Chip-And-PIN Is Not A Free Pass On PCI

A 403 Labs QSA, PCI Columnist Walt Conway has worked in payments and technology for more than 30 years, 10 of them with Visa.

Reports of the latest successful attack on chip cards based on the EMV standard should remind all of us once again that there is no such thing as absolute security. Retailers and consumers worldwide--especially those in Canada who are currently implementing chip-and-PIN--need to understand this fact and not count on any single technology to remain secure. That is why PCI remains relevant even in a chip-and-PIN environment.

From a security perspective, retail CIOs should understand a few things about these chip cards or smart cards (i.e., payment cards with an embedded integrated circuit or microchip). Chip cards can reduce fraud losses, but chip-and-PIN zealots can overstate the benefits. While card-present fraud decreases significantly, the bad guys simply shift to card-not-present (e.g., mail, phone or E-Commerce, where the chip has little value) and international fraud (to countries where magnetic stripe technology is used). For example, after the U.K. introduced smart cards, losses from both these sources increased dramatically. Remember that smart cards still have a magnetic stripe (and embossing and signature panels and holograms and every other piece of anti-fraud baggage ever devised).

Retailers should also understand that EMV (Eurocard MasterCard Visa) is a set of generic requirements that allows for the interoperability of cards. Implementation can be card-specific, and issuers still depend greatly on their own internal authorization procedures. Although these procedures are based on EMV, they can vary. For example, it appears the issuers in the recent U.K. case were not checking to see whether a PIN entry was attempted. When you think about chip-and-PIN security, you need to look at the entire authorization process.

One thing that is particularly disturbing about the recent attack is that the printed receipts stated “Verified by PIN” even though they were not. The Cambridge University team managed to convince the smart card that it had a chip-and-signature transaction while simultaneously convincing the POS terminal that it was a chip-and-PIN transaction. As a result, the receipts printed by the terminal indicated that a valid PIN was entered each time. That means defrauded consumers are in the unenviable position of having to convince their issuers that they did not make the transaction. In a particularly ominous quote, Professor Ross Anderson, the lead Cambridge researcher, said: "Over the past five years, thousands of cardholders have had stolen chip-and-PIN cards used by criminals. The banks often tell customers that their PIN was used and so it's their fault." Does this mean the bad guys have already used this fraud, or have consumers been lying?

Chip-and-PIN does not give the retailer a free pass on PCI. Sales clerks will continue to process some smart card transactions as chip-and-signature, and some of your people will be willing or unwilling participants in fraud. (Hint: Don’t use chip cards as an excuse to get rid of your internal fraud and staff monitoring systems.) Your call centers will not see much change, nor will your E-Commerce site. And until the entire planet converts to chip cards (and the U.S. market is a long way away from that happening), you will still see cards that have only a magnetic stripe.Cardholder data and magnetic stripe data from smart cards will continue be used in E-Commerce and ATM fraud. A French friend of mine had his EMV card compromised, and he found out the hard way that a lot of ATMs still rely on the magnetic stripe even in markets that have converted to chip cards. Therefore, retailers still need to secure their systems and networks to protect themselves and their customers and to comply with all of PCI.

On top of all this, can the cloning of a chip card really be all that far behind?

The dismissive reaction from the U.K. Cards Association to this story so far has been disappointing. They claim there are simpler, easier to execute threats than that used by the Cambridge team. Furthermore, they contend that cardholders only have to report their cards stolen to defeat the attack. One supposes that, compared to the Cambridge attack, it could indeed be easier to do a little shoulder surfing to get the PIN, thump the cardholder on the head in the parking lot, take their card and return to the store. But if that is what the issuers are suggesting, their subsequent argument--which rests on reporting the card stolen--rates a FAIL.

The Association also stated that the issuers’ systems are able to detect this fraud. That may indeed be the case in theory. But, unfortunately for each card used--and there was more than one issuer--the issuers’ systems failed to detect the fraud in each case. Oops.

Wouldn’t it be great if the card and bank associations could accept that EMV was compromised, that issuers need to improve their systems and that, while the protocol may be fine, its implementation has to be secure and carefully thought out, too? Then we all could move on.

Smart cards are a technical innovation that can reduce issuers’ fraud losses. But implementing chip-and-PIN is expensive for all parties, not just issuers who need to replace their existing cards. Retailers of all sizes have to spend significant sums to upgrade their POS equipment and retrain staff. Even consumers have to learn a new procedure to use their payment cards. Hopefully, the reduced losses (and increased merchant investment) are reflected in lower interchange reimbursement fees for merchants. This was the case 20 years ago, when incentive interchange rates (anyone else remember TIIF?) paved the way for near universal electronic authorizations.

Smart cards are not a magic wand that will make either fraud or PCI compliance disappear. Merchant and processor systems will still store, process and transmit cardholder data. The bad guys will continue to search for ways around any technology so long as there are economic incentives to do so. That means PCI is just as relevant for chip-and-PIN cards as it is for magnetic stripe cards.

What is your experience with chip cards? What will it take for the U.S. to move to chip-and-PIN? What do you think? I’d like to hear your thoughts. Either leave a comment or E-mail me at [email protected].