There’s a blog post online about some computer security researchers who have found a way to compromise Chip-and-PIN terminal devices.  You can check out the BBC NightNews show here.

Ok, yes this is an attack against the system, but do you realize how it requires physical access to the systems?  I’d be very happy if this was the only way to compromise payment systems because it means all the other security holes in the software, remote administration, encryption, etc. have been addressed.

I think we will see more and more hackers driven to the physical side of data compromise as the current low hanging fruit dries up.

Here’s another example of how a hacker put a video camera outside a Chip-and-PIN machine.  Low tech sometimes still works.

Update: Cory Doctorow of BoingBoing also covered this topic.

Popularity: 37% [?]

We had a post a while back about the most recent APACS fraud numbers (released twice a year.) Many of us were curious why they did not include a reference to PCI. So I emailed Sandra Quinn their Director of Corporate Communications with the single question:

“I assume that the APACS feels that Chip-and-PIN has reduced fraud more than PCI/AIS?”

To which she replied, “Very much so”. (She said I could quote her on that.)

But, I really enjoyed reading a much longer and detailed message she sent including some of the following details:

The key thing is that the £1.1 bn banking sector investment in chip and PIN has seen fraud at retailers decrease from a high point of £218.8m in 2004 to £72m now. That’s an impressive decrease but obviously chip and PIN isn’t a silver bullet for all card fraud which is why we support a multi-layered approach - PCI-DSS is part of that as is online banking security systems, like VbV and MSC, and the move to dynamic customer authentication.

She also corrected our comments on their stance on government intervention:

This relates to legislation currently going through the UK legislative process (the Serious Crime Bill) where we have been lobbying MPs and members of the House of Lords (the UK upper legislative House) for some changes.

“In our view, improved data sharing within organisations, between organisations, within sectors and between the public and private sectors is key to improving the ability of the UK to tackle the challenge of fraud. APACS has been lobbying for several years for wider data sharing between the public and private sectors and we believe there is an opportunity to make significant gains for both sectors in the short term. We see this issue as the major priority in the fight against fraud.

Exercises have already been run by CIFAS (the body that provides an enabling mechanism for the sharing of fraud information between private sector organisations) using samples of data provided by government departments. The high level of match between address details used in frauds against both public and private sectors illustrated the benefits of sharing this information - once an address or other detail such as a telephone number are identified as having been used fraudulently, then
subsequent frauds can be prevented. The results from this exercise clearly demonstrated the importance of greater sharing of this type of data.

We urge the Government to do everything it can to promote such data sharing in the short term, which implies government departments making use of an existing structure, most obviously CIFAS, to start sharing the data as soon as possible. This would also be more cost effective than starting a new system from scratch.

We share the primacy concern of this data being protected from being deliberately, negligently or maliciously compromised and would welcome the opportunity to work with the Information Commissioner on a set of guidelines to clarify the basis on which information should be shared.”

Finally she provided some interesting statistics titled “Card Fraud 2006 Snapshots”.

Popularity: 30% [?]

Ed posts about a reference to Chip and PIN attacks that I feel are actually just risks. The story gets talked about because they associate the words “attack” and “Chip and PIN” making people think there is an actual weakness in the chip on the card.

The story is actually referring to the fact that a Chip and PIN card still has a magnetic stripe across the back of the card for international and backwards compatibility. This means that if someone skims the track data and watches the PIN being entered, as seen in these videos, then someone could “clone” the card… but not really, because they cannot clone the chip information.

There is risk in everything including credit card transactions. Personally I am happy that Chip and PIN is taking over instead of signatures as the form of authentication.

Popularity: 16% [?]

We have discussed many things relating to the payments industry, from Chip-PIN to the details of the PCI DSS, but have not focused much on the technology side of things. There are the PCI PIN (from Visa) requirements for TRSM and now the emergence of ‘contactless‘ payments has taken the stage.

Contactless (’Express Pay’ for American Express & ‘pay pass’ for MasterCard) is a form of smart card that has taken hold in the US. The reason for contactless is that it simply requires the merchant to purchase a device (the reader) that plugs directly into their current POS or Integrated POS (IPOS) device. This permits them to accept either ’swipe’ or ‘contactless’ payments without a major upgrade in their infrastructure. Most European countries (UK, France, Germany, Spain) and Canada have either mandated or at least support the Chip-PIN technology. The benefit of Chip-PIN is a higher level of security, because it requires the cardholder’s PIN to be entered for each transaction, which comes at a high cost — as many of these systems requre a complete upgrade of the merchant’s POS.

The Green Sheet has an article on contactless cards, which you can see a picture of here.

• “By the end of 2006, U.S. banks had issued 17 million to 19 million contactless credit and debit cards, according to industry estimates. One market research company, JupiterResearch, estimated those numbers will increase to 37 million by the end of 2007 and 188 million by 2010.”
• “Contactless enables a fast and secure payment process”
• “Contactless is currently a single-application product. The true value in contactless will lie in multiapplication systems…”

The ubiquity of contactless is going to take hold and with it the security risks. It will be the job of the PCI SSC, all card brands, and the information security industry to raise awareness and prevent fraud within these new electronic devices.

These groups are building security measures into the way contactless is used, but the big question is: will it be enough? Just as with card-present (or ’swipe’) transactions there are two pieces of data that are captured: the magnetic track data and the PAN (or credit card number), which is located within the track data. The question with contactless is can a skimmed card be re-used as a contactless payment or will the fraudsters just tear out the PAN and use it?

There are many security hurtles to overcome, but merchants are teaming up to implement this new technology. It has been shown that making it easier to pay means more people WILL pay. The allure of higher consumer spending will outweigh the security concerns over new technology. It will be the role of security companies and continued audits to verify that companies are securing the credit card data they collect.

Popularity: 100% [?]

Engadget reports that security researchers Steven Murdoch and Saar Drimer hacked one of Britain’s much-vaunted “tamper-resistant” chip-and-PIN credit-card processing terminals so that it plays Tetris.

They have this YouTube video showing it:

A better quality video and description is available on their website.

Popularity: 14% [?]

Some people have been asking, “What is the difference between EMV standards, PCI standards, and Chip/PIN requirements?”

EMV is the EuroCard, MasterCard, Visa chip card protocol standard. Here’s some information from the EMVCo website.

EMVCo LLC was formed February 1999 by Europay International, MasterCard International and Visa International to manage, maintain and enhance the EMVâ„¢ Integrated Circuit Card Specifications for Payment Systems. With the acquisition of Europay by MasterCard in 2002 and JCB International joining the organization in 2005, EMVCo is currently operated by JCB International, MasterCard International, and Visa International.

EMVCo’s primary role is to manage, maintain and enhance the EMV Integrated Circuit Card Specifications to ensure interoperability and acceptance of payment system integrated circuit cards on a worldwide basis.

EMVCo is a standards body that defines the physical and electronic requirements for chip cards. It is concerned only with the cards and not the cardholder data that is retained with merchants, service providers, or data storage entities.
I do not know why, but from everyone I have talked with they seem to feel that the EMVCo standards body is a failed organization. This seems strange as their website has current postings regarding news and events.

PCI refers to the Payment Card Industry standards which include several initiatives such as data security, PIN security, etc. (For information about the PIN security standards check the Visa website.) When we talk about PCI we really must refer specifically to the PCI Data Security Standards (DSS), which address the security of cardholder data that is stored, processed, or transmitted. Here is a bit from the PCI Security Standards Council (PCICo) website:

The PCI Security Standards Council is an independent body formed to develop, enhance, disseminate and assist with implementation of security standards for payment account security. The PCI Security Standards Council will maintain and evolve the PCI Data Security Standard, while working to promote its broad industry adoption, and while providing the tools needed for compliance with the standard. These tools include critical documents such as audit guidelines, scanning vendor requirements, and, in a few months, a self assessment questionnaire. These functions are as important as the promulgation of the standard itself.

PCICo is a collaborative effort of five credit card associations (American Express, Discover Financial Services, JCB, MasterCard Worldwide [MA], and Visa International).

Whereas EMVCo focuses on the chip standards, PCICo focuses on the security of the data that is stored, processed, or transmitted by merchants, service providers, or data storage entities.

Chip/PIN has already been discussed on this blog, but is a method of payment that further verifies the credit card is valid and held by the proper owner. From the Chip-PIN website:

Chip and PIN couldn’t be easier to use. Instead of signing a paper receipt to verify a card payment, you enter a four-digit Personal Identification Number (PIN), just like you do at a cash machine.

The “I Love PIN” logo was launched as a way of informing customers that the UK is moving to Chip-PIN. This means they need to remember their PIN number when making transactions. By accepting Chip-PIN transactions, the merchant is not responsible for fraudulent transactions as they would be under normal “swipe” transactions.

When we talk about Chip-PIN we are just talking about another authentication systems for the cardholder. This system is only used for “card present” transactions. Another system is used for “card not present” or CNP transactions.

Verified by Visa (VBV) or MasterCard Secure Code (MCSC) are systems used by online merchants to further verify the person making the transaction is the authorized cardholder. If a merchant enrolls in these programs the customer will be prompted to enter a password, known only to them, when making online transactions.

Question: I just migrated to Chip-PIN; Why do I have to be PCI DSS compliant?

Even though a merchant uses Chip-PIN, the chip information may be stored at the merchant. Although this information cannot be used to recreate the chip on a fake card, it does store enough information to recreate the track data (or magnetic track 2 data) on a fake card.

Thus, even though a merchant is using Chip-PIN, they must also be PCI DSS compliant. As Chip-PIN evolves to the use of an iCVV value, the storage of Track 2 Data from a Chip-PIN transaction will not occur. Even though the Track2 Data will not be stored, the primary account number (PAN) will be and thus must be secured under the PCI DSS.

Popularity: 19% [?]

Many countries around the world are currently in the process of implementing the ‘chip and PIN’ system for credit card payments. This system is based on the EMV standard, and uses a card with an integrated processor (a ’smartcard’) to store the card holder data. During a card present transaction, the payment terminal obtains the card data from direct communications with the customers smartcard, rather than reading it off the magnetic stripe.

The chip and PIN system allows for the use of a different CVV to authenticate the card data - referred to as an iCVV. From the Visa ‘Chip Card Acceptance Device Reference Guide, Version 7.0‘ , Section 3.4.3:

iCVV is an optional VSDC risk control feature that facilitates detection of skimmed chip data being used to counterfeit magnetic-stripe cards. Issuers may elect to implement an iCVV encoded in the track data stored on the chip, which is different from the CVV encoded on the magnetic stripe.

Put another way, the use of an iCVV logically separates the card data stored on the smartcard from the data stored on the magnetic stripe, preventing the use of data ‘cloned’ from a smartcard to produce a fraudulent magnetic stripe.

So, if a captured card data cannot be used to produce a copied card, how does this system relate to the requirements of the PCI DSS? Do merchants still need to comply to the requirements?

The simple answer is yes.

The astute will have noticed that the use of iCVV is still ‘optional’. Therefore, CVV values can still be used, and must not be stored as stipulated by the PCI DSS requirements. It is also important to remember that the chip and PIN / EMV system is still not implemented world wide - and probably will not be for some time to come. Therefore, it is both possible (and probable, given the current uptake of EMV) that foreign cards will use the magnetic stripe during transactions, which of course will contain the CVV and PVV values. Fall back to magnetic swipe for local transactions may also be permitted, depending on the local risk management rules of the acquiring institution.

Beyond the narrow focus of the CVV itself, it is still important for the merchant or card processor to secure the cardholder environment to protect other data, such as the PAN and PIN block.

Finally, the additional features and protection measures of the chip and PIN system are only useful for card present transactions. Transactions where the cardholder is not physically present are currently performed identically to those using traditional magnetic stripe cards. These transactions are refered to as ‘Card Not Present’ - CNP - or Mail Order / Telephone Order - MOTO - transactions, and are traditionally secured with the use of the CVV2 value printed on the rear of the card. New developments such as Finread or Mastercards Chip Authentication Program (CAP - non-official informative link) may introduce more robust authentication mechanisms for these transactions, but it is still too early to predict the success of these programs.

Popularity: 22% [?]

Chase Paymentech held their first international Fraud Prevention Forum on September 11th in Toronto. They announced the future movement of credit card security with the planned rollout of Chip/PIN to Canada.

Chip and PIN is a proven payment technology with over a 10-year successful track record in Europe. New infrastructure is being put in place to introduce this payment technology into the Canadian market in 2007.

“Protecting credit card data is critically important for all merchants.” said Michael L. Herman, Chief Compliance Officer at Chase Paymentech. “It is in the best interests of consumers and merchants that we make every effort to educate about PCI DSS compliance across our entire portfolio.”

Popularity: 21% [?]