Attacks/Breaches

1/30/2014
12:37 PM
50%
50%

Chip-and-PIN Security Push To Pit Retailers Against Banks

While the cost of breaches typically falls on the merchants, card issuers and banks would foot much of the bill for improving the security of the payment-card system

In the wake of widespread hacks of chain-store networks and the theft of credit- and debit-card data from point-of-sale (POS) systems, retailers are lobbying for better payment-card security -- an effort that has caused friction between the merchants and the financial institutions that issue cards.

On Monday, the Retail Industry Leaders Association (RILA) issued a pledge to strengthen the cybersecurity of its members by supporting federal legislation to require breach notification and information sharing, eliminate weak magnetic-stripe payment-card technology, and adopt the more secure chip-and-PIN architecture. The move to payment cards would require that retailers purchase or lease expensive chip-card readers, but the change will cost far more for the financial institutions that issue cards.

Yet without such changes, cybercriminals will continue to be able to defraud the U.S. financial and retail systems, says Brian Dodge, senior vice president of communications and state affairs for RILA.

"We know that criminals are getting better by the day at stealing information, whether it is from retailers or processors or even governments," he says. "So we need to be constantly working to stay ahead of that, and we need to collaborate to get the security of the payment system to keep pace with the criminals."

In late December, retail giant Target acknowledged that online thieves had breached its systems and installed malware on its POS terminals to steal credit- and debit-card data. The attackers collected financial details of approximately 40 million accounts, as well as other personal information on 70 million customers. The retail giant was not the only company hit; attackers have compromised a score of other retailers in the past year, including department store chain Nieman Marcus.

While Target and other retailers have taken the brunt of the criticism for the attacks, the industry has pointed the finger back at financial institutions. Last week, the National Retail Federation, which represents 12,000 retailers worldwide, weighed in on the issue as well, asking Congress to support additional legislation and advocating a change to chip-and-PIN technology.

In its statement, the NRF took solid aim at the financial institutions' history of reticence in adopting chip-and-PIN cards.

"For years, banks have continued to issue fraud-prone magnetic stripe cards to U.S. customers, putting sensitive financial information at risk while simultaneously touting the security benefits of next-generation PIN-and-chip card technology for customers in Europe and dozens of other markets," NRF CEO Matthew Shay said in a statement.

The American Bankers Association, which represents the vast majority of banks in the United States, pointed out in a heated statement that banks are the first line of defense for consumers, and frequently are not reimbursed for their costs caused by fraud.

"When a retailer like Target speaks of its customers having 'zero liability' from fraudulent transactions, it is because our nation's banks are providing that relief, not the retailer that suffered the breach," Frank Keating, president and CEO of the ABA, said in a statement sent to Congressional members (PDF). "It is often the case that banks must explain to their customers what has happened without the bank knowing where the breach has occurred."

The industry is slated to move to a chip-card standard by October 2015. Known as Europay-Mastercard-Visa (EMV), the standard will force retailers to support chip cards, but not require the use of PINs to secure the data on the cards. Offering the option to allow a simple signature for authorization does not protect the data on the card, says RILA's Dodge.

With the number of large breaches escalating, the U.S. payment card ecosystem may finally be ready to move to chip cards secured by PINs, says Avivah Litan, a security analyst with business-intelligence firm Gartner. Attempts to secure the various entities in the payment-card chain through the Payment Card Industry's Data Security Standard (PCI-DSS) have largely failed, she says.

"I think the banks are finally ready to go for it," Litan says. "While it's not a bad standard, PCI is just too prone to failure. We need to put the security where the data is, and that is what chip-and-PIN cards do."

There are at least three hearing on the retail breaches and the need for better cybersecurity in front of congressional committees next week. Both sides of the debate have called for "shared responsibility" moving forward, but whether that means they are willing to work toward speeding chip-and-PIN implementations remains to be seen.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
macker490
50%
50%
macker490,
User Rank: Ninja
2/6/2014 | 12:52:30 PM
re: Chip-and-PIN Security Push To Pit Retailers Against Banks
no
last i heard the cost of fraud was 6 cents per $100
they just write it off as part of the cost of doing business

as consumers this is un-acceptable as the cost of obtaining a satisfactory correction after an error is way too high

the alternative: use cash.
payment cards are skimming something like 3% off the market but they don't get that if you use cash.

the other advantage to cash is you don't buy so much stuff you don't need.
Drew Conry-Murray
50%
50%
Drew Conry-Murray,
User Rank: Ninja
2/3/2014 | 3:35:03 PM
re: Chip-and-PIN Security Push To Pit Retailers Against Banks
I would think the card-issuing banks would be most interested in getting a chip-and-PIN system in place because they're the ones who have to eat fradulent charges and pay to issue new cards.
Russia Hacked Clinton's Computers Five Hours After Trump's Call
Robert Lemos, Technology Journalist/Data Researcher,  4/19/2019
Tips for the Aftermath of a Cyberattack
Kelly Sheridan, Staff Editor, Dark Reading,  4/17/2019
Why We Need a 'Cleaner Internet'
Darren Anstee, Chief Technology Officer at Arbor Networks,  4/19/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-11486
PUBLISHED: 2019-04-23
The Siemens R3964 line discipline driver in drivers/tty/n_r3964.c in the Linux kernel before 5.0.8 has multiple race conditions.
CVE-2019-11487
PUBLISHED: 2019-04-23
The Linux kernel before 5.1-rc5 allows page->_refcount reference count overflow, with resultant use-after-free issues, if about 140 GiB of RAM exists. This is related to fs/fuse/dev.c, fs/pipe.c, fs/splice.c, include/linux/mm.h, include/linux/pipe_fs_i.h, kernel/trace/trace.c, mm/gup.c, and mm/hu...
CVE-2018-7576
PUBLISHED: 2019-04-23
Google TensorFlow 1.6.x and earlier is affected by: Null Pointer Dereference. The type of exploitation is: context-dependent.
CVE-2018-8825
PUBLISHED: 2019-04-23
Google TensorFlow 1.7 and below is affected by: Buffer Overflow. The impact is: execute arbitrary code (local).
CVE-2019-10688
PUBLISHED: 2019-04-23
VVX products using UCS software version 5.8.0 and earlier with Better Together over Ethernet Connector (BToE) application version 3.8.0 and earlier uses hard-coded credentials to establish a connection between the host application and device.