Wednesday, August 24, 2011

Tearing off the PCI/DSS Band-aid

More than a quarter of a century ago, while I was still at IBM, I had discussions with staff at Sears, then the nation’s flagship retailer, about their forthcoming credit card. I tried to convince them to take the opportunity to force the industry to replace mag-stripe cards with smart cards. They were Sears, they had the clout, they could make it happen. They didn't and the rest is history.

Now, the nation's new flagship retailers, Wal-Mart, Target, CVS, and McDonalds are making it happen. Sears and K-Mart will come along.

Partly in response to these forward leaning merchants, Visa has announced that it will expand its Technology Innovation Program (TIP) program to the US. They will begin transitioning to EMV standard cards and infrastructure.

Some of you are aware that I have been very critical of the payment card industry for continuing to use the broken mag-stripe and PIN system. By doing so, they have put the necessary public trust and confidence in the retail payment system at risk. I am torn between "what took you so long" and "better late than never."

The EMV (EuroCard, MasterCard, and Visa) technology that Visa plans to use has been in use in the rest of the world for years. It uses a contact-less smart card, and optionally, a signature or PIN. It is already deployed in the US in some markets and the leading retailers already mentioned.

Here is an American Express EMV card that I have had for a couple of years. For reasons of backwards compatibility, it also has a mag-stripe. That is good because I can use it in EMV mode in only a limited number of places. Those places include McDonalds, CVS, Target, and Wal-Mart. it is bad because the vulnerabilities of mag-stripe and PIN will persist for years.

Many of the users of the EMV/POS readers deployed by these flagship merchants are foreign travelers to the US. These retailers have bitten the bullet but they cannot get all of the return on their investment until Americans carry EMV cards.

Therefore, these retailers have been a source of public pressure on the payment card industry to deploy this technology. Wal-Mart has been castigating the payment card issuers for more than a year now for "blocking" the use of this technology. Google Wal-Mart EMV and you can see for yourself.

Of course, "blocking" is stronger rhetoric than I am prepared to use. There is history here and business reasons why the issuers have not used EMV in the US. For example, the reason that Sears did not deploy smart cards was that the barrier to entry was too high; it was far cheaper to exploit the existing infrastructure than to replicate it.

While I understand those reasons, and to some degree am sympathetic, I have argued for some time that we cannot continue to rely on a broken technology for the security of our retail payment system. In the presence of cheaper counterfeiting technology, we have strengthened our currency, and even checks, to the point where cards are now the weak link in our system.

Notice that the merchants in this list are all nation wide chains that operate their own systems for authorizing payments. Part of the resistance in the US is rooted in the fact that most of our small and medium-sized merchants use third-party card service providers to accept card payments. These third-party providers enable them to accept any issuer;s card without having to have a separate agreement with and connection to that provider.

While it is an industry standard, EMV is also proprietary. The issuers share the exact workings, under contract and non-disclosure agreements, only within the industry. The important thing for you and I to know is that the card "signs" the transaction, without disclosing its own identity, the "credit card number," to the POS device. EMV resists skimmers and rogue or compromised POS devices. It resists replay attacks and card cloning attacks.

As with mag-stripe, in some, but not all, transactions, EMV will use PINs and signatures to resist the fraudulent use of lost or stolen cards. Because, the primary protection against the use of lost or stolen cards is disabling it after it is reported lost or stolen, PINs and signatures will not be required for all small value transactions.

For example, when I buy a Big Mac, I simply touch my card to the POS device and check the display and receipt to satisfy myself that I was charged the correct amount. No signature or PIN. If I use the same card to purchase an HDTV, I expect to enter a PIN or sign a transaction slip.

One interesting feature of EMV is that a card can be limited in the number of PIN-less transactions that it can do. An internal counter keeps track of the number of PIN-less transactions. The count is reset to zero for every PIN transaction. If the count reaches the threshold, the next transaction must involve, will prompt for, the PIN.

Because the POS device cannot capture the EMV card number, it is safe to enter a PIN into it. The PIN is only useful with the card or card number. I have long argued against "debit" card transactions where both the card number and the PIN appear in the clear at the point of sale. These are the source for many counterfeit cards.

While it is now relatively cheap to clone a mag-stripe card, knowing only the public number, this is not sufficient to clone an EMV card. Putting aside the fact that it is more expensive to write chips than stripes, cloning the EMV card requires knowledge of its secret token. It is secret for a reason, a security reason.

Another reason the issuers have resisted EMV in the US is that it does not solve the fraudulent "card not present" problem, those on-line transactions where the rogue has the card number but not the card. Most solutions to this problem involve a display and power, expensive, though not impossible, to put on a card.

Oh, I almost forgot about the PCI DSS, the Band-Aid that the issuers have been relying upon to hold their broken system together. Visa has announced that after October 1, 2012, merchants who have 75% or more of their transactions originating on EMV equipped terminals, will be exempt from compliance with DSS for any year for which that is so. This is a big incentive to those third-party card service providers, who have been one of the problems, for whom DSS compliance is so expensive. Their participation and cooperation in EMV is essential.

Some have suggested that merchants will resist replacing their POS devices. Probably true but "resist" only means that they will take their time. McDonalds did not replace their terminals, only added the EMV reader to the top. Check it out, but unless you know that you are looking for a red semicircle at the top of the device, you might miss it. The expense was not so much in this part as in installing it.

While we think of them as capital equipment, POS devices are actually consumables with a life measured in months to years. One can buy the latest feature-rich model, with built in WiFi or cellular communication, for hundreds of dollars. Most merchants buy their POS device from the card service provider who will be motivated to see them upgrade.

I wish I could tell you that everyone is going to love this technology as much as I do but I cannot. In fact, you can expect to hear all kinds of slurs about its security. After all, anything built by man can be broken by man.

For example, two weeks ago, at Black Hat, an NVP (We do not mention the names of NVPs; it feeds their narcissism.) was quoted as saying, "We think an EMV skimmer poses a serious threat, due to ease of installation, and is very difficult to detect." (Sic) First, a skimmer would be a tool, not a threat. Second, it might be easy to build and conceal, but the issue is getting the card to cough up its secret token. There is no command to ask it to do that. A cryptographer will tell you that one could simply ask it to authenticate a lot of transactions, a few million might do it, and then solve for the secret. A security person will tell you that "that will take a long time." it will take so long that it is not practical, much less efficient.

When you read these "expert remarks," remember two things. First, this is a mature technology, used and tested around the world. It is new only to the US market. Second, however vulnerable it may be, it is orders of magnitude stronger than the broken technology which it replaces.

Getting from our current system to EMV will not be without problems. Experience in Europe suggests that many problems will be related to the transition, in general, and backward compatibility to mag-stripe, in particular. Anticipating and mitigating these problems will not be easy but that is why we are called professionals and are paid the big bucks.

1 comment:

  1. What will the effect of this be on all the PCI audit business that is going on? Also, Big Macs are not healthy.