The true impact of Chip and PIN: Separating fact from fiction

By Joel Dubin on July 21, 2015

What new mandates mean for fraud prevention, security and PCI obligations

The mandate by the credit card brands for merchants in the U.S. to accept Chip and PIN cards in October 2015 is being welcomed as a big boost to credit card security. After high-profile breaches at big-name retailers, such as Target, Home Depot and Neiman Marcus in recent years, one of the technologies often brought up to combat hackers has been Chip and PIN.

Chip and PIN is also being touted as a way for merchants to reduce their PCI scope. However, since Chip and PIN doesn’t change where card numbers are stored, transmitted or processed, the direct impact on PCI is minimal. In fact, the technology neither reduces PCI scope nor greatly improves the security of credit card numbers. Chip and PIN is designed to prevent credit card fraud, namely card cloning. Not surprisingly, cloning is most prevalent in the U.S., the only country to have not adopted Chip and PIN technology. Chip and PIN has been implemented in Europe for almost a decade, under the name EMV, short for Europay, MasterCard and Visa, but never caught on in the U.S.

Chip and PIN is not a silver bullet

While the technology offers some protection for credit card numbers, it isn’t the cure-all for the card industry’s security ills. In the case of the Target breach in 2014, for example, Chip and PIN would have had mixed results. Chip and PIN wouldn’t have prevented the theft of credit card numbers, but it could have possibly stopped their subsequent fraudulent use via card cloning. In the Target breach, credit card numbers were stolen through malicious access to point-of-sale (POS) systems after cards had been swiped.

Since Chip and PIN doesn’t require the encryption of card numbers through the entire transaction flow, card numbers could still have been stolen. However, Chip and PIN greatly increases the difficulty of cloning stolen credit cards, which would have limited their use for in-person (card-present) transactions, where a fraudster might attempt to use a copied card. But the numbers can still be used for online transaction fraud, which still makes them valuable to criminals.

The integration process

The conversion to Chip and PIN technology is required at two points in the credit card payment and processing cycle: the merchant and the bank. Merchants must install and use a new type of PIN pad, and possibly POS software, to accept Chip and PIN cards. Banks must issue new credit cards with embedded chips and distribute them to all their customers, replacing their existing magnetic stripe cards. For both the merchant, who must install new hardware, and the bank, which must cut new cards, there is a substantial cost.

If there is minimal security benefit to card numbers and no reduction in PCI scope, on top of costs for new hardware and cards, why go through the headache of converting to Chip and PIN? The answer is two-fold: a reduction in card-present credit card fraud and a liability shift for fraudulent transactions.

The drop in card-present credit card fraud after Chip and PIN implementation is dramatic. In the U.K., the rate of credit card fraud dropped 80 percent from 2007-14, while it surged 70 percent in the U.S. over the same time period. Some have hypothesized this has to do with Chip and PIN just being harder cards to clone than magnetic swipe cards, so the attackers have focused on easier targets. The validity of that hypothesis will not be known until magnetic swipe cards have been eliminated.

The technology behind Chip and PIN

However, before further discussing these benefits, let’s take a step back and explain the technology and how it works. This will shed some light on its advantages and disadvantages. It will also provide an understanding of how Chip and PIN is superior to the existing magnetic stripe technology at fighting fraud.

In the current payment system, which only accepts magnetic stripe cards, a customer swipes their card through a slot in a PIN pad or card reader. The data from the magnetic stripe, called track data, is sent to the POS system, which, in turn, depending on the architecture of the payment application, sends it either directly to the payment processor or via an application server acting as the gateway to the payment processor. In the scenario where the POS uses an application server, the server communicates directly with the processor.

Track data is the crown jewel of the credit card. It contains not only the card number, known in PCI lingo as the primary account number (PAN), but also the other data that makes up a valid credit card. This includes secret data (similar to a password) that authenticates the card as real. That data, if captured directly from a live credit card, can then be used to make an exact clone of the credit card. To the card processor and the issuing bank, this cloned card looks identical to the rightfully issued card.

The card is cloned by copying the stolen track data onto the magnetic stripe of a blank credit card with a magnetic stripe. Blank plastic cards, identical to credit cards with magnetic stripes, are easy for any fraudster to purchase. The fraudster can then use the card, which, in effect, is a perfect copy of the legitimate card, to make illegitimate purchases. However, for the merchant, these illegitimate purchases get valid approval codes.

This can lead to situations where the merchant loses both the merchandise and the funds if the transaction is deemed fraudulent.

Track data, including the PAN, can potentially be stolen at any point along the credit card transaction chain, from the point of swipe through to the processor. That transaction chain includes the POS, where the Target breach occurred; the application server, if the application has one; or the transmission of card data from the POS or application server to the processor.

Currently, hackers generally steal track data at the POS by using malware to scrape it from the POS’ memory, even before it goes out to the processor. If the data is stolen from memory immediately after the card is swiped, track data theft can occur before the POS can implement any type of encryption. Therefore, even PCI-compliant systems that encrypt track data and send it to the processor for authentication and approval and do not store any track data on disk can still be compromised. Attackers then send the stolen data to their underground networks and use it to clone cards for malicious use.
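As an added example (not code from the article), a defender-side check for the memory-scraping scenario just described: scan a captured buffer, such as a forensic memory image or a log that should never contain card data, for ISO/IEC 7813 Track 2 records, discard digit runs that fail the Luhn check, and report only masked PANs so the finding itself does not become cardholder data. The buffer, PAN and expiry below are constructed test values, and the function names are assumptions.

```python
import re

# Track 2 (ISO/IEC 7813): ';' start sentinel, PAN (13-19 digits), '=' separator,
# YYMM expiry, 3-digit service code, discretionary data, '?' end sentinel.
TRACK2_RE = re.compile(rb";(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\?")

def luhn_ok(pan: str) -> bool:
    """Luhn check digit test: weeds out digit runs that are not account numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Keep at most the first six and last four digits, the PCI DSS display limit."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def find_track2(buffer: bytes) -> list:
    """Return masked Track 2 findings (offset, masked PAN, expiry, service code)."""
    findings = []
    for m in TRACK2_RE.finditer(buffer):
        pan = m.group("pan").decode()
        if not luhn_ok(pan):
            continue  # looks like a track but the PAN is not a valid card number
        findings.append({"offset": m.start(), "pan_masked": mask_pan(pan),
                         "expiry": m.group("exp").decode(),
                         "service_code": m.group("svc").decode()})
    return findings

# Constructed buffer imitating a slice of POS process memory: one record with the
# well-known test PAN 4111 1111 1111 1111, then a record whose PAN fails Luhn.
SAMPLE_BUFFER = (b"\x00\x00sale ok\x00;4111111111111111=25121011234567890?\x00"
                 b";1234567890123=2512101?\x00\x00")
```

Real scrapers also look for records without sentinels, so a production scanner would add a looser pattern; the Luhn filter is what keeps such a pattern from drowning in false positives.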

The fundamental problem with the track data in magnetic stripes on credit cards is that it’s clear text and static. Once the track data is compromised, cloned cards with the exact same track data can be easily created. To change the track data, a new card for the account must be reissued with new information on the magnetic stripe. If the card’s magnetic stripe is compromised again, another new card must be issued—all at a cost to the issuing bank and to the annoyance of the cardholder, besides the inconvenience and lost sales for the merchant.

In a Chip and PIN system, the credit card is inserted into a slot on the PIN pad, rather than being swiped. Unlike swiping, where the card is immediately removed from the PIN pad afterward, the card remains in the slot until the transaction is completed. The card must be left in the slot because the chip is actually a microprocessor. The microprocessor connects to the hardware in the PIN pad, so the device can begin accepting card data. The chip is the “chip” in the “Chip and PIN.”

After the card is inserted, or dipped, into the PIN pad, the cardholder enters a personal identification number (PIN)—the “PIN” in “Chip and PIN”—and then the transaction proceeds. The microprocessor contains encryption keys and embedded code that encrypt the PIN and create a unique encrypted message, or identifier, for each transaction. If a hacker viewed the transaction message generated by the chip, or scraped it from the POS’ memory, they couldn’t use it to clone a credit card, as they could with a magnetic stripe card, because the next time the card is used, the message will not be the same.

In addition, Chip and PIN uses the PIN to verify the cardholder is legitimate, because, supposedly, only the cardholder knows the PIN. A hacker who stole the PAN, or even a thief who stole the card from someone’s wallet, for that matter, would need the PIN to use the card.

Some implementations of Chip and PIN allow the cardholder to use their signature instead of a PIN, as PINs can be forgotten and add a layer of complexity for the cardholder. Other implementations in the U.S. won’t require a PIN or signature, just the chip. In any of these cases, the chip technology still generates a unique message for each transaction that can’t be replayed or reused to copy the card (but does not protect against physical theft of the card).

A common misconception—especially when people hear the word “encryption” associated with Chip and PIN—is that it encrypts the PAN. However, the PAN is not required to be encrypted; the chip only encrypts the PIN. Legacy systems often cannot process payments with an encrypted PAN. Therefore, the PAN sometimes must be passed unencrypted for the payment to process. PCI compliance still applies to any PAN data that is stored, processed or transmitted through the cardholder data environment (CDE) at the merchant or service provider. This is because the PAN alone could be used fraudulently in online e-commerce transactions.

Basically, the differences between magnetic stripe and Chip and PIN technology are that a magnetic stripe is static and can be captured and used to create fraudulent credit cards, while Chip and PIN is dynamic, generating a different message for each transaction that can’t be used to make a new credit card. Magnetic stripes don’t verify the validity of the credit card, while Chip and PIN verifies the legitimacy of the card.
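To make the static-versus-dynamic contrast concrete, here is an added toy model (not code from the article, and not the real EMV algorithm, which uses 3DES or AES CBC-MACs under the EMV specifications): the chip derives a session key from its card key and an application transaction counter (ATC), MACs the transaction data with that key, and the issuer recomputes the value and rejects any counter it has already accepted. The keys, the HMAC-SHA256 construction and all names below are assumptions for illustration.

```python
import hmac
import hashlib
import struct

# Constructed demo values: a toy issuer key and the well-known test PAN 4111 1111 1111 1111.
ISSUER_MASTER_KEY = b"constructed-issuer-master-key"
TEST_PAN = "4111111111111111"

def card_key(issuer_master_key: bytes, pan: str) -> bytes:
    """Per-card key the issuer personalises into the chip (simplified derivation)."""
    return hmac.new(issuer_master_key, pan.encode(), hashlib.sha256).digest()

def cryptogram(key: bytes, atc: int, amount_cents: int, unpredictable: int) -> bytes:
    """MAC over transaction data under a session key bound to the transaction counter.
    This is the 'unique message' the chip produces; each ATC yields a different value."""
    session_key = hmac.new(key, struct.pack(">H", atc), hashlib.sha256).digest()
    data = struct.pack(">HQI", atc, amount_cents, unpredictable)
    return hmac.new(session_key, data, hashlib.sha256).digest()[:8]

class Chip:
    """Card side: holds the key, never exports it, counts transactions."""
    def __init__(self, pan: str, issuer_master_key: bytes):
        self.pan = pan
        self._key = card_key(issuer_master_key, pan)
        self.atc = 0  # application transaction counter, incremented per transaction
    def authorise(self, amount_cents: int, unpredictable: int) -> dict:
        self.atc += 1
        return {"pan": self.pan, "atc": self.atc, "amount": amount_cents,
                "un": unpredictable,
                "arqc": cryptogram(self._key, self.atc, amount_cents, unpredictable)}

class Issuer:
    """Issuer side: recomputes the cryptogram and rejects stale counters (replays)."""
    def __init__(self, issuer_master_key: bytes):
        self._imk = issuer_master_key
        self.last_atc = {}  # highest ATC accepted per PAN
    def verify(self, msg: dict) -> bool:
        expected = cryptogram(card_key(self._imk, msg["pan"]), msg["atc"],
                              msg["amount"], msg["un"])
        if not hmac.compare_digest(expected, msg["arqc"]):
            return False  # data or cryptogram altered, or wrong key
        if msg["atc"] <= self.last_atc.get(msg["pan"], 0):
            return False  # cryptogram already used: a replayed/scraped message
        self.last_atc[msg["pan"]] = msg["atc"]
        return True

def magstripe_verify(stored_track: bytes, presented_track: bytes) -> bytes:
    """Magnetic stripe: static data, so any exact copy is accepted every time."""
    return stored_track == presented_track
```

The unpredictable number stands in for the terminal-supplied nonce; a scraped message fails on the counter check even when nothing else about it changes, while the copied track passes unchanged.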

Decreasing fraud liability through Chip and PIN

Technology aside, the benefit of Chip and PIN is the reduction of liability for fraudulent transactions. The card brands endorsing Chip and PIN have said the party using the lesser technology, which could be either the issuer or the merchant, will be responsible for fraudulent transactions. This is a change, as currently liability for fraudulent transactions typically defaults to the merchant, but is negotiated as part of the merchant and card processor’s agreement.

With the new liability rules, there are four possible scenarios for each transaction: neither the merchant nor the issuer are deploying Chip and PIN; the merchant isn’t deploying Chip and PIN, but the issuer has embedded chips in their cards; the merchant has installed POS systems, or payment terminals, that accept Chip and PIN, but the issuer’s cards don’t have Chip and PIN; and lastly, both the merchant and issuer have installed the technology.

Here is a closer look at each scenario, and how each one impacts the liability shift for fraud.

Both the first and last scenarios are an all-or-nothing proposition: either both the merchant and the issuer have the technology, or neither deploys it. In the eyes of the card brands, the liability remains the same as it is currently. There are no set rules currently for determining the liability for fraudulent transactions. Liability is determined strictly by agreement between the acquirer and the merchant, and then defined in the contract between both parties.

In the second scenario, where the merchant hasn’t yet deployed payment terminals with Chip and PIN, but a credit card with a chip was used for the fraudulent transaction, the merchant would be responsible. The issuer, whose card had the chip and was used for the transaction, would be off the hook. Again, this follows the rule of the party with the lesser technology, here being the merchant without Chip and PIN, bearing the brunt of the loss from fraud.

This brings up the question: If the merchant’s terminal couldn’t read a Chip and PIN card, how could a transaction take place with such a card? The answer is that Chip and PIN cards will still have a magnetic stripe for backup purposes. Eventually, the magnetic stripe will be phased out, but when that could occur has still not been determined.

However, since the magnetic stripe is on the card, there will be a training issue for merchants to ensure cashiers are assisting cardholders to use the chip on cards, instead of falling back on the magnetic stripe. The customer’s choice to use a lesser technology could affect the merchant’s liability.

Even with Chip and PIN cards, the risk of card cloning remains, since they still have a magnetic stripe. However, cloning could only copy the magnetic stripe data, and the payment must be made using the magnetic stripe reader instead of the Chip and PIN part of the payment terminal. It’s also possible that some future hacker will figure out a way to attack payment terminals to disable their Chip and PIN capability, allowing only the magnetic stripe to be read on dual-use terminals. For now, that is just conjecture and shouldn’t be a consideration in whether or not to deploy Chip and PIN terminals.

In the third scenario, where the merchant has deployed Chip and PIN payment terminals, but the card used in the fraudulent transaction has only a magnetic stripe, the card issuer is responsible. This follows the rule of thumb where the party with the lesser technology is liable. The issuer, who issued a card with only a magnetic stripe, deployed the lesser technology.

Besides the liability shift, MasterCard started offering a PCI audit relief (not to be confused with PCI scope reduction) program in 2012 to entice merchants to implement Chip and PIN. The idea was to reduce the number of PCI audits required of a merchant. The MasterCard program follows a similar program by Visa, also instituted in October 2012.

To qualify for audit relief, 75 percent of a merchant’s transactions must originate from Chip and PIN compliant payment terminals able to accept both contact and contactless transactions. In addition, if 95 percent of the transactions originate from Chip and PIN terminals as of the October 2015 deadline, MasterCard will waive all account data compromise penalties for merchants who are victims of fraudulent transactions.

For a retailer, the implementation cost of the new terminals will need to be weighed against the potential liability. Small merchants and mom-and-pop shops that can’t afford the new equipment required for Chip and PIN will have to rely on their relationship with their acquirer or processor, who has the final say on compliance matters. Larger retailers that can pay the implementation cost have to decide whether or not they want to accept the liability.

Conclusion

To sum up the issue, the benefits of Chip and PIN are mostly for countering credit card fraud. It doesn’t offer huge data security benefits or PCI scope reduction. The technology prevents fraud by verifying the card and the transaction. It doesn’t add any more security for the PAN than the current magnetic stripe technology. Merchants must decide whether to implement the technology based on cost, acceptance of liability and their relationship with their acquirer or processor.

jdubin@advisen.com

Joel Dubin is a QSA and Manager at McGladrey LLP. He oversees and manages compliance assessments, including PCI, HIPAA and pen testing, and he reviews security architectures for clients to conduct security and compliance gap analyses.