Chip and PIN

Chip and PIN is back in the news and since I am heading to Europe next week on vacation, I thought I would pass this information along.

In a recent interview, Ms. Ellen Richey, Visa’s Chief Enterprise Risk Officer, indicated that Chip and PIN would head to the United States at some point.  As usual, there was an impression given that Chip and PIN is some sort of magic bullet that will cure all ills.  However, as you will see, Chip and PIN is not the “silver bullet” solution.

For those of you that have not traveled to Europe a little background.  Chip and PIN was developed by the British government to implement the Europay, MasterCard and Visa (EMV) standard for credit cards containing a built-in integrated circuit (IC), also known as the ‘Chip’.  The PIN part comes from the fact that you no longer sign a receipt when you make a purchase, you enter your PIN, just like at an ATM.  The purpose of developing Chip and PIN was to reduce the amount of fraud in face-to-face credit card transactions.  Chip and PIN is a worldwide standard that has only been implemented in Europe.  With the exception of Discover Financial, all of the other major card brands (Visa, MasterCard, JCB and American Express) have adopted various forms of the Chip and PIN technology.

Chip and PIN replaces the swiping of the magnetic stripe and receipt-signing common in the United States.  With Chip and PIN technology, the information contained on the magnetic stripe is also recorded on the Chip contained in the card.  The data stored in the chip is encrypted using either the DES, 3DES, RSA or SHA encryption algorithms.  Rather than swiping the magnetic stripe, the card is inserted into the payment terminal where the chip is read and decrypted and the transaction is submitted for authorization.  If authorized, the payment terminal is given to the cardholder and the cardholder enters their PIN into the terminal, a receipt is generated and the transaction is completed.  Most Chip and PIN terminals also have a magnetic stripe readers – you want the tourists to be able to use their “old” cards.  Chip and PIN terminals can operate over wired, dialup, 802.11 wireless or cellular networks.  In all communication environments, the terminals use secure transmission technology to ensure the privacy of cardholder data.

Looks good so far, but as I have said before, security is not perfect.  While Chip and PIN has significantly reduced fraud in face-to-face transactions, there are a number of issues regarding the security of this technology.  Those issues include:

• The EMV specification is open source and available from a number of sources, including EMV Co.  Because of this, any attacker can obtain the specification to build their own hardware and software for creating and processing Chip and PIN cards as well as creating attack methods to compromise the cards.  This has lead to a number of successful attacks resulting in cloned cards as well as obtaining and computing valid PINs.
• The entry of the PIN can be bypassed by the merchant.  If bypassed, the receipt is generated and signed by the cardholder, no different from a transaction performed with a traditional credit card.  While banks have tried to discourage this practice, this option is still available which does not provide any additional protections against fraudulent transactions.
• Theft of physical credit cards has risen since the introduction of Chip and PIN.  Criminals often hold victims hostage and threaten them with bodily harm until they reveal their PIN, which the criminals can confirm with a simple card reader.  Card readers are very easy to come by as banks sent them to all their customers along with their Chip and PIN cards when they were introduced.
• Banks encourage credit and debit card customers to take their card readers along with them.  The readers require the entry of the PIN in order to get information displayed from the card.  Security researchers found that because of frequent use of these readers, the readers had four more heavily worn keys that reduced the likelihood of guessing a card’s PIN from 1 in 3,333 to 1 in 8.
• Chip and PIN cards connected to PCs can generate authentication tokens, but the standards do not specify how these tokens are to be used in an online environment.  In addition, most e-Commerce sites and many banks have not implemented this capability into their Internet processing environments.  As a result, security of online environments is not always enhanced by using Chip and PIN cards.  In fact, some banks will not allow their Chip and PIN cards to be used online.
• Offline entry of PINs is supported by certain cards in certain countries.  In offline mode, the PIN is not encrypted, so it can readily be retrieved in plaintext from the terminal.
• The introduction of Chip and PIN technology has moved attacks to the merchant terminal or integrated point of sale (POS) solution. In the case of terminals, the terminal is modified by the attacker to record the information on the chip after it is decrypted (skimming).  Since most terminals use some form of high-speed network connection, the compromised terminal periodically sends the captured chip data to an attacker any where in the world. For POS, the attacker compromises the POS station and then obtains the chip data by monitoring the program that processes the Chip and PIN card.  Again, since most POS terminals are on a network, the attacker has their capture program send the captured card data to their computer.A number of incidents involving the skimming of Chip and PIN cards using tampered software or terminals have been documented.  Skimmed cards are typically sold in areas like Asia and the United States where magnetic stripes are still used.  The incidence of compromised terminals and POS systems has risen significantly since the introduction of Chip and PIN technology.

Many European organizations believe that Chip and PIN makes them immune to complying with the PCI standards.  The standards promulgated by the PCI Security Standards Council are worldwide in nature.  So, regardless of the type of card used, all merchants and acquirers are required to comply with all PCI standards.  This is legally enforced through merchant and service provider agreements between these entities and the card brands.  All agreements were updated worldwide over the last three to four years to include addendums that require all parties to be PCI compliant.

While Chip and PIN cards and their terminals are different, the integrated POS and the back end systems that authorize and process transactions are not different.  These systems provide their functionality the same way regardless of the card used.  At a minimum, these back end systems process and transmit cardholder data.  But these back end systems may also store cardholder data.  As a result, these back end systems must comply with the PCI standards.

Chip and PIN terminals are no different than their magnetic stripe swiping cousins.  They require proper configuration to ensure that they mask cardholder data and that they transmit transactions securely so that they comply with the PCI Data Security Standard.  They are also required to comply with the PCI PIN Entry Device (PED) standard.

The bottom line is that Chip and PIN reduces face-to-face transaction fraud, but it does not remove all of the risks involved in the use of a credit card.  As a result, there is still some amount of effort required to ensure that an organization’s credit card processing infrastructure is secure and complies with the various relevant PCI standards.

Update: Bruce Schneier has an interesting post regarding a new flaw in the Chip and PIN card that basically makes the PIN unimportant.

Advertisement

Dispelling Rumors – CVV/CVC

One of the things I hate about blogs is that they seem to generate more rumors than dispel. One of the reasons I created this blog was to get rid of some of the rumors surrounding the PCI process. Where these rumors come from, I’m not sure. However, the sooner they are dispelled, the more secure we will be.

The rumors I would like to dispel in this posting are related to why merchants seem to think they need to retain the card verification value or code otherwise known as CVV/CVC. It’s that three digit code on the backs of Visa or MasterCard cards and four digit value on the front of American Express cards. Actually, to be correct, American Express calls it the CID. Regardless of what it’s called, it is NOT allowed to be retained once a transaction has been processed.

The first rumor is that by using the CVV/CVC in transactions merchants reduce their interchange fees with their processor and the card brands. This is not true.

What is true is that by including the CVV/CVC value when a merchant submits a transaction for authorization, should a dispute or chargeback situation arise, the processor and/or card brands will reduce their fees on the dispute or chargeback. The rationale being that the processors and card brands assume that by having the CVV/CVC, it is less likely that the transaction will result in a dispute or chargeback.

The second rumor is that merchants conducting repeat transactions need to submit the CVV/CVC for the original and all subsequent transactions. Again, this is false.

There are two ways to conduct such recurring transactions. The easiest way is to use a processor that can provide you with a reference number from the original transaction and then process all subsequent transactions by allowing you to use the reference number so that your organization does not have to store the cardholder information. The other option is for your organization to store the cardholder’s name, account number and expiration date. Of course, if your organization is storing this information, you need to ensure it is stored securely either by encrypting it if on a computer or physically securing it if using a manual system.