Why EMV won’t be enough to prevent criminals attacking retail systems and what to do about it.

While it’s encouraging to see a request for the industry to strategically embrace EMV, as in this article, it’s necessary to look at mitigating threats to data that EMV unfortunately doesn’t protect, often the data the criminals want the most: the PAN, or Primary Account Number. EMV, aka chip and PIN in Europe or chip and signature in the U.S., helps reduce card cloning, which was a top fraud problem in the ’90s when EMV was first specified. However, the UK experience over the last several years [1] clearly shows that data stolen from EMV systems can be re-purposed for fraud in non-EMV systems and in the rapidly expanding card-not-present ecosystems (i.e. e-commerce). The result is a major surge in online transaction fraud, something the U.S. needs to prepare for.

With EMV, the sensitive card number is unfortunately not encrypted from the chip to the POS or beyond. This may be a surprise to some who assume the chip-based approach is more secure. EMV transactions are authenticated using private and unique data items in each chip and card, but the sensitive data elements themselves are not encrypted at the data level. EMV authentication makes card-present transactions hard to replay, and chips harder to copy. EMV’s designers assumed every single place reading cards would be chip-based, so if card data was not encrypted, it wouldn’t matter. Sadly, that vision was never realized and likely won’t change for the foreseeable future.

So, mass credit and debit card data breaches need to be mitigated by the complementary combination of EMV with end-to-end encryption and tokenization. Breakthroughs like AES Format-Preserving Encryption (NIST SP 800-38G) enable this right from the chip or stripe reading device, well outside the reach of POS malware. Stateless key management avoids the complexity of encryption key injection and persistent key storage. Stateless key management is backed by international standards such as Identity-Based Encryption (IEEE 1363.3) and makes it very simple to scale to millions of endpoints. For post-authorization processes like settlement, analytics, chargeback and fraud detection, approaches using secure and independently validated tokenization provide a convenient solution to reduce further risks of data compromise.

Contrary to the article, these data-centric security technologies are already here and in daily use. In fact, they are proving their worth in the fight to make attacks harder and unattractive to criminals, and making card data useless to them when stolen. The technologies make an ideal complementary combination to complete the EMV strategy given the rise of advanced threats since EMV arrived, and are strongly recommended by card brands like Visa.

The US standards bodies at the heart of financial system security, like ANSI X9 (X9.119, X9.124) and NIST (SP 800-38G), and major hardware and software providers to the retail payments industry, are today providing the necessary foundation for this data-centric strategy to be embraced on an industry-wide basis. This is why many of the top 10 US merchant acquirers and national merchants are already well ahead of the game with this powerful 3-pronged approach. This includes Heartland Payment Systems, who led the industry charge towards better security approaches after a similar well-documented mass breach in 2009 [2], effectively changing the whole industry in the process with their “E3” data-centric security strategy. Since then, billions of transactions have been secured by the same approach across thousands of merchants as well as enterprise systems.

The combined approach helps eliminate many of the kinds of exploitable gaps we have witnessed in 2013 and prior in retail payment flows, in addition to sensitive personal data processes. More specifically, with this approach, the ever-vulnerable POS/checkout, people and upstream retail systems never see live data until it hits the acquirer. Yet, with current techniques, the protected data can still drive the full payments process and provide analytic data to the merchant or acquirer. The only risk that remains is from the acquirer to the card brands and issuers: a smaller network of highly trusted ecosystems, much easier to protect than millions of endpoints and, of course, well beyond the merchant’s PCI scope.
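To make the flow described in the last two sections concrete, here is an added example, not Voltage’s product code and not the NIST FF1/FF3 algorithms from SP 800-38G: a simplified Feistel-style format-preserving cipher over decimal digits, used the way a card reader would use it (BIN and last four left in the clear, middle digits encrypted), followed by a vault-based tokenization step for post-authorization use. The key, the test PAN `4111111111111111`, and the function names are all constructed for this illustration. The point it shows is that a POS which only ever handles the protected value can still mask a receipt and route on the BIN, while only the acquirer, holding the key, can recover the PAN, and that the token handed back for settlement and analytics carries no key material at all.

```python
# Added illustration (not Voltage code, not NIST FF1): toy format-preserving
# encryption over decimal digits plus a tokenization vault, modelling
# reader -> POS -> acquirer -> post-authorization token.
import hashlib
import hmac
import secrets

RADIX = 10
ROUNDS = 10  # even number of Feistel rounds so the half lengths line up again


def _prf(key: bytes, round_no: int, half: str, out_digits: int) -> int:
    """Keyed round function: HMAC-SHA256 over (round, half), reduced mod 10^out_digits."""
    mac = hmac.new(key, f"{round_no}:{half}".encode(), hashlib.sha256).digest()
    return int.from_bytes(mac, "big") % (RADIX ** out_digits)


def fpe_encrypt(key: bytes, digits: str) -> str:
    """Map a digit string to a digit string of the same length (unbalanced Feistel)."""
    n = len(digits)
    u, v = n // 2, n - n // 2
    a, b = digits[:u], digits[u:]
    for i in range(ROUNDS):
        m = u if i % 2 == 0 else v          # length of the half being replaced this round
        c = (int(a) + _prf(key, i, b, m)) % (RADIX ** m)
        a, b = b, str(c).zfill(m)
    return a + b


def fpe_decrypt(key: bytes, digits: str) -> str:
    """Inverse of fpe_encrypt: run the rounds backwards with the same round function."""
    n = len(digits)
    u, v = n // 2, n - n // 2
    a, b = digits[:u], digits[u:]
    for i in reversed(range(ROUNDS)):
        m = u if i % 2 == 0 else v
        c, b = b, a
        a = str((int(c) - _prf(key, i, b, m)) % (RADIX ** m)).zfill(m)
    return a + b


def protect_pan(key: bytes, pan: str) -> str:
    """What the card reader emits: first 6 (BIN) and last 4 kept, middle digits encrypted.
    Keeping BIN/last-4 is the usual payments choice so routing and receipts keep working;
    the key lives in the reader and the acquirer only, never in the POS."""
    if not (pan.isdigit() and 13 <= len(pan) <= 19):
        raise ValueError("PAN must be 13-19 digits")
    return pan[:6] + fpe_encrypt(key, pan[6:-4]) + pan[-4:]


def recover_pan(key: bytes, protected: str) -> str:
    """Acquirer side: the only place the clear PAN reappears."""
    return protected[:6] + fpe_decrypt(key, protected[6:-4]) + protected[-4:]


def pos_receipt_line(protected: str) -> str:
    """POS/checkout works on the protected value alone: it needs no key to mask a receipt."""
    return "*" * (len(protected) - 4) + protected[-4:]


class TokenVault:
    """Post-authorization tokenization for settlement/analytics/chargebacks.
    Tokens are random apart from the last four digits and map back to the PAN only
    through this vault, so a stolen token set carries no card data."""

    def __init__(self) -> None:
        self._by_token: dict[str, str] = {}
        self._by_pan: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if pan in self._by_pan:                      # same PAN -> same token (analytics)
            return self._by_pan[pan]
        while True:
            body = "".join(str(secrets.randbelow(RADIX)) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if token != pan and token not in self._by_token:
                break
        self._by_token[token] = pan
        self._by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        return self._by_token[token]


if __name__ == "__main__":
    key = bytes.fromhex("00" * 32)        # constructed demo key
    pan = "4111111111111111"              # well-known test PAN, not a real card
    protected = protect_pan(key, pan)
    print("leaves reader :", protected)
    print("POS receipt   :", pos_receipt_line(protected))
    print("acquirer sees :", recover_pan(key, protected))
    vault = TokenVault()
    print("token         :", vault.tokenize(pan))
```

Two design points worth noting. The Feistel construction is what makes the output the same length and character set as the input, which is why legacy systems between reader and acquirer keep working unmodified; a production deployment would use the standardized FF1 mode with its tweak and key derivation rather than this sketch. Second, the encrypted field here is only the middle digits, which is a deliberate trade-off for BIN routing and last-four receipts; it is acceptable only because the key never reaches the POS, which is exactly the stateless key-management property the text relies on.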

The result is a much safer and lower-risk operating environment for payment data when properly protected, and as Bob Carr, then Heartland CEO, famously stated in response to the repetitive similar breaches we have witnessed [3], “Every single breach I know of wouldn’t have happened if our end-to-end encryption solution had been there”.

For further details, the following webinar may be useful. As always, don’t hesitate to contact us if you would like to learn more at info@voltage.com

[1] http://www.frbatlanta.org/documents/rprf/rprf_pubs/120111_wp.pdf

[2] https://www.philadelphiafed.org/consumer-credit-and-payments/payment-cards-center/publications/discussion-papers/2010/D-2010-January-Heartland-Payment-Systems.pdf

[3] http://www.networkworld.com/news/2010/063010-heartland-end-to-end-encryption.html
