Payment Card processing services upgrading to Chip-and-PIN and Point-to-Point Encryption


Userlevel 7
Badge +52
The massive data breaches at U.S. retailers 'Target' and 'Neiman Marcus', in which the financial credentials of more than 110 million and 1.1 million customers were compromised respectively, have put a spotlight on the need for more secure transactions.
To tackle this issue, the two major payment card brands, MasterCard and Visa, have announced the formation of a new cross-industry group that will focus on enhancing the security of the payment system to keep pace with the expectations of consumers, retailers and financial institutions in the United States.

“The recent high-profile breaches have served as a catalyst for much needed collaboration between the retail and financial services industry on the issue of payment security,” says Ryan McInerney, president of Visa Inc. “As we have long said, no one industry or technology can solve the issue of payment system fraud on its own.”

The joint effort aims to advance the migration to EMV chip cards, also known as PIN-and-chip cards, and to promote additional security solutions like tokenization and point-to-point encryption as well.
As for the chip technology, it generates a unique code for every transaction, making it nearly impossible for criminals to use the card for counterfeit fraud.
As the Target hack exposed, traditional magnetic stripe payment cards transmit your account number and, in the case of debit cards, your secret PIN to merchants. With 'Chip-and-PIN' cards, you're not transmitting an actual credit card number; instead, the card transmits a one-time-use token number that banks and card processors can match up with your account on the other end to process the transaction, without revealing your account number, even to the merchant.

Merrill Halpern of the United Nations Federal Credit Union, a pioneer in the use of chip cards, says in an interview with Information Security Media Group, "A PIN cannot be compromised. ... And the chips cannot be copied" and stresses that “EMV also is providing the foundation for moving ahead with more secure transactions, no matter what [type]. It's flexible and it's an evolving standard."

Besides these two card brands, the alliance will include banks of all sizes, credit unions, acquirers, retailers, point-of-sale device manufacturers and industry trade groups, say the card brands in the press release. The importance of forming the group is to work together to deliver meaningful solutions that will benefit consumers, merchants and financial institutions of all sizes and will ensure that all voices can contribute to the strategic direction of payment security.

Group Focuses on:
  • Advancing the migration to EMV in the United States.
  • Promoting additional security solutions like tokenization and point-to-point encryption.
  • Developing an actionable roadmap for securing the future across all segments of the payments industry.
“One of the critical roles we play is to protect consumers and businesses against criminals and fraudsters,” said Chris McWilton, president of North American Markets, MasterCard. “Only through industry collaboration and cooperation will we address the real and immediate issue of security and maintain consumer confidence and trust. EMV will be the next step in these efforts, alongside enhanced security solutions for online and mobile channels.”
 
Both card brands serve organizations and people globally. MasterCard is a technology company in the global payments industry that operates the world’s fastest payments processing network in more than 210 countries and territories, and Visa Inc. is a global payments technology company that connects consumers, businesses, financial institutions, and governments in more than 200 countries and territories to fast, secure and reliable electronic payments.
Source
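
A simplified model of the per-transaction code described in the post above, as an added example that is not part of the original post or any card scheme's own code. HMAC-SHA256 stands in for the chip's cryptogram, and the class names, key and amounts are hypothetical, constructed for illustration.

```python
import hashlib
import hmac
import os
import struct


class ChipCard:
    """Toy chip: the key never leaves the card, only per-transaction codes do."""

    def __init__(self, key: bytes):
        self._key = key
        self._counter = 0  # incremented on every transaction

    def authorize(self, amount_cents: int, terminal_nonce: bytes) -> dict:
        self._counter += 1
        msg = struct.pack(">IQ", self._counter, amount_cents) + terminal_nonce
        code = hmac.new(self._key, msg, hashlib.sha256).hexdigest()
        return {"counter": self._counter, "amount": amount_cents,
                "nonce": terminal_nonce, "code": code}


class Issuer:
    """Holds the same key and remembers the highest counter it has accepted."""

    def __init__(self, key: bytes):
        self._key = key
        self._last_counter = 0

    def verify(self, txn: dict) -> bool:
        msg = struct.pack(">IQ", txn["counter"], txn["amount"]) + txn["nonce"]
        expected = hmac.new(self._key, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, txn["code"]):
            return False  # forged or altered (e.g. amount changed)
        if txn["counter"] <= self._last_counter:
            return False  # a code that was already used: replayed capture
        self._last_counter = txn["counter"]
        return True


def demo() -> dict:
    key = os.urandom(32)  # constructed sample key, shared by card and issuer
    card, issuer = ChipCard(key), Issuer(key)
    first = card.authorize(1999, os.urandom(8))
    results = {"genuine": issuer.verify(first)}
    results["replayed"] = issuer.verify(dict(first))  # captured copy reused
    results["altered"] = issuer.verify({**first, "amount": 999999})
    results["next_genuine"] = issuer.verify(card.authorize(500, os.urandom(8)))
    return results


if __name__ == "__main__":
    print(demo())
```

Static magnetic-stripe data has no counterpart to the counter check: a captured copy is indistinguishable from the original, which is why the issuer-side replay rejection is the part that matters here.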

13 replies

Userlevel 7
I couldn't believe how shops were not using chip and pin when I visited the US. Was like stepping into the past, even though I think chip and pin isn't enough it still helps.
Userlevel 7
Badge +56
That is some awesome news.  I can't wait for this to roll out.  Maybe now my credit union will stop locking my card all the time for false positives 🙂
Userlevel 7
Hi Petrovic,
Thanks for an interesting article.
 
Regards,
 
Mike
Userlevel 7
Hi Nic
 
How you doing?
 
Know what you mean but don't hold your breath...it took a longish time to roll this out in the UK, and we are only a teenie, weenie country when compared to the US, population-wise as well.
 
I think that seriously it could take years, even assuming that a common set of standards is agreed with all the banks, etc.
 
But definitively a step in the very right direction...although I am wondering if it might not be better for the US to skip Chip 'n Pin and go to the next system...which I am sure is somewhere in the wings, etc.
 
Ah, decision, decisions....etc.,
 
Regards
 
 
Baldrick
Userlevel 7
Well we got it in Ireland shortly after the UK and we can't do anything right over here 🙂 Our government could be replaced with 50 blind one armed monkeys and things would improve!
Userlevel 7
Badge +56
@ wrote:
Hi Nic
 
How you doing?
 
Know what you mean but don't hold your breath...it took a longish time to roll this out in the UK, and we are only a teenie, weenie country when compared to the US, population-wise as well.
 
I think that seriously it could take years, even assuming that a common set of standards is agreed with all the banks, etc.
 
But definitively a step in the very right direction...although I am wondering if it might not be better for the US to skip Chip 'n Pin and go to the next system...which I am sure is somewhere in the wings, etc.
 
Ah, decision, decisions....etc.,
 
Regards
 
 
Baldrick
Doing good, how about you?  
 
That is a bummer to hear that it might take a long time to roll out.  I guess there is a lot of infrastructure to upgrade.
Userlevel 7
Doing good, Nic...cheers for asking!
 
Yes, bummer it may be but then again I think that the Americans are more striving (in the positive sense of the word, of course) than the British and I am thinking that it will probably take less time than it should...and there will be teething issues...but then again...that is often how implementations go.
 
Regards, Baldrick
Userlevel 7
The following article is an update on Chip and Pin and Point to Point Encryption
 
(Americans to be guinea pigs in vast chip-and-PIN security experiment)
 
By Iain Thomson, 7 Aug 2014
 
 
Black Hat 2014: Next year US banks will begin a wide-scale rollout of chip-and-PIN bank cards, just 11 years after the UK made it mandatory.
In doing so, Americans will take part in a vast experiment to test chip-and-PIN against chip-and-sign when it comes to stamping out money thieves.
 Not every US bank is keen on the PIN system, so some customers will get chip-and-sign cards instead. The results of the split approach will be studied by security experts to determine the pros and cons of each system; whether PINs are really more secure than a signature and whether chips are more tricky to clone than magnetic strips, for instance.
 
The Register/ Full Article Here/ http://www.theregister.co.uk/2014/08/07/americans_about_to_become_guinea_pigs_in_chip_and_pin_experiment/
Userlevel 6
The last point of the article concerning banks changing their terms to make consumers liable for fraudulent charges is not going to go over very well. It is something they promote to get you to use their credit card as well as their debit cards.
 
Being hit with credit card fraud twice in the period of 30 days just a couple months ago, it is fresh in my mind. I have alerts set up for foreign transactions and for charges over $50 made anywhere. On the 1st round, I received a text and as I was home, I responded within seconds answering their question if I made the transaction.
 
The transaction had not posted and it was a purchase made on a website. Once I confirmed it was fraud, they had the ability to reject the charge. Instead the bank allows the charge to post. I was not liable, however, the bank paid the merchant. They could have refused the charge. This is how they handle it. In cases like that, how can they hold the customer responsible?
 
It does concern me if banks do choose to go that route.
Userlevel 7
Badge +54

The EMV or 'chip-and-PIN' system is not without security flaws, researchers warned

By Lucian Constantin, August 8, 2014

There's a push to adopt chip-equipped payment cards in the U.S. following high-profile breaches at large retailers and restaurant chains during the past 12 months, but experts warn that switching to this payment system will not make fraud disappear.

The EMV (Europay, MasterCard and Visa) standard is widely deployed around the world, and for the past 10 years or so it has been the de facto payment card system in Europe, where it's also known as chip-and-PIN. The cards authenticate with ATMs and payment terminals using the combination of a customer PIN and information stored securely on an integrated circuit.
In order to drive EMV adoption in the U.S., the credit card brands plan to shift liability in October 2015, after which parties that haven't deployed the system will be held liable for fraudulent transactions.
However, the EMV specification suffers from both regulatory and security issues, some of which have already been exploited in real-world attacks, according to Ross Anderson, a security engineering professor at Cambridge University with 25 years of experience in payment systems security.
 
Full Article
Userlevel 7
That goes without saying the US retailers need to beef up their security for everyone's sake. Chip n pin technology seems to be the right choice.
Userlevel 6
Something needs to be done as credit card fraud is on the rise. Every time a new security measure is taken, merchants have to update their card readers and/or replace them. It is costly and passed on to the consumer.
 
The thieves will always be looking for ways to hack the system, taking the extra steps on all ends will make it more difficult. The industry needs to be a step ahead of them.
 
 
Userlevel 7
Badge +56
It may not be perfect, but it is at least better than what we have now.
