Target will adopt chip-and-PIN payment card security for its debit and credit cards, it announced on Tuesday, setting itself up to become probably the first major retailer in the US to take the plunge.
Beginning in early 2015, the horrifically hacked, still scrambling retailer will try to strengthen its bludgeoned security by plugging MasterCard’s chip-and-PIN security into its entire REDcard portfolio.
Chip-and-PIN systems are already widely used in Europe and elsewhere, while the US has been verrrrrrry sloooooooowly inching toward adoption of what are widely considered to be far more fraud-proof payment cards.
In fact, the large-scale theft of payment card data from the likes of retailers Target and Neiman Marcus has focused attention on the problem of the US’s stubborn refusal to back away from magnetic stripe cards.
Two major credit card companies, MasterCard and Visa, have plans to change to chip and PIN and have both recently set October 2015 as an important deadline in the switch, according to the Wall Street Journal.
Chip-and-PIN cards rely on a microchip embedded in the card, as opposed to the magnetic stripe on the back of nearly all cards used in the US.
The data on that magnetic stripe – known as track data – can be used to fairly easily create counterfeit cards by encoding the data onto any card with a magnetic stripe.
The chips on chip-and-PIN cards, in contrast, can’t be duplicated.
The PIN part of the equation, meanwhile, is also a more secure authentication factor compared with what a card holder scribbles on the bottom of a receipt (a signature that merchants frequently don’t even bother to check).
Mind you, chip-and-PIN is by no means a foolproof payment card security system.
In 2008, Trojanised chip-and-PIN machines in Europe were reported to have been compromised during the manufacturing process.
These Trojanised devices sported additional internal hardware, including a GSM modem, to transmit phished credentials to cybercriminals in Pakistan.
There have also been problems with ATMs and point-of-sale systems (POSes) that process chip-and-PIN cards: the random number generators they use have proved to be anything but random.
Another weak spot is the PIN entry device (PED) – the device into which customers insert cards.
Cambridge University has demonstrated that two popular brands of PEDs used in the UK don’t encrypt data exchanged between the card and the PED during a transaction.
That means that crooks with “basic technical skills” can record the information and create fake cards that can then be used to withdraw cash from ATMs abroad, as well as at some ATMs in the UK, according to researchers.
But while chip-and-PIN cards and their readers have been demonstrably hackable, they’re still considered better than magnetic-stripe cards.
There are various reasons why the US has balked at chip-and-PIN, including a lack of PIN management features in ATMs.
Another daunting prospect is that of replacing the extremely extensive existing infrastructure that supports magnetic stripe cards.
A recent payment systems industry white paper compares the changeover to a nationwide replacement of all standard-speed rail service with high-speed trains.
It will be pricey, and it will be tough, given that, as industry sources estimate, the existing infrastructure spans 15 million magnetic stripe POS devices. There were more than 360,000 ATMs as of 2007, credit cards number around 609.8 million, and there are an estimated 520 million debit cards.
The cost to upgrade to chip-and-PIN, as estimated by Javelin Strategy and Research, is about $500 million for ATM upgrades and at least $8 billion to implement EMV – that stands for Europay, MasterCard and Visa, with the acronym designating a global standard for interoperation of these integrated circuit cards.
Target’s chip-and-PIN announcement puts it on track to become probably the first major retailer in the US to bite the bullet on these daunting changes and sky-high costs as it moves to chip-and-PIN.
It will be interesting to see which other major retailers follow that big red Target dot as it bounces toward chip-and-PIN and how long it will take them to get there.
It will be even more interesting to see what widespread chip-and-PIN adoption will do to the rate of credit card fraud in the US, which is far higher than you find in other countries.
As Business Week reported in December 2013, the US last year accounted for 47% of global fraud, while processing just 24% of the payments by volume.
Finally, the US might well be on the path to seeing that unenviable number shrink.
14 comments on “Data-drained Target hurries to adopt chip-and-PIN cards”
I no longer have a credit card. However, not too long past, just to prove a point to the doubtful cashier, I signed the scanner with Horse Collar, which was accepted as my signature. The surprised cashier shook her head and I went out with my purchase.
I am a cashier at Walmart, and we just implemented this on our registers. Why is it saying that Target will be the first to? They just updated our registers for this, and we have outdated ones as it is. Not replaced, just updated the software.
Target, in this case, wouldn’t just be accepting the cards – it would be providing them. That’s what they’re leading the charge with, by being the first company to provide REDcard holders with chip-and-pin versions.
I have a Target card but I refuse to use it until they put better security in place. They keep sending me letters that it is “safe” to use it at the present time but I highly doubt it. I have also signed the scanner with funny names like “Dirty Store” and no one has even bothered to notice. How sad is that!
Target had a problem in early 2015? It’s 2014 yo
What begins in 2015 is the Chip-n-PIN deployment. (Not, we hope, another breach 🙂)
You say it’s being adopted very slowly, but most gas stations, grocery stores, and most retail stores (including Target) here in Tucson, AZ have upgraded to VeriFone’s MX 925/915, or have EMV support with the widely adopted MX 800 series with the large NFC pay pad on top.
What is going to take years and years is financial institutions to either burn through their stockpiles of preprinted plastic, or cut their losses (highly unlikely) and order cards with EMV.
But ‘Chip&Pin’ is NOT more secure. Think about it, when you make a payment the card device immediately tells the operator whether your PIN entered matches that stored on the card – even if you swiped the card instead of using the CHIP embedded within the card.
So the CHIP contains your PIN as does the magnetic stripe – how else would the system know it was the correct PIN *before* connecting with the supplier’s server?
As the PIN is held in at least 2 places on the card it can be read, as can the card number, the name on the card, the expiry date, the CRC code, etc.
All that means that anyone with the know-how and equipment can gather all the required details from your card when you use it or if you lose it.
Safer? I think not.
If it was that easy to get the PIN off the card LindaB, don’t you think that Europe would have found that out by now?
Yes, they have and that’s why there are so many card-based scams in Europe.
And the cards still have both stripe and CHIP.
Chip and Pin cards typically don’t have mag stripes in addition to the chip…and the whole argument for them is that the chips can’t be copied (which we all know isn’t true, but they’re far more DIFFICULT to copy), so regardless of if you have that additional information, to make a purchase with Chip and Pin requires your specific card to validate.
Not true in Europe at least. Both my and my partner’s C&P cards have both magnetic stripe and the chip embedded.
It has been found that the data on the chip can be copied in seconds! And there have been at least three scams using ‘cloned’ C&P cards in Europe and another (at least) in the USA.
The fact that a till terminal can read your card data means that with the right malware installed, as Target found out I believe, the nefarious can find out almost anything – nothing is sacrosanct these days.
OK – so regardless of if there is an accompanying mag stripe, that PIN data is still not shared with the terminal as you originally suggested. The terminal simply transmits the PIN to the chip to verify if it is correct. The mag stripe still only contains what it does in the US, which is supposed to be less valuable thanks to the PIN requirement.
I think the argument here is not that Chip and PIN is flawless, because nothing is. It’s that it’s likely to be more secure for the US in a number of ways: transactions require you to be present to enter the pin, so restaurants, etc. will likely process tableside rather than disappearing with your card (making it very easy to covertly copy), and PIN is one step better than signature verification, which I can tell you merchants RARELY, if ever, look at. It’s even gotten to the point where transactions under $25-30 don’t require a signature at many merchants.
Exposure at the terminal is honestly a whole different argument, and not something better card technology is likely to solve. It’s also what most of the chip and pin-related fraud seems to be perpetrated.
I just shopped at two Targets and a Walmart. They all have the C&P capable card scanners but only Walmart uses them. Target hasn’t purchased the software yet. Jan 2015. Poor Target!