Chip and PIN adoption serves lesson for U.S. payment industry

By Eric Ogren
29 Oct 2009 | SearchSecurity.co.UK


First Data Corp. and RSA, the security division of EMC Corp., are the latest major companies working together to encrypt credit card data at the point-of-sale device. This early encryption approach, also offered by other vendors, including ProPay Inc. and Merchant Warehouse, can lower the technical costs of Payment Card Industry Data Security Standard (PCI DSS) compliance, as well as the legal risk of disclosure notifications and the risk of mass information loss. It is a proactive approach that retailers should be evaluating.

But while U.S.-based payment processors focus on end-to-end encryption, the UK, France and other European countries are finding some success in reducing fraud by deploying chip and PIN technology. There are initial costs. The process focuses on replacing traditional credit card terminals with smartcard technology. Banks must reissue credit cards with embedded chips that authenticate using a PIN. The process helps verify a card as authentic by checking the PIN a customer enters against the PIN stored on the card.

Last month I had harsh words for the effectiveness of the PCI standard's efforts. My major issue with PCI DSS is that it imposes a wide range of security technology and process requirements on the retailer, credit card processor, and bank supply chain without regard to the unique needs of each business, and without the credit card industry recommending commensurate changes for an insecure business process. Even so, institutions are taking initiatives with pilot security programs, particularly leveraging European experiences with early encryption.

Chip and PIN represents one such area of innovation that uses the application of cryptography at the card swipe as a possible solution to data loss at retail sites. If the remote site does not have sensitive data in clear text, its security burden is dramatically lessened. As we have seen from the Gonzalez indictment, retail outlets create a massive attack surface for payment cards and are easily accessible by hackers.

Fraud data compiled by the UK Payments Administration on the chip and PIN credit card technology introduced in 2004 suggests success in reducing credit card theft at the point of sale, with implications that could map to potential compensating-control approaches in the US. The figures compiled by the organization show the costs associated with lost or stolen card fraud dropping from about $185 million in 2004 to about $88.1 million in 2008.

Banks deploying chip and PIN card technology have made mistakes that could be corrected before point-of-sale encryption takes off in North America. For one, applying password guidelines to PINs would make it more difficult to use a stolen card. It is surprising that the credit card folks would be non-compliant with their own PCI DSS standard by allowing four-digit PINs. If an attacker tried the last four digits of the person's telephone number, they would probably be right half the time. But I digress. The data does indicate that encrypting data at the swipe has a positive impact on credit card security.
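The two mechanisms discussed above, the card checking an entered PIN against the PIN it holds and the password-style issuance rules the column argues for, as an added illustrative model (not code from the column or from any card vendor). It assumes a three-try lockout, modelled on the try counter real chip cards use, and a hypothetical `weak_pin_reason` policy that rejects PINs guessable from the cardholder's own data such as the telephone-number suffix mentioned above.

```python
"""Added example: offline PIN verification on a simulated chip card, plus a
PIN-issuance policy that applies password-style rules to four-digit PINs.
Illustrative model only, not any issuer's or vendor's implementation."""
import hashlib
import hmac
import os

# Ascending and descending runs; any 4+ digit window of these is "sequential".
SEQUENCES = ("01234567890", "09876543210")


def weak_pin_reason(pin, phone="", birth_year=""):
    """Return why a candidate PIN is rejected, or None if it passes.

    phone and birth_year are cardholder data the issuer already holds; a PIN
    derivable from them (e.g. the last four digits of the phone number) is
    exactly the guess the column says succeeds far too often."""
    if not (pin.isdigit() and 4 <= len(pin) <= 12):
        return "PIN must be 4 to 12 digits"
    if len(set(pin)) == 1:
        return "all digits identical"
    if any(pin in run for run in SEQUENCES):
        return "sequential digits"
    phone_digits = "".join(ch for ch in phone if ch.isdigit())
    if phone_digits and phone_digits.endswith(pin):
        return "matches telephone number suffix"
    if birth_year and pin == birth_year:
        return "matches birth year"
    return None


class ChipCard:
    """Simulated card holding a salted PIN hash and a retry counter.
    Assumption: the card blocks itself after TRY_LIMIT wrong entries."""
    TRY_LIMIT = 3

    def __init__(self, pin):
        self._salt = os.urandom(16)
        self._pin_hash = self._digest(pin)
        self.tries_left = self.TRY_LIMIT

    def _digest(self, pin):
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self._salt, 10_000)

    @property
    def blocked(self):
        return self.tries_left == 0

    def verify_pin(self, entered):
        """Offline check at the terminal: constant-time compare, count down on failure."""
        if self.blocked:
            return False
        if hmac.compare_digest(self._digest(entered), self._pin_hash):
            self.tries_left = self.TRY_LIMIT  # a correct entry resets the counter
            return True
        self.tries_left -= 1
        return False
```

Once the counter reaches zero the card refuses even the correct PIN, which is what turns a guessable four-digit secret into a bounded risk rather than an unlimited one.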

PCI DSS compliance targets businesses that have large databases of credit card information, such as card processors and large merchants. However, PCI DSS is not a total panacea for credit card fraud and does not address fraud of transactions where a card is not used (e.g. Web and telephone transactions), which is a huge business problem for the credit card industry. Security vendors such as RSA and First Data are to be commended for teaming up to find a more secure process for conducting credit card transactions.


Eric Ogren is founder and principal analyst of the Ogren Group, which provides industry analyst services for vendors focusing on virtualization and security. Prior to founding the Ogren Group, Eric served as a security industry analyst for the Yankee Group and ESG. Ogren has also served as vice president of marketing at security startups Okena, Sequation and Tizor. He can be reached by sending an email to eric@ogrengroup.com.
