not on the iPhone; the iPhone is just used as a display.  In the event that a credit card will not swipe through the digital back, the customer must go to a standard register.  I have also been privy to a number of similar iPhone applications.  All of them avoid the iOS interfaces, as iOS is the problem in achieving PCI compliance.

While the iPhone is the “Big Kahuna” of smartphones, that does not mean that Android and Windows Phone devices are not also used for credit card payments.  Unfortunately, like the iPhone, Android and Windows Phone devices have similar issues that make them difficult, if not impossible, to have PA-DSS certified applications on.  So from a merchant perspective, iPhone, Android and Windows Phone all have to be treated very carefully when they are used to process credit card payments.

But security concerns have not stopped merchants from rolling out mobile payments.  Starbucks recently introduced an iPhone and Android application that lets the customer put their Starbucks cash card on their phone.  The application displays a 2D bar code containing the cash card’s number; the Starbucks POS reads the bar code and deducts the purchase from the account balance.  Within a week of release it was shown that, because the bar code is static, a photograph of the screen is as good as the card: anyone holding the image can charge the account until the balance can no longer cover a purchase.  So much for secure mobile payments.

If we expect to secure payments, the traditional credit card is just not going to get the job done.  EMV, aka Chip and PIN, is a short-term technological fix, and also a backup payment method for where I think we are really headed.  I truly believe that the future in payments is smartphones and other mobile devices running software that generates one-time transaction codes for paying for goods and services.  Whether those codes are displayed as a 15/16-digit number or a bar code on a screen, or transmitted via Wi-Fi, Bluetooth or RFID, a consumer will not need a traditional credit card.  A 15 or 16 digit number will be necessary so that POS systems do not have to be re-engineered to support the new payment method.  Scanners are already capable of reading bar codes from smartphone screens, so that much of the solution is already in place.  Wi-Fi, Bluetooth and RFID support is arriving as we speak, so it is only a short matter of time before the infrastructure is in place.  All that is needed is the software.
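The following Python is an added illustration, not code from the original post and not anything Starbucks, American Express or a card brand ships.  It contrasts the static bar code from the Starbucks example above with the one-time transaction codes this paragraph describes (the same idea as the “single use transaction numbers” the February 2012 post says no one has built for online use).  The issuer, wallet, account identifiers, the HMAC-SHA256 derivation and the 15-digit-plus-Luhn format are all assumptions made for the example; the point is that a code bound to a counter is consumed on first use, so a photographed screen is worthless the second time, while a static account number is accepted every time.

```python
import hashlib
import hmac
import secrets

DIGITS = 15  # assumption: 15 code digits plus a Luhn check digit = 16-digit, PAN-shaped code


def luhn_check_digit(partial: str) -> str:
    """Check digit that makes partial + digit pass the Luhn test a POS already applies."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:  # these positions are doubled once the check digit is appended
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    """Standard Luhn validation of a full 15/16-digit number."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def derive_code(key: bytes, account_id: str, counter: int) -> str:
    """One-time code for (account, counter); only the holder of key can produce it."""
    msg = account_id.encode() + counter.to_bytes(8, "big")
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    body = str(int.from_bytes(mac[:8], "big") % 10**DIGITS).zfill(DIGITS)
    return body + luhn_check_digit(body)


class Wallet:
    """Consumer side: holds the account secret and a counter that only moves forward."""
    def __init__(self, account_id: str, key: bytes):
        self.account_id, self.key, self.counter = account_id, key, 0

    def next_code(self) -> str:
        code = derive_code(self.key, self.account_id, self.counter)
        self.counter += 1
        return code


class Issuer:
    """Back end: verifies codes and refuses any counter that has already been redeemed."""
    def __init__(self, window: int = 10):
        self.window = window  # how far ahead of the last redeemed counter we will search
        self.keys, self.last_counter, self.balance = {}, {}, {}

    def enroll(self, account_id: str, balance: int) -> bytes:
        key = secrets.token_bytes(32)
        self.keys[account_id] = key
        self.last_counter[account_id] = -1
        self.balance[account_id] = balance
        return key

    def redeem(self, account_id: str, code: str, amount: int) -> bool:
        key = self.keys.get(account_id)
        if key is None or not luhn_valid(code):
            return False
        start = self.last_counter[account_id] + 1
        for counter in range(start, start + self.window):
            if hmac.compare_digest(derive_code(key, account_id, counter), code):
                # Consume this counter and every earlier one: a replayed
                # (photographed) code lands below this mark and is rejected.
                self.last_counter[account_id] = counter
                if self.balance[account_id] < amount:
                    return False
                self.balance[account_id] -= amount
                return True
        return False


class StaticBarcodeAccount:
    """Contrast: the bar code carries only the account number, so any copy of it
    (a photograph of the screen) is accepted until the balance runs out."""
    def __init__(self, number: str, balance: int):
        self.number, self.balance = number, balance

    def charge(self, payload: str, amount: int) -> bool:
        if payload != self.number or self.balance < amount:
            return False
        self.balance -= amount
        return True
```

The issuer searches a small window ahead of the last redeemed counter so that a code the customer generated but never presented does not lock the account, and it burns every counter up to the one it accepts, which is what makes the replay fail.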

Such an approach not only will secure card present transactions, but would also tackle the security issues we face with card not present transactions.  If done right, mobile payments can become the solution to our PCI compliance problem.

10 Nov 2010

There Are No ‘Silver Bullets’

For the last time, there are no single ‘silver bullet’ solutions to perfectly securing cardholder data and their related transaction flows.  As my blog shows, I get comments from all sorts of people saying otherwise.  However, whether you are talking about Chip and PIN, end-to-end encryption, data encryption or tokenization, none of these technologies offer the complete solution to stopping credit card fraud.

Chip and PIN

Chip and PIN was developed to address the problem of face-to-face transaction fraud.  It does not solve the problem of cardholder data being breached in back office systems where most breaches take place.  The attackers know that somewhere in the transaction flow process, someone has to have the cardholder data.  Chip and PIN does not address the back office and never will.  It is not that Chip and PIN is a bad idea, it is the fact that implementing Chip and PIN does not, in and of itself, solve the issues faced with breaches.

End-To-End Encryption

End-to-end encryption requires that each end uses the same encryption process.  So the first problem is that each acquiring bank or service provider will likely have their own particular implementation of end-to-end encryption meaning that interoperability will not exist.  So those merchants with multiple processors will likely have problems with end-to-end encryption unless they use separate systems.  However, that is minor compared to the next issue.  The other problem is that there are a lot of ISOs and service providers in the transaction flow that require access to the transaction making end-to-end encryption not quite as easy as one might think.  However, the biggest problem with end-to-end encryption is that it only protects the cardholder data from one endpoint to the other endpoint.  It does nothing about protecting the endpoints themselves or the environment outside of the endpoints.  As a result, the endpoints and the environments outside the endpoints become the targets.  While the endpoint at the processor or acquiring bank is likely fairly well protected, the endpoint at the merchant is probably the weak link and therefore the merchant is still the target.  The most likely target here is doctoring the card terminals or POS software so that the attacker can gain access to the cardholder data before it hits the encryption process.  End-to-end encryption does nothing to prevent the tampering of the endpoints.  As with Chip and PIN, end-to-end encryption only addresses a part of the problem.

Data Encryption

Data encryption is great for protecting the data when it is stored as well as when it is in transit.  However, unlike end-to-end encryption, under data encryption when data is in transit there are multiple points where the data is decrypted and re-encrypted as it moves through the authorization and payment processes.  Any one of these points could be compromised and the data encryption defeated.  Cardholder data that is stored encrypted still has the threat of being compromised either at the point it is encrypted or if the encryption key is compromised.  If data is only encrypted during transmission or if it is only encrypted when stored, the data is susceptible to compromise wherever it is not protected.  As with end-to-end encryption, data encryption can solve a portion of the problem, but not the entire problem.

Tokenization

Tokenization is the act of creating a value, the ‘token’, and using the token as a way to reference the actual cardholder data.  Tokenization is great for merchants because it allows them to keep their old systems running unmodified by having the system believe it is getting back the PAN when in fact it is just a token.  However, the cardholder data still has to be transmitted in order for a token to be generated, so the merchant is still not out of scope.  Worse yet, if the transmission is not protected, then the data stream is susceptible to compromise.  As with all of our other solutions, tokenization is also not a complete solution.
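A minimal token vault that makes the two points above concrete, as an added example that is not part of the original post: the merchant's unmodified system happily stores a 16-digit value that is really a token, yet the PAN still had to be transmitted to the vault for the token to exist.  The token format (random digits, same last four, deliberately failing the Luhn check so it can never pass for a PAN) and the sample card numbers are constructed for this illustration.

```python
"""Added illustration of format-preserving tokenization.  The vault is a
stand-in for a service provider; the sample PANs are standard test numbers,
not real cards.  Token format is an assumption of this example."""
import secrets


def luhn_valid(number: str) -> bool:
    """Mod-10 (Luhn) check used on payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Service-provider side: the only place a token can be mapped back to a PAN."""

    def __init__(self):
        self._pan_to_token = {}
        self._token_to_pan = {}

    def tokenize(self, pan: str) -> str:
        # The PAN has to reach the vault for a token to be issued at all: that
        # transmission is what keeps the merchant in PCI scope.
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a well-formed PAN")
        if pan in self._pan_to_token:
            return self._pan_to_token[pan]   # same PAN, same token (repeat customers, refunds)
        while True:
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = body + pan[-4:]          # keep last four so receipts and lookups still work
            # Reject collisions and anything that passes Luhn, so a token can
            # never be mistaken for (or misused as) a real PAN.
            if token not in self._token_to_pan and not luhn_valid(token):
                break
        self._pan_to_token[pan] = token
        self._token_to_pan[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault (or whoever compromises it) can reverse a token."""
        return self._token_to_pan[token]


def legacy_pos_record(card_number: str) -> dict:
    """Stand-in for an unmodified merchant system: it stores whatever 16-digit
    value it is handed and masks all but the last four for display."""
    return {
        "card_field": card_number,
        "masked": "*" * (len(card_number) - 4) + card_number[-4:],
    }


if __name__ == "__main__":
    vault = TokenVault()
    tok = vault.tokenize("4111111111111111")   # constructed test PAN
    print(tok, legacy_pos_record(tok)["masked"], vault.detokenize(tok))
```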

The bottom line is that none of these technologies individually is the answer to our security issues with cardholder data.  However, if they are used together, they can provide a formidable defense against compromise.  But why is that?  As with all good security solutions, it involves defense in depth.  Since there is no single, ‘silver bullet’ that can solve the problem, we have to look at multiple solutions that, when put together, create a defense in depth approach to provide as much security as possible.

By using Chip and PIN in conjunction with end-to-end encryption, data encryption and tokenization, we create a gauntlet of protection.  However, as I always like to remind people, security is not perfect and even this solution is not a ‘silver bullet’.  Controls and monitoring are required to ensure that endpoints remain secure, encryption keys are protected and endpoints are not tampered with.  However, such an approach would go a long way toward minimizing the threat of compromises.

12
Sep
10

What Happens Once Merchants Get Rid Of Cardholder Data?

I started thinking about this a couple of months ago.  I think this is one of the problems we have in our industry as well as society as a whole.  We do not take the time to think about what our actions might result in.  If we did, we might not continue to end up with ever larger problems.

There appears to be this belief that once merchants get rid of cardholder data, life will be so much better and safer.  But is that really what will happen?  What does happen once merchants get rid of cardholder data?  Do the clouds part?  Is there sunshine forever?

Granted, these are all my suppositions, but I think they fairly portray what will happen once cardholder data is out of merchants’ systems.

Merchants have been led to believe that attackers will have to move their target to where the data will have moved which would be service providers, processors and acquiring banks.  But merchants are not out of the woods once they no longer store cardholder data.  In their efforts to get to the service providers, processors and acquiring banks, the attackers will take whatever route they have to in order to achieve their objective.  Merchants may no longer store cardholder data, but they will transmit it and possibly still process it.

Merchants have to connect to service providers, processors and/or acquiring banks, so they are still part of the transmission of cardholder data.  As security professionals like to say, “Security is only as good as its weakest link.”  Where is the weakest link?  Unfortunately, it will be merchants.  Even though they no longer store cardholder data, they are still a target and will need to continue investing in security so that they protect their business partners.  If you think it was tough selling merchants on securing cardholder data, imagine selling them on securing their business partners after they stop storing cardholder data.

Since merchants will still come in contact with credit cards in order to obtain payment, they will need something like end-to-end encryption or other security measures so that when a customer pays with their credit card, the connection between the card and the processor is secured.  That now makes the credit card terminal or the integrated POS workstation the prime target to intercept cardholder data.  Therefore, criminals will move their focus to supplying merchants or their equipment suppliers with doctored terminals or integrated POS software to intercept cardholder data.  There have already been documented incidents of this happening, so one has to assume that these sorts of incidents will just increase in occurrence.

Chip and PIN can resolve some of this, but as some security researchers recently showed, Chip and PIN can also bring a new set of problems.  Everyone looked at this exploit as too difficult to pull off.  However, if you truly read the researchers’ report, you see that it would only take the doctoring of a terminal to execute.  But the PCI SSC says that terminals are “dumb.”  Yet a lot of the terminals being used these days have the processing capability of a netbook.

To exacerbate the situation with the terminal, you have the problem of what to do when the terminal cannot connect to the service provider, processor or acquiring bank.  Even in this age of high network availability, there will always be the occasional incidence of the knocked over utility pole or network failure.  In these instances there has to be a way to conduct the transaction as merchants are not going to deny sales because the network is down.  There are a couple of ways to deal with this situation.  The first is to fall back to the good old “knuckle-buster” and paper forms.  You then need to deal with the security of the forms, but that can usually be handled the same as how a merchant secures their cash.

The second option is to put a form of intelligence in the terminal or integrated POS solution to conduct the transaction without the network.  However, this involves the temporary storage of the cardholder data in the device until the network is available.  Where this typically goes wrong is that the device does not properly clear the data once it has been transmitted.  Most people would say, “So what?  The attackers would have to know when the network was down.”  True.  But what if the attackers doctored the terminal or POS software and periodically just didn’t allow a certain number of transactions to process?  Do you think people would notice?  They would probably write it off as the technology just acting up.
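A store-and-forward queue written the way the paragraph says it should be, as an added example that is not part of the original post: stored records are overwritten and dropped the moment the host acknowledges them, and records that sit in the queue longer than a threshold are flagged, which is the check that would catch a device quietly holding back transactions.  The threshold, the buffer handling and the sample track data are assumptions of this illustration.

```python
"""Added illustration of an offline (store-and-forward) queue that clears
cardholder data on acknowledgement and flags stale records.  Threshold and
sample data are constructed; this is not any vendor's terminal code."""
import time

STALE_AFTER_SECONDS = 15 * 60   # assumption: a healthy device drains within minutes of reconnecting


class StoreAndForward:
    def __init__(self, now=time.time):
        self._now = now          # injectable clock so behaviour can be tested
        self._pending = {}       # txn_id -> (bytearray record, queued_at)

    def queue(self, txn_id: str, record: bytearray) -> None:
        """Hold a transaction until the host is reachable.  The caller hands over
        a mutable buffer and must not keep other copies, so that clearing it
        here actually removes the data."""
        self._pending[txn_id] = (record, self._now())

    def pending_ids(self) -> list:
        return sorted(self._pending)

    def forward(self, send) -> set:
        """Try to send every queued record.  `send(txn_id, data)` returns True on
        host acknowledgement; acknowledged records are cleared immediately."""
        acked = set()
        for txn_id, (buf, _) in list(self._pending.items()):
            if send(txn_id, bytes(buf)):
                acked.add(txn_id)
        for txn_id in acked:
            self._clear(txn_id)
        return acked

    def _clear(self, txn_id: str) -> None:
        buf, _ = self._pending.pop(txn_id)
        buf[:] = b"\x00" * len(buf)   # overwrite before dropping our reference

    def stale_records(self) -> list:
        """Transaction ids held longer than STALE_AFTER_SECONDS.  A device that
        keeps 'failing' to forward a few transactions shows up here."""
        now = self._now()
        return sorted(t for t, (_, queued_at) in self._pending.items()
                      if now - queued_at > STALE_AFTER_SECONDS)


if __name__ == "__main__":
    q = StoreAndForward()
    q.queue("t1", bytearray(b"constructed-track-data-1"))
    q.queue("t2", bytearray(b"constructed-track-data-2"))
    # Host acknowledges only t1; t2 stays pending and will go stale.
    print(q.forward(lambda txn_id, data: txn_id == "t1"), q.pending_ids())
```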

In the end, merchants are only a little better off than when they stored cardholder data.  Until a new system is developed, we need to mitigate the risks of the existing system.  That is what the PCI standards are all about.  They were developed to mitigate the risks presented by the current credit card processing system.  They are not perfect, but they do reduce the risks to an acceptable level if they are followed.

17
Aug
10

The Chip And PIN Debate – Part 3

In my last post I discussed the statistics surrounding the adoption of Chip and PIN.  In this post I want to go back and discuss the issues from my old post regarding security risks regarding Chip and PIN.

In my original post I discussed a number of shortcomings regarding EMV.  A lot of those issues were taken from old sources as well as some that were questionable.  I apologize for the misleading information in some cases.  However, the reason I included a number of these old issues was that they can still be an issue for EMV cards, as not every financial institution has necessarily converted their entire card base to newer EMV standards.  I know this to be true because one of my clients manufactures EMV cards and they continue to produce cards to older standards.

EMV, like any other security method, is not perfect.  So what are the viable issues?  Here is my take on the security issues for EMV.

Man-In-The-Middle Attack
At the IEEE conference in February 2010 a number of researchers from the University of Cambridge presented a paper on a man-in-the-middle attack where they used somewhat expensive equipment to build hardware and software that essentially intercepted the communications between the EMV card and the terminal to fool both into believing that a transaction has been properly completed.  After this paper was presented there was a flurry of newspaper articles about the problem hyping it as the reason why EMV is a “false prophet.”  A few days later, a number of articles came out dismissing the research as bunk because of the expense and complexity of the equipment.

However, the flaw that these researchers found is more exploitable than most people think.  Terminals are more sophisticated than most people give them credit for.  Today’s terminals are not the “dumb” devices of yesteryear.  Today’s terminals are like netbooks in disguise and run embedded Linux or Windows.  Vendors provide software development kits with these new generation terminals for the development of sophisticated solutions for processing credit cards, giving loyalty rewards and other merchant friendly purposes.  And after four years, it appears that the PCI SSC has recognized the threat from these new terminals and is modifying the PA-DSS to include them in the certification process.

I have personally been involved with a client that had their terminals tampered with by a gang to store cardholder data on USB drives embedded in the terminals.  These terminals were swapped for legitimate terminals by gang members posing as the night cleaning or the stock crew.  Then there is the Hannaford breach.  While we know that it was malware installed on the POS servers at each store, there has never been an official explanation given as to how the malware got on those servers.  Most people just assumed that the hackers somehow compromised Hannaford’s network and placed it on all of their servers.  But the rumor I heard was that the Hannaford breach was the result of tampering with their master ghost image for their POS server.  Hannaford had updated their POS hardware and software as part of their PCI remediation efforts (how is that for a real piece of irony) and had hired a third party to provide the additional resources necessary to ghost the new servers.

The bottom line is that there is ample evidence that data gathering at the source is a real threat.  Given the sophistication of terminals these days and the likelihood that they and POS software can readily be tampered with, the likelihood of a successful man-in-the-middle attack is higher than most people believe or want to believe.  As a result, it is not too farfetched that tampered-with terminals or POS software could be created and distributed to unsuspecting merchants by unwitting or unscrupulous vendors and/or resellers.

Card Cloning
In May 2010, Lloyds-TSB admitted that a number of their customers had been the victims of card cloning.  Apparently, this is not your run-of-the-mill amateur cloning operation, as these cloners are cloning everything and determining the cards’ PIN.

It is not difficult to skim the magnetic stripe on an EMV card as most of them have a stripe so that they can be used in non-EMV situations.  Now a lot of you are probably wondering how the bad guys got the cards’ PINs.  It is just a simple use of a rainbow table to break the encrypted PIN block.  The problem with the current PIN block encryption specification is that it is published.  And though you might think that PIN encryption would be tough to beat, banks usually only change their private keys annually so if you have a card from a target bank, you can figure out the private key by using the information from a known card.  As a result, it is not difficult to generate the necessary rainbow table(s) to quickly crack PIN blocks.

Once cloned, the cards are used at ATMs around the world to obtain the victims’ cash.  Why ATMs?  Turns out that almost all ATMs, even those in Europe, still rely on a card’s magnetic stripe to conduct withdrawals, not the chip.  To add insult to injury, it turns out that Lloyds-TSB’s and most other banks’ fraud detection systems ignore ATM withdrawals.  And because ATM transactions from foreign ATMs took anywhere from a week to a month to show up on customers’ statements, it usually was quite a while before the customer contacted the bank to dispute the transactions.

So until EMV is the configuration all over the world, the magnetic stripe is the weak link in the chain.

Card Theft

This is still a problem even with EMV.  The bad guys have taken a tip from the playbook of the long distance telephone scammers of the late 1980s.  That was the brief period before today’s truly portable cell phones, when people relied on long distance calling cards.  I can personally remember that at Newark Airport the terminal had scammers shoulder surfing people as they made calls, writing down the calling card numbers as they keyed them into the phones.

What today’s EMV scammer does is electronically shoulder surf at ATMs and merchants and then lift the victim’s wallet or purse.  They then quickly conduct as many fraudulent transactions as possible before the victim can notify their bank of the stolen card.

Granted, this is not a great way to make a living, but properly done, one can make a living at it.  With the new PCI PTS standard, even electronically shoulder surfing the PIN should be more difficult, but not necessarily impossible.  And with the prevalence of video monitoring everywhere these days, the chance of obtaining footage containing recordings of people entering their PINs is even greater.  So the new targets for hackers may be the DVRs that contain that footage.

Reverse Engineering Attack

This attack is a prime example of why some things should never be published on the Internet for everyone to see.

This is an attack that is developed by a person using their own credit cards as testing devices.  Even in today’s economy, banks issue credit cards to almost anyone that applies as long as their credit score is good.  Therefore it is not impossible to believe that someone would use their existing credit cards to reverse engineer keys.

First and foremost, all of the documentation is available on-line for anyone to see so the attacker has a readily available instruction manual for reverse engineering the standards.  All of the hardware and software development kits are readily available and in some cases can be obtained for little or no cost from vendors or through eBay.  If you think this is farfetched, remember that at this year’s Black Hat a guy explained how he learned to hack ATMs by buying them through eBay and other sources.  As I discussed earlier, what makes these attacks possible is that the private keys the banks use in their encryption do not change very often.  At most they change once per year, possibly even less than that.  As a result, anyone that desires can use off-the-shelf software to monitor the network and capture the traffic when the card authenticates.  From that traffic, the private key can be determined and then any card from a particular bank can then be easily cloned.

I am sure there are other attack vectors waiting to be discovered by some ingenious attacker.  I only wish I had the free time to look into this topic further, but that is for the attackers who have such free time.  But this is not to say that EMV would not bring something to the security table.  However, the bottom line is that there are risks with EMV and it is not the panacea that its proponents like to portray.  It has known and unknown flaws just like any other piece of technology.  So, let us all admit that fact and move forward.

UPDATE:  Here are some more links to other information regarding issues with Chip and PIN and explanations of the above threats.

http://blog.itsecurityexpert.co.uk/2010/02/chip-pin-weakness-smoke-screen-for-real.html

http://blogs.techrepublic.com.com/security/?p=3153

16
Aug
10

The Chip And PIN Debate – Part 2

In this post I would like to discuss from a statistical perspective why EMV is not making the impact on fraud that people are led to believe.  The following is the analysis I went through to prove this hypothesis.

So, let us compare a year of card present fraud in the UK to that in the US.  Unfortunately, I could only get statistics for 2008 for such a comparison.  However, for 2009, card present fraud amounted to around 16% of all fraud and that is 0.43% of the total charged on credit cards in the UK.  For comparison, the best I could come up with was 2008 for the US from the American Bankers Association, which indicated $788 million in card present fraud, amounting to 1.6% of the total amount charged.

According to the UK Cards Association, in 2005, the last year before the rollout of EMV, card present fraud amounted to just over 30% of the total fraud incurred from credit cards.  I could not find the total amount charged in the UK that year, so I have no idea how that amount of fraud related to the total charged.  However, given that card present fraud has remained steady at 16% of total fraud under EMV, I would assume the same held for non-EMV cards, so I would estimate that card present fraud amounted to around 0.86% of total charges in 2005.

So a 1% card present fraud rate drove UK bankers to invent EMV?  At the time UK bankers began to discuss EMV back in the early 1990s, it was my understanding that card present fraud rates were at least double or even triple those in the US, which would put card present fraud at somewhere around 3% to 4.5% of total charges, since card present fraud rates are relatively stable.  Unfortunately, I do not have access to figures to support that.  However, using just double would mean that, with card present fraud at 30% of all fraud in 2005, something must have been done to bring down the fraud rate before EMV was introduced.  I base this on the fact that card present fraud has remained static after the introduction of EMV, which would mean that in 2005 card present fraud was around 0.86% of total charges.  Could it be that enforcing better procedures at the merchant level, which is what the banks mandated before EMV was introduced, drove down card present fraud to around 1% of the total charged?  It does appear that way.

EMV will save US banks and merchants a total of around $394 million annually.  Given the estimated ten billion dollars it will cost to convert totally to EMV, is it any wonder why banks and merchants have no incentive to convert?  The ROI is just not there.

So what are the conclusions we can draw from this exercise?  Introducing EMV into the US would cut card present fraud by 50%.  However, since bankers and merchants believe card present fraud is already at a manageable level, there is no incentive to convert.  But the more telling conclusion is that EMV does not eliminate card present fraud like it is perceived by the public.  And that is something that the public deserves to know.

UPDATE: See this post from the FRB Atlanta.

http://portalsandrails.frbatlanta.org/2010/07/can-chip-and-pin-technology-address-payment-card-fraud-in-us.html

15
Aug
10

The Chip And PIN Debate – Part 1

Based on the comments posted to my blog lately, my Chip and PIN post has really hit a nerve.  As a result, I thought I should go back and re-examine that post as well as provide some additional information and analysis based on the comments left here.

First, I want to clarify that the PCI DSS and the rest of the PCI standards have nothing to do with the type of credit cards used by customers.  Yes, the PCI PTS indirectly deals with the card because it is all about terminals that read the card, but the PTS does not issue standards regarding the card itself.  So, whether we are talking about a traditional credit card with a magnetic stripe or the latest version of EMV (aka Chip and PIN), the PCI standards do not care.  And I challenge anyone to show me any PCI requirement that specifies anything regarding the security of the physical credit card.  Such a requirement does not exist and that, in and of itself, should be very telling.  The PCI standards do not discuss the type of credit card because, at the end of the day, the credit card is not the problem the PCI standards are meant to address; it is the data contained on those credit cards that gets processed, stored or transmitted through applications and networks that the PCI standards are concerned with.

Next, I want to reiterate that EMV was developed to address an immediate problem that was occurring in Europe in the late 1980s and early 1990s.  You see, EMV pre-dates the Internet, in fact, the original standard, v3.2, was issued just as the Internet was getting off the ground.  The problem EMV was developed to address was high rates of fraud with card present transactions.  This was just after the fall of the Iron Curtain and face-to-face transaction fraud was rampant by bankers’ standards.  However, let us be clear, it is not that EMV cannot be used to address issues with on-line transactions, but that is not what EMV was originally intended to address.

Has EMV been successful in addressing the original problem of card present fraud?  No doubt.  Europe’s card present fraud rates have dramatically dropped.  However, why has the discussion about bringing EMV to the masses of the world stalled?  It is because there is no driver for the banks to incur the costs related to such a conversion.  Why?  It all comes down to numbers.  According to The Nilson Report released in July 2010, while card fraud grew 7% in 2009, losses related to fraud as measured against total amounts charged actually dropped 0.1% to 4.7%.  And if you think bankers are interested in making changes when their approval ratings are sitting around that of used car salesmen, think again.

As I stated earlier, the only way banks can do such a conversion is to absorb the cost of the conversion, and that just is not going to happen at this time.  In addition, even with Wal*Mart’s chest thumping about EMV, the cost of converting all of the terminals in their stores to support true EMV is mind boggling.  But you say, “When Wal*Mart made their announcement they said their POS was EMV enabled.”  Sure, Wal*Mart’s POS is EMV enabled because all EMV cards come with the requisite magnetic stripe to be compatible with non-EMV terminals and their POS already supports PIN entry, so they are good to go.  What people did not hear from Wal*Mart is that they would still take about 5 to 8 years to convert all of their terminals to pure EMV starting with their major metropolitan stores and then throughout the remainder.  “And that,” as Paul Harvey used to say, “is the rest of the story.”

What I think confuses people is that the dollar amounts we are discussing are huge, some would argue obscenely huge.  In the immortal words of US Senator Everett Dirksen, “A billion here, a billion there, and pretty soon you’re talking about real money.”  And that is exactly what is going on with the dollar amounts behind these percentages.  The total amount of charges made in 2009 totaled a staggering $16.6 trillion.  Yes, that is trillion, with its 12 trailing zeroes.  Fraud for all of 2009 amounted to $7 billion, which is a pittance when compared to the total.  Yes, these are all very, very large amounts of money.  But in an analysis, the size of numbers does not matter; it is all about the relationships between those numbers.

When a banker looks at the fraud losses, they see two numbers: the monetary loss and the percentage that loss represents.  At 4.7%, fraud losses are considered manageable and can be appropriately compensated for by interchange and exchange fees as well as chargeback fees.  That may be a cold way of looking at things, but that is how business is done.
