Chip & PIN vs. Chip & Signature

The Obama administration recently issued an executive order requiring that federal agencies migrate to more secure chip-and-PIN based credit cards for all federal employees that are issued payment cards. The move marks a departure from the far more prevalent “chip-and-signature” standard, an approach that has been overwhelmingly adopted by a majority of U.S. banks that are currently issuing chip-based cards. This post seeks to explore some of the possible reasons for the disparity.

Chip-based cards are designed to be far more expensive and difficult for thieves to counterfeit than regular credit cards that most U.S. consumers have in their wallets. Non-chip cards store cardholder data on a magnetic stripe, which can be trivially copied and re-encoded onto virtually anything else with a magnetic stripe.

Magnetic-stripe based cards are the primary target for hackers who have been breaking into retailers like Target and Home Depot and installing malicious software on the cash registers: The data is quite valuable to crooks because it can be sold to thieves who encode the information onto new plastic and go shopping at big box stores for stuff they can easily resell for cash (think high-dollar gift cards and electronics).

Read Full Story at http://krebsonsecurity.com/2014/10/chip-pin-vs-chip-signature/


Obama signs chip and PIN executive order


US president Barack Obama has signed an executive order mandating the use of Chip and PIN Technology at executive departments and agencies for card payments.

With more than 100 million Americans falling victim to data breaches over the past year, thanks in part to massive attacks on the likes of Target, Home Depot and JPMorgan, the Obama administration has moved to get its own house in order.

From 1 January, cards issued by the federal government to distribute benefits will have to be chip and PIN, and payment terminals acquired by agencies through the Department of the Treasury will also be upgraded.

“We know this technology works — when Britain switched to a chip-and-pin system, they cut fraud in stores by 70%,” says the president.

For online transactions, Obama has given a group of agencies 90 days to come up with a plan to ensure that all those making personal data accessible to citizens through digital applications use multiple factors of authentication and an effective identity proofing process.

Obama has also set out plans designed to cut the time victims of identity theft have to wait for remediation, and actions designed to improve credit score transparency.

“There is a need to act, and to move our economy toward stronger, more secure technologies that better secure transactions and safeguard sensitive data,” says the White House in a statement.

The president called on the private sector to up its game, commending those that have taken action, including breach victims Target and Home Depot, who are now rolling out chip and PIN. Earlier today, a trade body set up to push the migration from magstripes estimated that nearly half of US merchant terminals will accept EMV chip card payments by the end of next year.

In an effort to speed up adoption, there will be a White House Summit on cybersecurity and consumer protection later this year to promote partnership and innovation, with mobile payments a particular focus. Obama is also renewing his call to Congress to enact cybersecurity legislation.

National Retail Federation CEO Matthew Shay, says: “We applaud the administration for taking proactive and positive steps by adopting PIN and chip technology for government-issued debit and credit cards, among other things.”

Obama admits his card was rejected

At today’s event, Obama revealed that even the most powerful man on the planet can suffer the indignity of having his payment declined. “My credit card was rejected,” at a restaurant in New York last month, the president said. “Fortunately, Michelle had hers.”

Author Bill Trueman is an independent Payments, Fraud & Risk Specialist and Managing Director of UK Fraud and Riskskill.

Source: http://www.finextra.com/news/fullstory.aspx?newsitemid=26601

Is the US ATM industry making too big a fuss about EMV?

Being based in Europe (though working globally), I find the U.S. reporting on EMV more and more astounding as time goes by. The debate amazes us in Europe, and no doubt observers globally, mainly because of the extremely strange logic being applied and the major inaccuracies that are being propagated in the anti-EMV debates. So let’s get some of these issues aired.

EMV is a European thing. This is the most surprising revelation, and people have got to stop, stop saying this. The U.S. principle of “not invented here” does not apply. EMV is a wholly U.S.-developed, -owned and -domiciled solution that Europe adopted because of the mandates to do so coming out of U.S. companies, and because Europe saw the fraud problems looming.

With the obvious exception of Europay (which does not exist today), the original forefathers of EMV — Europay, MasterCard and Visa — are all U.S.-owned, -controlled and -headquartered companies. The EMV standards authorship and member organizations are all U.S.-owned and -based with the exception now of a Japanese and a Chinese company.

The need for EMV was driven by the fraud problems of markets outside of the U.S., coupled with the desire for enhanced cardholder verification and the ability to manage issuer authorizations, either online to the issuer host or offline at an issuer’s agent — i.e., an EMV-enabled chip card. The European market saw the direction fraud was going; saw increases in domestic fraud losses; saw increasing cross-border fraud problems, not because we have more borders, but because in the U.K. or Germany or France we could measure it and publish it nationally because we collected national data on fraud losses.

And please stop spreading the myth that France was first to adopt EMV. It wasn’t. France was the first country to adopt cards with chips on them, using a domestic and proprietary standard, but these chips contained only low-level security that is associated today with all the inherent problems of the magnetic stripe — skimming, reproducing, counterfeiting, etc.

In Europe, though incredibly challenging to “cut through the treacle” of economic and cultural stubbornness (i.e., red tape), markets collaborated to deploy EMV-enabled cards, ATMs and point-of-sale devices. This was not delivered overnight, but it was delivered through the cooperation of a multitude of stakeholders across the financial services sector, merchant industry segments, suppliers, regulators, and others. It also took significant “championing” skills by the international card schemes — primarily Visa and MasterCard — to educate, facilitate, coerce, and reward or penalize, as the case may have been, and clearly is at the moment in the U.S.

It is also interesting to see that many other key markets and regions around the globe took lessons from Europe — both the positive and negative — to shape their own national and regional migration plans.

The ‘business case’ does not work. Well that is a corker! The business case has been established now in almost every jurisdiction around the globe. I imagine that national markets, individual stakeholders, and card schemes both regionally and globally have prepared their own weighty tomes. I am sure that if we were to read some of these individual masterpieces we would have a little “titter,” but it was a business justification that was required more than a business case.

Why is there no business case made in the U.S. yet? Why has the U.S. not been able to develop a logical, and yes expensive, business justification? I have been seeking out these mythical business cases for the last two years, and every time someone quotes from these ethereal documents, I have asked for a copy. Strangely one never appears.

Business justification is more than just cost vs. revenue. Everyone has looked at the EMV migration as a very long journey — over the long term. This does make it difficult though for a financial services industry that is fixated on next quarter’s performance reporting.

The U.S. does have an exceptional set of circumstances and problems, in that it does not have a single (or even a collection of) industry bodies that have been (or could be) coordinating a business case, costs, and losses; or developing a series of fixed vendor costs along the way.

The U.K. and Canada are just two examples of where this collaborative approach was essential, necessary, delivered and successful.

And if the business case does not exist, then why not? Business justification is more than just bottom line costs vs. revenues. It is about doing the right thing for the marketplace, corporate social responsibility, brand reputation, defending against and managing regulatory interference, new business development opportunities and, yes, the question of ROI.

Have we collectively learned nothing from the debacle at Target, to pick on just one recent case of management blindness?

In developing chips, cards, point-of-sale devices, terminal software, standards, certification requirements and the necessary supporting infrastructure, the hard work has now been done and valuable lessons learned. Key elements are already in place and these things are now all commodities.

The supplier community is ready. Merchants will take some more encouragement, but those with an international footprint already get the message and also wonder why the U.S. is so far behind. Accordingly, the costs of putting ICCs (integrated circuit chips) on cards are approaching single-digit percentages of the costs the European early adopters had to pay more than a decade ago at the behest of the U.S.-mandated requirements. The same applies to much of the rest of the infrastructure required.

The U.S. has so many more different suppliers, systems, infrastructures, etc. Hmmm … The U.S. does have a small number of national languages (not dozens) and a single currency (not dozens). Yes, the U.S. political stage is overly complex with federal and state legislatures — not dissimilar to the multiple jurisdictions of the European marketplace and those playing, or not, in the Eurozone.

Germany, France, Italy, Spain and other nations have local states and languages spread across them, and they’re often much more diverse in these single countries than within the U.S. as a whole. The telecoms-communications infrastructure in Europe has had to evolve faster as there are so many countries and in each one, different standards and architecture.

And rest assured, in most European countries (again, dozens of them), there is a completely different set of issuers, acquirers, processors, POS device suppliers and integrators, gateways, standards for these things and encryption, security, screening solutions etc. There are different European laws about data protection and transmission and privacy — and it goes on. As in the U.S., European players need to be cognizant of international law and how this affects the jurisdictions of the seller and buyer.

Durbin Act — Why this “red-herring” has suddenly become an issue is rather odd. This type of legislation is not adopted in some European countries, but it is in many others. Accordingly, one of the features that EMV had to develop to meet such legal requirements of the EU (and other countries) was multichannel functionality and the opportunity for consumers to be given choice through account selection at the point of sale. Equally, merchants can still facilitate processing options for debit and credit transactions.

Contrary to popular myth, routing logic is not prevented by the introduction of EMV. In fact, EMV functionality makes it easier to determine and communicate at the point of interaction. All that is needed is for all key stakeholders to sort out the legal debate and agree on the business rules.

Would somebody please track down the first person that started to propagate the Durbin EMV fallacy and see why they started this hare running, and would everyone else please check the facts and stop believing it?

EMV does not support NFC. Really? Check the numbers for all NFC-enabled card programs outside of the U.S. EMV supports the pixies at the end of the garden; it is the founding technology behind warp-drives, cloaking devices and time travel; it will make the supper; and it contributes towards world peace. Again all fallacies, though the last maybe nearer to the truth than all the rest put together. But it is this world peace question that is worth debate and thinking about — especially in the context of the challenges of card acceptance in Russia at the moment!

The author of this post is Bill Trueman, who is a UK-based independent Payments, Fraud & Risk Specialist and Managing Director of UK Fraud and Riskskill.

For more information visit http://www.ukfraud.co.uk/ and http://www.riskskill.com/
