PREVENTING PAYMENT CARD DATA BREACHES

Transcription

1 NEW SCIENCE TRANSACTION SECURITY ARTICLE PREVENTING PAYMENT CARD DATA BREACHES DECEMBER 2014 UL.COM/NEWSCIENCE

2 NEW SCIENCE TRANSACTION SECURITY OVERVIEW From research on the latest electronic transaction security technologies to comprehensive strategies for reliable mobile payment solutions, UL s New Science advances are helping to support compliance, interoperability and security for the latest transaction technology implementations. UL is working with customers across the industry, conducting stateof-the-art trials; analyzing and assessing the security, functionality and interoperability of new and existing technologies; and enhancing implementation processes and developing unique migration architectures to help transition disparate systems to a new platform. NEW SCIENCE TRANSACTION SECURITY 2

3 WHY PREVENTING PAYMENT CARD DATA BREACHES MATTERS Payment card data breaches became a hot topic in the U.S. in 2013, highlighted by the Target and Neiman Marcus incidents, in which 40 million 1 and 350,000 2 cards, respectively, were compromised. However, while these two incidents dominated the spotlight, in the same year there were more than 600 security breaches in the U.S., 3 resulting in $6.8 billion in card fraud losses. 4 There were an additional $6.5 billion in card fraud losses in other countries in Understandably, preventing payment card data breaches has become a top priority for the payments industry, particularly in the U.S. CONTEXT A payment card data breach is the result of one or more hackers gaining access, often on a large scale, to information stored on debit or credit cards with the goal of selling this information on the black market or directly performing fraudulent transactions. 6 When a particular merchant is compromised, all consumers who used their payment cards at that merchant s retail locations are at risk. 7 This is broadly what occurred in the Target and Neiman Marcus incidents. In both cases, malware strains designed to take advantage of system vulnerabilities circumvented security, enabling backdoor access to consumer card data. 8 EMV cards have achieved a high level of adoption largely because they have helped decrease counterfeit fraud by 60 to 80 percent. Currently, the U.S. accounts for almost 50 percent of annual card fraud globally, which is comparatively high, given that 27 percent of card transactions occur in the U.S. 9 One contributing factor is that the U.S. is the last of the G20 countries to migrate to EMVbased credit and debit cards, 10 and the predominant credit and debit cards currently in use in the U.S. employ magnetic stripe (magstripe) technology, which was introduced to the mass market in the early 1970s 11 long before the Internet and mobility transformed the payments industry. EMV cards were first introduced in and were later adopted by most of the world, including 19 of the G20 nations. 13 These cards use an embedded chip to generate a unique encrypted code for each transaction, allowing the issuer to accurately confirm the authenticity of the card, while reducing the risk of fraud, unauthorized access to information and duplicate cards. 14 EMV cards have achieved a high level of adoption largely because they have helped decrease counterfeit fraud by 60 to 80 percent in countries where EMV cards have become the standard. 15 By the end of 2013, there were more than 2.37 billion EMV cards issued globally, 16 of which 17 to 20 million were issued in the U.S. 17 3

4 Driven by the major credit card brands, the U.S. is now in the process of migrating to EMV, with liability to card fraud mandated to shift to merchants by October 1, 2015 if they do not have EMV-enabled payment devices. 18 However, EMV is a digital transaction protocol that introduces a cryptographically secured means of determining the authenticity of credit and debit cards, helping these cards avoid being cloned by hackers. 19 Despite this protection, which goes beyond what is provided by magnetic stripe technology, EMV itself is unable to prevent the installation of malicious software that could lead to a commercial data breach, such as what occurred at Target and Neiman Marcus. 20 WHAT DID UL DO? UL conducted a comprehensive risk analysis of payment card fraud scenarios. From our study of data breaches, we understand that the type of card data that is obtained tends to include Track 2 data (the cardholder s account, encrypted PIN plus other discretionary data 21 ) of every card that was swiped at the compromised point-of-sale (PoS) device, along with the encrypted PIN data for every card transaction that was PIN-based. Although we believe it is extremely unlikely for the encryption to be broken, which would provide access to the actual PIN numbers, we have seen that stolen card data can be used to create counterfeit copies of the original cards. Whether these cards can be used in fraudulent transactions depends on two considerations: the kind of card that is compromised and the usage environment where the fraudulent card is used. These two considerations became the parameters for our risk analysis. 22 By itself, EMV technology is unable to prevent the installation of malicious software that could lead to a commercial data breach. We assessed the potential for fraud across different scenarios that are based on crossreferencing payment card technologies with acceptance environments. The specific payment card technologies we examined included magstripe and PIN, magstripe and signature, and EMV. The different acceptance environments included a magstripe PoS terminal, an EMV PoS terminal and an ATM machine for card-present transactions, as well as an Internet-based payment for card-not-present (CNP) transactions. This process yielded a robust set of scenarios, for which we then conducted risk assessments. 23 4

5 Payment card fraud risk assessment scenarios 24 Magstripe + Signature Compromised Card Magstripe + PIN EMV Attempted usage environment Magstripe PoS EMV PoS ATM Internet (CNP) Scenarios No fraud possibilities Conditional possibilities Unconditional possibilities Not a valid scenario Risk assessment insights Scenario 1: A swipe and PIN transaction is compromised, and fraud is attempted at magstripe PoS device that only requires a signature Unconditional fraud possibilities In this scenario, the ability for a criminal to commit fraud depends on the card type and issuer rules. As the PIN has not been compromised, signaturebased or no-cvm required (without the 3- or 4-digit code that is imprinted on the physical card but excluded from the magnetic stripe) transactions are at risk with issuers that allow their debit cards to be authorized either using a signature or without a PIN or signature (no CVM, for lowticket transactions). 26 Scenario 2: A swipe and PIN transaction is compromised, and fraud is attempted at a magstripe PoS device Conditional fraud possibilities This is the most likely form of fraud resulting from large-scale PoS compromise. In this scenario, a hacker is able to clone (i.e., create a copy) the compromised card to use in card-present situations using his or her 5

6 own signature. An issuer would have no way of telling the difference between a transaction with the genuine card or with the cloned card. The issuer would be liable for the fraud but may seek to shift liability to the merchant that was the source of the card data compromise. Acquirers can take additional measures to limit exposure to this kind of fraud. For example, PoS software can be modified to require merchants to enter the last four digits of the embossed primary account number (PAN) prior to authorization, as this would make it more difficult for a criminal to create cloned cards using compromised card data; although, this measure can be overcome because it has become relatively easy to obtain embossing equipment. Another fraud mitigation method is to ask customers for photo- ID to check against the name on the supplied card, but this can slow the transaction time, adding cost to the merchant while inconveniencing customers. 25 Scenario 3: An EMV-card transaction is compromised, and fraud is attempted at a magstripe PoS device Conditional fraud possibilities We assessed the potential for fraud across 12 different scenarios that were created by cross-referencing key payment card technologies with common acceptance environments. In this scenario, the ability to commit fraud is determined by the issuer of the card. The issuer will be able to detect that, based on the PoS entry mode data element in Field 55 (authorization data in the magstripe used by an acquirer to create a clearing message), the card is used in a magstripeonly terminal. Since this was originally an EMV card, this transaction may fall under the EMV liability shift regime (depending on region). The issuer may choose to decline the transaction, in which case no fraudulent transaction can take place. If the issuer chooses to approve the transaction, the fraud can occur and local liability shift rules will determine whether issuer or acquirer is liable for fraud. 27 Scenario 4: A swipe and PIN transaction is compromised, and fraud is attempted at EMV-compliant PoS device Unconditional fraud possibilities Here, the same rationale as Scenario 1 applies, with the assumption that the EMV-compliant PoS device is still capable of reading a magstripe card. Depending on the CVM requirements on a debit or credit card, transactions with a fraudulent card can potentially be authorized. 28 Scenario 5: A swipe and signature transaction is compromised, and fraud is attempted at EMV-compliant PoS device Conditional fraud possibilities 6

7 This case follows the same rationale as Scenario 2, in which the fraudulent card can be successfully used by the hacker, even though the PoS device is EMV-compliant. 29 Scenario 6: An EMV-card transaction is compromised, and fraud is attempted at EMV-compliant PoS terminal No fraud possibilities The ability to commit fraud in this scenario depends on regional fallback rules (the backup protocols, if any, that are authorized when the primary mode does not work). To an EMV-compliant PoS device, the fraudulent card will look like an EMV card in which the chip is damaged. In this case, the service code on the magstripe Track 2 would indicate the presence of a chip that the PoS device is unable to read, so the transaction may qualify for fallback under appropriate rules. If fallback is not allowed, the fraudulent transaction will be rejected. However, if fallback is allowed, the issuer will authorize the transaction if sufficient funds are available in the account. During the initial stages of EMV migration in the U.S., if fallback is allowed, Scenario 6 should be colored orange to indicate the potential for risk. 30 If the U.S. had already migrated to EMV, the consequences of the reported large-scale card compromises would have been less severe. Scenario 7: Magstripe and signature at an ATM Not a valid scenario There is no signature at an ATM. 31 Scenario 8: A swipe and PIN transaction is compromised, and fraud is attempted at an ATM Conditional fraud possibilities Generally, a cloned card is unable to be used to commit fraud at an ATM machine, as this would require a correct PIN number to be entered. However, criminals can use social engineering and phishing techniques to obtain PIN numbers 32, and it is also possible for criminals to obtain identity information to change the PIN numbers of cloned cards. 33 Scenario 9: ATM usage of a compromised EMV card No fraud possibilities With a cloned EMV card, criminals will not be able to duplicate the information contained in the EMV chip. An EMV-enabled ATM will return an invalid transaction on a duplicated card. 34 7

8 Scenarios 10, 11 and 12: Internet, CNP usage of a compromised card Conditional fraud possibilities In theory, the data that are stolen from cards by compromising a PoS device cannot be used for CNP internet purchases. This is because a compromised PoS device only gives access to magstripe Track 2 data, which do not contain the so-called security code (referred to as CVV2 or CVC2 data) printed on the signature panel of the card. 35 However, experience has shown that under certain circumstances, fraud can be successfully committed with the data gathered through a large-scale PoS compromise: In some cases, a web-based merchant that accepts card payments does not require entry of a security code to complete a transaction. In these cases, compromised card data can successfully be used for fraudulent purchases. Since the merchant does not require all the data it is supposed to (the CVC2 security code), the merchant will be liable for any losses. Some issuers do not validate the value of the CVC2 data, which means compromised card data can be used for CNP purchases. In this case, the issuer will be liable for any losses. A statistical attack vector exists with a large-scale PoS compromise. Because the CVC2 security code is a three-digit numerical value, there are 1,000 possible combinations. Most issuers allow three subsequent CVC2 validation attempts before fraud is suspected and authorization is declined, which yields a 0.3 percent per card success rate for fraudulent CNP transactions. When the data from millions of payment cards are stolen, there is a large statistical chance of committing fraud in CNP environments (the 0.3 percent hit rate would yield 3,000 usable cards out of one million compromised). In this case, the issuer would be liable for transaction fraud, but would likely seek to shift liability to the merchant where the large-scale PoS compromise took place. 36 Preventing large-scale data breaches The EMV transaction protocol takes place between an EMV-compliant card (debit or credit) and an EMV-compliant PoS device or ATM. By using EMV, PoS devices and/or card issuers will always be able to detect attempted card cloning. However, for reasons of backwards compatibility, non-emv compliant cards can be used on EMV-compliant 8

9 acceptance infrastructures. Similarly, EMV-compliant cards are usable on magstripeonly acceptance devices. Because of this, merchants that have EMV-enabled their PoS acceptance infrastructures can still be a source of card data compromise in case a hacker gains access to PoS software code and can still unknowingly acquire card fraud (see Scenarios 4, 5, and 6). That said, if the U.S. had already migrated to EMV, the consequences of large-scale card compromises, such as the ones recently reported, would have been less severe (see Scenario 6). 37 Beyond EMV compliance, UL believes that the Payment Card Industry (PCI) standards play a vital role in the process of preventing data breaches. PCI Data Security Standard (DSS) controls (a set of technical and operational requirements designed to protect cardholder data 38 ) have been designed to prevent and/or detect a large-scale compromise. To commit such fraud, criminals need a point of ingress to allow for the wide-scale delivery of a compromise, a known vulnerability in the system to allow for the compromise and a point of egress for the exfiltration of the collected data. These points are directly addressed by the PCI DSS requirements, and although compliance is not an absolute guarantee of prevention of such a compromise, we believe that data breaches are far more likely to have resulted from a lack of rigor around one or more of the PCI DSS controls. 39 If hackers were to attempt to collect card data directly from a PoS device, this form of compromise could largely be mitigated through the use of encryption on all cardholder data at the point of interaction (POI) at the PIN Entry Device itself before the data are passed into a PC-based PoS system. Specifically, compliance with the PCI Point-to-Point Encryption (P2PE) requirements, or even just the correct use of Secure Reading and Exchange of Data (SRED)-approved POI devices, would help remove all cardholder data from the PoS environment. This is likely the largest single step retailers can take to protect their customers card data. 40 The combination of PCI and EMV compliance will provide a robust framework against card fraud in both the card-present and CNP domains. IMPACT As the U.S. payments industry transitions from magstripe to EMV cards, a large number of potential security risks will be mitigated. EMV compliance will help ensure that the card account information that flows through a PCI-compliant acquiring infrastructure is genuine and can be authenticated, and an acquiring infrastructure that is compliant with applicable and up-to-date PCI standards should provide sufficient end-to-end protection against card account compromise. UL believes that the combination of PCI and EMV compliance will provide a robust framework against card fraud in both the card-present and CNP domains. During this time of transition in the U.S., we will continue to closely monitor existing and emerging security threats, identify gaps and formulate proactive risk mitigation strategies to help ensure payment security. 41 9

10 SOURCES 1 Riley, M. et al., Missed Alarms and 40 Million Stolen Credit Card Numbers: How Target Blew It, BloombergBusinessweek, 13 Mar Web: 25 June Roman, J., Neiman Marcus Downsizes Breach Estimate, BankInfo Security, 23 Feb Web: 25 June The Path to Payment Security, CardConnect, Web: 13 June White_Paper.pdf. 4 Heggestuen, J., Here s What Will Change When the US Switches Over to the New EMV Chip on Credit Cards, Business Insider, 21 Apr Web: 13 June Ibid. 6 Bron, M., Prevention Is Better Than Cure, UL, White paper, 27 May Ibid. 8 Kepes, B., Target and Neiman Marcus Just the Tip of the Iceberg More Retail Security Breaches to Come, Forbes, 23 Jan Web: 26 June Dahiya, R., Preparing for EMV Cards, Independent Banker, 28 May Web: 13 June EMV: FAQ, Smart Card Alliance, Web: 26 June smartcardalliance.org/pages/publications-emv-faq#q2. 11 Halliday, S.G., Introduction to Magnetic Stripe & Other Card Technologies, High Tech Aid, 24 Apr Web: 26 June tech/card/intro_ms.htm. 12 Urken, R. K., Why Your Credit Card Needs an International Upgrade: The EMV Chip, Daily Finance, 8 Aug Web: 13 June com/2012/08/08/why-your-credit-card-needs-an-international-upgrade-theemv-chi/. 13 EMV: FAQ, Smart Card Alliance, Web: 26 June smartcardalliance.org/pages/publications-emv-faq#q2. 14 Tips for Preventing a Data Breach in Your Business Prepare for EMV Acceptance, Worldpay, Spring Web: 13 June us/merchant-advisor/spring-2014/tips.html. 15 EMV Chip + Fingerprint Technology Combine on SmartMetric Card to Fight Fraud, Marketwired, 4 Feb Web: 12 June marketwired.com/press-release/emv-chip-fingerprint-technology-combineon-smartmetric-card-to-fight-fraud-otcqb-smme htm. 16 EMV Resources, EMV Connection, Web: 13 June EMV: FAQ, Smart Card Alliance, Web: 26 June smartcardalliance.org/pages/publications-emv-faq#q2. 18 Morea, D., EMV in the U.S.: Putting It Into Perspective for Merchants and Financial Institutions, First Data Corporation White paper, Web: 26 June Bron, M., Interview, UL, 5 June Bron, M., Prevention Is Better Than Cure, UL, White paper, 27 May Padilla, L., Track Format of Magnetic Stripe Cards, ACME Technologies, 14 July Web: 26 June credit_cards/magstripe_track_format.html. 22 Bron, M., Prevention Is Better Than Cure, UL, White paper, 27 May Ibid. 24 Ibid. 25 Ibid. 26 Ibid. 27 Ibid. 28 Ibid. 29 Ibid. 30 Ibid. 31 Ibid. 32 What Should You Know About the Switch to EMV? Welch ATM, Web: 12 Nov Bron, M., Interview, UL, 7 Nov Krebs, B., Replay Attacks Spoof Chip Card Charges, Krebs on Security, 27 Oct Web: 12 Nov Bron, M., Prevention Is Better Than Cure, UL, White paper, 27 May Ibid. 37 Ibid. 38 Payment Card Industry (PCI) Data Security Standard, PCI Security Standards Council, Oct Web: 27 June documents/pci_dss_v2.pdf. 39 Bron, M., Prevention Is Better Than Cure, UL, White paper, 27 May Ibid. 41 Ibid. 10

11 TRANSACTION SECURITY ARTICLES MOBILE PAYMENTS SECURING HCE MOBILE PAYMENT SECURITY: BLE OR NFC SECURE PAYMENTS BIOMETRICS FOR PAYMENTS TRANSIT TICKETING CONTACTLESS INTEROPERABILITY IN TRANSIT NEXT GENERATION TRANSIT TICKETING 11

12 To learn more, explore the New Science advances in Indoor Air Quality, Transaction Security, Sustainable Energy, Workplace Health & Safety and Fire Safety. Watch our videos, read our journals, articles and case studies, scroll through our galleries and meet our experts. VISIT US ON UL.COM/NEWSCIENCE New Science Transaction Security cannot be copied, reproduced, distributed or displayed without UL s express written permission. V.17. UL, the UL Logo and NEW SCIENCE are trademarks of UL LLC 2014.