Prevention Is Better Than Cure: EMV and PCI


An independent view on the effectiveness of EMV and PCI in case of large-scale card compromise

Over the past couple of months, millions of consumers in the United States fell victim to a so-called payment card data breach. A payment card data breach is the situation where fraudsters are able to gain access, on a large scale, to the information stored on debit or credit cards with the aim of selling this information on the black market or of directly performing fraudulent transactions. Exactly how and when consumers become victims of a payment card data breach depends on how attackers plot their attack. If a particular merchant chain is compromised, all consumers that used their payment card at these retail locations are at risk. Worse still, if a payment processing company is compromised, then the transactions at thousands of individual retail locations from a variety of chains can be at risk. A payment card breach usually goes unnoticed by consumers until the moment transactions they do not recognise start to appear on the card statement.

The 'realistic worst-case scenario'

Even though the way in which data breaches are plotted and executed may differ from case to case, the nature of the (card) data that fraudsters are able to exfiltrate is often the same:

- Fraudsters are able to obtain full Track II data of every card that was swiped at the compromised PoS device.
- Fraudsters are able to record encrypted PIN data for every card transaction that was PIN-based; however, fraudsters are not able to break the encryption and subsequently get access to actual PIN numbers. [1]

[1] In theory fraudsters can get access to actual PIN numbers by breaking DUKPT-based Triple DES cryptography, by installing spy cams, or by attacking and breaking into PIN pad devices. However, based on UL's professional expertise, none of these attacks is viable enough for a large-scale, nationwide compromise of consumers' PIN numbers.

What the fraudsters can and cannot do with the stolen data

Fraudsters can use the stolen card data to create a counterfeit copy of the original card. However, whether this card can be successfully used in a fraudulent transaction depends on two factors:

- the type of card that was compromised, and
- the usage environment where the fraudster will subsequently attempt to commit fraud.

This yields the following matrix (its twelve cells are discussed as scenarios 1 to 12 below):

The use of EMV technology in ATMs, PoS devices, and cards makes transactions less susceptible to fraud through skimming and digital pickpocketing. Until the moment where all ATMs, PoS devices and cards have been made EMV compliant, the industry is still at risk. The extent of this risk is shown in the matrix, where a payment card (shown horizontally) falls victim to digital pickpocketing at a non-EMV compliant PoS device. Depending on the usage environment of the stolen card data (vertically), there may be a certain degree of risk involved.

Scenario 1: swipe and PIN transaction was compromised. Fraud is attempted at a Magstripe PoS device

This will be the most likely form of fraud resulting from a large-scale PoS compromise. A fraudster is able to create a copy of the compromised card and to use it in Card Present situations using his own signature. The issuer will have no way of telling the difference between a transaction with the genuine card and one with the cloned card. The issuer will be liable for the fraud, but may seek to shift liability to the merchant that was the source of the card data compromise. Acquirers can take additional measures to limit exposure to this kind of fraud. For instance, PoS software can be modified to require merchants to enter the last four digits of the embossed PAN prior to authorization, as this makes it more difficult for a fraudster to create a cloned card using compromised card data, although it is relatively easy nowadays for fraudsters to obtain embossing equipment. Another fraud mitigation method is to ask customers for photo ID to check against the name on the supplied card, but of course this slows down the transaction and is therefore a direct cost to the business.

Scenario 2: swipe and PIN transaction was compromised. Fraud is attempted at a Magstripe PoS device

In this scenario, the ability of the fraudster to commit fraud depends on the card type and issuer rules. As the PIN has not been compromised, the fraudster must use signature-based, or no-CVM, transactions. Some issuers do allow their debit cards to be authorized using signature, or to be authorized without PIN or signature (no CVM, for low-ticket transactions). In those circumstances, the transaction is at risk. [2]

Scenario 3: transaction with EMV card was compromised. Fraud is attempted at a Magstripe PoS device

In this scenario, whether or not a fraudster can commit fraud is determined by the issuer of the card. The issuer will be able to detect, based on the POS Entry Mode data element in Field 55, that the card is used in a Magstripe-only terminal. Since this was originally an EMV card, this transaction may fall under the EMV liability shift regime (depending on region). The issuer may choose to decline the transaction, in which case no fraudulent transaction takes place. If the issuer chooses to approve the transaction, fraud occurs and local liability shift rules determine whether the issuer or the acquirer is liable for the fraud.

Scenario 4: swipe and signature transaction was compromised. Fraud is attempted at an EMV compliant PoS device

This case follows the same rationale as Scenario 2. The fraudulent card can be successfully used, even though the PoS device is EMV compliant.

Scenario 5: swipe and PIN transaction was compromised. Fraud is attempted at an EMV compliant PoS device

In this case, the same rationale as Scenario 1 applies, under the assumption that the EMV compliant PoS device is still capable of reading magstripe. Depending on the allowed CVMs on a debit or credit card, transactions with a fraudulent card can potentially be authorized. [3]

Scenario 6: transaction with EMV card was compromised. Fraud is attempted at an EMV-compliant PoS terminal

Whether or not a fraudster is able to successfully commit fraud depends on regional fallback rules. To the EMV PoS device, the fraudulent card will look like an EMV card of which the chip is damaged: the service code on Magstripe Track II indicates the presence of a chip, but the PoS device is not able to read a chip, hence the transaction may qualify for fallback under the applicable fallback rules. If fallback is not allowed, the fraudster will not be able to complete the transaction. If fallback is allowed, the transaction will be authorized by the issuer, given that there are sufficient funds available on the account. If fallback is going to be allowed in North America during the initial stages of EMV migration, scenario 6 should be colored orange (potentially at risk).

Scenarios 7, 8, and 9 (ATM usage)

The fraudster will not be able to successfully use the cloned card at an ATM, as this requires a correct PIN to be entered. In theory, a fraudster has three PIN attempts per compromised card. Because of the impractical nature of such attempted ATM fraud, it is fair to assume that large-scale card compromise is not going to cause an increase in fraudulent cash withdrawals.

[2] Issuers may have legacy fraud controls implemented, such as the time and geo-location at which two subsequent transactions with the same card number take place.
[3] In mature EMV markets, support for magstripe acceptance is sometimes no longer allowed. In North America there will be a transition period in which acceptance devices will support magstripe as well as EMV technologies.
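The three checks that scenarios 1, 3 and 6 hinge on can be made concrete in code: parsing Track II, reading the chip flag from the service code, deciding what an issuer does when a chip card shows up on a magstripe channel, and the acquirer-side last-four-digits check. The following is an added Python example, not UL's code or any scheme's reference implementation. The Track 2 layout and service-code meaning follow ISO/IEC 7813; the POS entry mode values "05", "90" and "80" are assumed common ISO 8583 conventions and should be checked against your network's specification; all card data is constructed.

```python
"""Track 2 parsing and the issuer/acquirer checks discussed in scenarios 1 to 6.

Added example for this memo; it is not UL code. The service-code meaning
(first digit 2 or 6 = chip present) follows ISO/IEC 7813; the POS entry mode
codes are assumed ISO 8583 conventions. All card data below is constructed.
"""
import re
from dataclasses import dataclass

# Constructed sample Track 2 data (start sentinel ';', field separator '=',
# end sentinel '?'; LRC omitted). Neither PAN belongs to a real card.
SAMPLE_MAGSTRIPE_ONLY = ";4000001234567899=27121011234567890?"  # service code 101
SAMPLE_CHIP_CARD = ";5100001234567891=27122011234567890?"       # service code 201

# PAN, then '=' then YYMM expiry, 3-digit service code, discretionary data.
# Note what is absent: CVV2/CVC2 is printed on the card only and never written
# to the stripe, which is why scenarios 10-12 start from "in theory".
TRACK2_RE = re.compile(
    r"^;?(?P<pan>\d{12,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\??$"
)


@dataclass
class Track2:
    pan: str
    expiry_yymm: str
    service_code: str
    discretionary: str

    @property
    def chip_capable(self) -> bool:
        # First service-code digit 2 (international) or 6 (national) signals
        # that an IC is present; this is the flag scenario 6 relies on.
        return self.service_code[0] in ("2", "6")


def parse_track2(raw: str) -> Track2:
    match = TRACK2_RE.match(raw.strip())
    if not match:
        raise ValueError("not a well-formed Track 2 string")
    return Track2(match["pan"], match["exp"], match["svc"], match["disc"])


# POS entry mode values (assumption: common ISO 8583 DE 22 usage).
CHIP_READ, MAGSTRIPE_READ, FALLBACK = "05", "90", "80"


def issuer_decision(track: Track2, pos_entry_mode: str, fallback_allowed: bool) -> str:
    """Strict issuer policy for a card-present authorization.

    Returns a short decision label; the caller maps it to a response code.
    """
    if pos_entry_mode == CHIP_READ:
        # Genuine chip read: the cryptogram, not the track data, authenticates
        # the card, so cloned track data is of no use here.
        return "approve_emv"
    if not track.chip_capable:
        # Scenarios 1 and 2: a clone of a magstripe-only card is indistinguishable
        # from the genuine card; only CVM rules and legacy fraud controls remain.
        return "approve_subject_to_cvm"
    if pos_entry_mode == FALLBACK and fallback_allowed:
        # Scenario 6 with fallback permitted: the memo's "orange" cell.
        return "approve_fallback_at_risk"
    # Scenario 3 (chip card swiped at a magstripe-only terminal) or scenario 6
    # without fallback: decline, and the liability shift applies.
    return "decline_chip_card_swiped"


def last_four_matches(track: Track2, keyed_last_four: str) -> bool:
    """Scenario 1 mitigation: the clerk keys the last four embossed digits and
    the PoS compares them with the PAN read from the stripe."""
    return (
        len(keyed_last_four) == 4
        and keyed_last_four.isdigit()
        and track.pan.endswith(keyed_last_four)
    )


if __name__ == "__main__":
    chip = parse_track2(SAMPLE_CHIP_CARD)
    swipe = parse_track2(SAMPLE_MAGSTRIPE_ONLY)
    print("chip card swiped at magstripe terminal:",
          issuer_decision(chip, MAGSTRIPE_READ, fallback_allowed=False))
    print("chip card, fallback allowed:",
          issuer_decision(chip, FALLBACK, fallback_allowed=True))
    print("magstripe-only card swiped:",
          issuer_decision(swipe, MAGSTRIPE_READ, fallback_allowed=False))
    print("clerk keyed 7891 for chip card:", last_four_matches(chip, "7891"))
```

The decision function is deliberately strict: a chip-capable card arriving with a plain magstripe read is declined outright, which is the "issuer may choose to decline" branch of scenario 3. The last-four check is cheap to add to PoS software but, as the memo notes, only raises the bar for a fraudster with embossing equipment; it does not make the clone detectable to the issuer.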

Scenarios 10, 11, and 12 (Internet Card Not Present usage)

In theory, the data that is stolen from cards by compromising a PoS device cannot be used for Card Not Present internet purchases. This is because a compromised PoS device only gives access to Magstripe Track II data, which does not contain the so-called security code (referred to as CVV2 or CVC2 data) printed on the signature panel of the card. However, reality shows that under certain circumstances a fraudster will be able to successfully commit fraud with the data gathered through a large-scale PoS compromise:

- In some cases, the web merchant that accepts card payments does not require entry of a security code in order to complete a transaction. A fraudster will be able to successfully use compromised card data for purchases. Since the merchant does not provide all the data that it is supposed to (CVC2), liability is with the merchant in this case.
- Some issuers do not validate the value of the CVC2 data. Here too, a fraudster will be able to successfully use compromised card data for CNP purchases. In this case, the issuer will have no means to shift liability to another party.
- A statistical attack vector also exists in case of a large-scale PoS compromise. The CVC2 code is a three-digit numerical value, giving it 1,000 possible values. Most issuers allow for three subsequent CVC2 validation attempts before fraud is suspected and authorization is declined, which gives a fraudster a chance of around 0.3% per card of a successful CNP transaction. In case the data of millions of payment cards is stolen, fraudsters have a large statistical chance of committing fraud in CNP environments. In this case, the issuer is liable for the transaction fraud but will seek means to shift liability to the merchant where the large-scale PoS compromise took place.

Could EMV have prevented this large-scale compromise?

EMV is a digital transaction protocol and as such is not a measure that prevents fraudsters from gaining access to PoS devices and installing malicious software. The EMV transaction protocol, however, introduces a cryptographically secured means of determining the authenticity of debit and credit cards: the PoS device and/or card issuer will always be able to detect attempted card cloning. The EMV transaction protocol takes place between an EMV-compliant card (debit or credit) and an EMV-compliant PoS device or ATM. For reasons of backwards compatibility, non-EMV compliant cards can be used on EMV-compliant acceptance infrastructure. For a similar reason, EMV-compliant cards can be used on Magstripe-only acceptance devices. Therefore the following points are worth noting:

- Merchants that have EMV-enabled their PoS acceptance infrastructure can still be a source of card data compromise in case a fraudster manages to gain access to the PoS software code. EMV compliance provides protection against the EMV liability shift; it does not provide protection against card compromise liability.
- Merchants that have EMV-enabled their PoS acceptance infrastructure can still unknowingly acquire card fraud (see scenarios 4, 5, and 6). As long as this merchant was not the source of the large-scale card compromise, this merchant will not be held liable for this acquired fraud.
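The three CNP bullets above describe what an issuer's CVC2 handling has to get right: reject attempts after the allowed number of mismatches, treat a missing code as a merchant problem rather than an automatic approval, and understand why a 0.3% per-card chance still matters across millions of cards. The following is an added Python example of an issuer-side CVC2 guard, not UL code and not any issuer's real authorization logic. The stored-code dictionary is a stand-in for an HSM-based CVC2 verification (issuers do not keep CVC2 values in a plain table), and all PANs, codes and the authorization stream are constructed.

```python
"""Issuer-side CVC2 failure counting for Card Not Present authorizations.

Added example for this memo (not UL code). It models the memo's figures:
a 3-digit CVC2 gives 1,000 values, and allowing three attempts before declining
gives roughly 0.3% per compromised card. The stored-code dictionary is a
stand-in for HSM-based CVC2 verification. All PANs and codes are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


def success_chance_per_card(attempts_allowed: int = 3, code_space: int = 1000) -> float:
    """Chance that a fraudster hits the CVC2 within the allowed attempts."""
    return attempts_allowed / code_space          # 3 / 1000 = 0.003


def expected_cnp_successes(cards_compromised: int, attempts_allowed: int = 3) -> float:
    """Expected number of cards for which guessing succeeds: this is how a breach
    of millions of cards turns a tiny per-card chance into real CNP losses."""
    return cards_compromised * success_chance_per_card(attempts_allowed)


@dataclass
class Cvc2Guard:
    stored_cvc2: Dict[str, str]              # PAN -> CVC2 (stand-in for HSM check)
    max_failures: int = 3
    failures: Dict[str, int] = field(default_factory=lambda: defaultdict(int))
    locked: set = field(default_factory=set)

    def authorize(self, pan: str, presented_cvc2: Optional[str]) -> str:
        if pan in self.locked:
            return "decline_locked"
        if presented_cvc2 is None:
            # Merchant sent no security code (first CNP bullet): the memo puts
            # liability on the merchant; refer rather than approve blindly.
            return "refer_no_cvc2"
        if presented_cvc2 == self.stored_cvc2.get(pan):
            return "approve"
        self.failures[pan] += 1
        if self.failures[pan] >= self.max_failures:
            # Limit reached: lock the PAN so a later correct guess is declined.
            self.locked.add(pan)
            return "decline_locked"
        return "decline_cvc2_mismatch"


# Constructed CNP authorization stream: (PAN, CVC2 presented by merchant).
STORED = {"4000001234567899": "123", "5100001234567891": "456"}
ATTEMPTS: List[Tuple[str, Optional[str]]] = [
    ("4000001234567899", "999"),   # mismatch 1
    ("4000001234567899", "000"),   # mismatch 2
    ("4000001234567899", "111"),   # mismatch 3: limit reached, PAN locked
    ("4000001234567899", "123"),   # correct code, but the PAN is already locked
    ("5100001234567891", "456"),   # legitimate cardholder
    ("5100001234567891", None),    # merchant that does not collect CVC2
]


def run(attempts=ATTEMPTS, stored=STORED) -> List[str]:
    guard = Cvc2Guard(dict(stored))
    return [guard.authorize(pan, code) for pan, code in attempts]


if __name__ == "__main__":
    for (pan, code), decision in zip(ATTEMPTS, run()):
        print(f"...{pan[-4:]} cvc2={code!s:>4}: {decision}")
    print("per-card chance:", success_chance_per_card())
    print("expected successes over 1,000,000 cards:", expected_cnp_successes(1_000_000))
```

The lock is keyed on the PAN rather than on the merchant or source address, because in the breach scenario the attempts for one card can arrive from many unrelated web merchants; the memo's remedial list (disabling CNP authorizations for compromised card ranges) is the same idea applied to a whole range at once.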

What is the role of PCI here?

PCI DSS controls have been designed to prevent and/or detect a large-scale compromise. To commit any such fraud, the criminals need a point of ingress to allow for the wide-scale delivery of a compromise, a known vulnerability in the system to allow for the compromise, and a point of egress for the exfiltration of the collected data. These points are directly addressed by the PCI DSS requirements, and although compliance is not an absolute guarantee of prevention of such a compromise, it would not be unexpected to find that any such compromise has resulted from a lack of rigor around one or more of the PCI DSS controls. In case fraudsters manage to collect card data directly from the PoS device, it can be expected that encryption of all cardholder data at the POI (the PIN Entry Devices themselves), prior to the data being passed into the PC-based POS systems, would have largely mitigated this form of compromise. Therefore, compliance with the PCI P2PE requirements, or even just correct use of SRED-approved POI devices to remove all cardholder data from the POS environment, is likely the largest single step that any retailer can take to protect their customers' card data.

Conclusion

As presented in this memo, an acquiring infrastructure that is compliant with applicable and up-to-date PCI standards (PCI DSS, PA-DSS, PTS etc.) should provide sufficient end-to-end protection against card account compromise. In a similar fashion, EMV compliance will ensure that the card account information that flows through such acquiring infrastructure is genuine and can be authenticated. The combination of PCI and EMV compliance provides a robust framework against card fraud in the card present as well as the card not present domain. In case the US had already migrated to EMV, the consequences of large-scale card compromise such as the ones recently reported would have been less severe (see scenario 6). For now, the US payments industry is implementing remedial actions to avoid fraud resulting from data breaches. UL foresees (a combination of) the following remedial actions:

- Reissuance of those cards that may have been subject to fraud, plus blacklisting of compromised card ranges (issuer action)
- Tightened spending controls for those cards that may have been subject to fraud (issuer action)
- Disabling Card Not Present authorizations for those cards that may have been compromised (issuer action)
- Requiring CVC2 entry for Point Of Sale purchases (has impact on the issuing as well as the acquiring side)
- Requiring the merchant to enter the last four digits of the PAN during a PoS transaction (acquirer action)
- Requiring the merchant to verify the (part of the) PAN which is printed on the receipt against the PAN embossed or engraved on the card

Want to know more? UL's EMV, PCI and security experts are happy to assist. Please visit our website for locations and contact details or email info@ul-ts.com.