Attacks/Breaches
1/30/2014
12:37 PM
50%
50%

Chip-and-PIN Security Push To Pit Retailers Against Banks

While the cost of breaches typically falls on the merchants, card issuers and banks would foot much of the bill for improving the security of the payment-card system

In the wake of widespread hacks of chain-store networks and the theft of credit- and debit-card data from point-of-sale (POS) systems, retailers are lobbying for better payment-card security -- an effort that has caused friction between the merchants and the financial institutions that issue cards.

On Monday, the Retail Industry Leaders Association (RILA) issued a pledge to strengthen the cybersecurity of its members by supporting federal legislation to require breach notification and information sharing, eliminate weak magnetic-stripe payment-card technology, and adopt the more secure chip-and-PIN architecture. The move to payment cards would require that retailers purchase or lease expensive chip-card readers, but the change will cost far more for the financial institutions that issue cards.

Yet without such changes, cybercriminals will continue to be able to defraud the U.S. financial and retail systems, says Brian Dodge, senior vice president of communications and state affairs for RILA.

"We know that criminals are getting better by the day at stealing information, whether it is from retailers or processors or even governments," he says. "So we need to be constantly working to stay ahead of that, and we need to collaborate to get the security of the payment system to keep pace with the criminals."

In late December, retail giant Target acknowledged that online thieves had breached its systems and installed malware on its POS terminals to steal credit- and debit-card data. The attackers collected financial details of approximately 40 million accounts, as well as other personal information on 70 million customers. The retail giant was not the only company hit; attackers have compromised a score of other retailers in the past year, including department store chain Nieman Marcus.

While Target and other retailers have taken the brunt of the criticism for the attacks, the industry has pointed the finger back at financial institutions. Last week, the National Retail Federation, which represents 12,000 retailers worldwide, weighed in on the issue as well, asking Congress to support additional legislation and advocating a change to chip-and-PIN technology.

In its statement, the NRF took solid aim at the financial institutions' history of reticence in adopting chip-and-PIN cards.

"For years, banks have continued to issue fraud-prone magnetic stripe cards to U.S. customers, putting sensitive financial information at risk while simultaneously touting the security benefits of next-generation PIN-and-chip card technology for customers in Europe and dozens of other markets," NRF CEO Matthew Shay said in a statement.

The American Bankers Association, which represents the vast majority of banks in the United States, pointed out in a heated statement that banks are the first line of defense for consumers, and frequently are not reimbursed for their costs caused by fraud.

"When a retailer like Target speaks of its customers having 'zero liability' from fraudulent transactions, it is because our nation's banks are providing that relief, not the retailer that suffered the breach," Frank Keating, president and CEO of the ABA, said in a statement sent to Congressional members (PDF). "It is often the case that banks must explain to their customers what has happened without the bank knowing where the breach has occurred."

The industry is slated to move to a chip-card standard by October 2015. Known as Europay-Mastercard-Visa (EMV), the standard will force retailers to support chip cards, but not require the use of PINs to secure the data on the cards. Offering the option to allow a simple signature for authorization does not protect the data on the card, says RILA's Dodge.

With the number of large breaches escalating, the U.S. payment card ecosystem may finally be ready to move to chip cards secured by PINs, says Avivah Litan, a security analyst with business-intelligence firm Gartner. Attempts to secure the various entities in the payment-card chain through the Payment Card Industry's Data Security Standard (PCI-DSS) have largely failed, she says.

"I think the banks are finally ready to go for it," Litan says. "While it's not a bad standard, PCI is just too prone to failure. We need to put the security where the data is, and that is what chip-and-PIN cards do."

There are at least three hearing on the retail breaches and the need for better cybersecurity in front of congressional committees next week. Both sides of the debate have called for "shared responsibility" moving forward, but whether that means they are willing to work toward speeding chip-and-PIN implementations remains to be seen.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Robert Lemos is a veteran technology journalist of more than 16 years and a former research engineer, writing articles that have appeared in Business Week, CIO Magazine, CNET News.com, Computing Japan, CSO Magazine, Dark Reading, eWEEK, InfoWorld, MIT's Technology Review, ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
macker490
50%
50%
macker490,
User Rank: Ninja
2/6/2014 | 12:52:30 PM
re: Chip-and-PIN Security Push To Pit Retailers Against Banks
no
last i heard the cost of fraud was 6 cents per $100
they just write it off as part of the cost of doing business

as consumers this is un-acceptable as the cost of obtaining a satisfactory correction after an error is way too high

the alternative: use cash.
payment cards are skimming something like 3% off the market but they don't get that if you use cash.

the other advantage to cash is you don't buy so much stuff you don't need.
Drew Conry-Murray
50%
50%
Drew Conry-Murray,
User Rank: Ninja
2/3/2014 | 3:35:03 PM
re: Chip-and-PIN Security Push To Pit Retailers Against Banks
I would think the card-issuing banks would be most interested in getting a chip-and-PIN system in place because they're the ones who have to eat fradulent charges and pay to issue new cards.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-5208
Published: 2014-12-22
BKBCopyD.exe in the Batch Management Packages in Yokogawa CENTUM CS 3000 through R3.09.50 and CENTUM VP through R4.03.00 and R5.x through R5.04.00, and Exaopc through R3.72.10, does not require authentication, which allows remote attackers to read arbitrary files via a RETR operation, write to arbit...

CVE-2014-7286
Published: 2014-12-22
Buffer overflow in AClient in Symantec Deployment Solution 6.9 and earlier on Windows XP and Server 2003 allows local users to gain privileges via unspecified vectors.

CVE-2014-8015
Published: 2014-12-22
The Sponsor Portal in Cisco Identity Services Engine (ISE) allows remote authenticated users to obtain access to an arbitrary sponsor's guest account via a modified HTTP request, aka Bug ID CSCur64400.

CVE-2014-8017
Published: 2014-12-22
The periodic-backup feature in Cisco Identity Services Engine (ISE) allows remote attackers to discover backup-encryption passwords via a crafted request that triggers inclusion of a password in a reply, aka Bug ID CSCur41673.

CVE-2014-8018
Published: 2014-12-22
Multiple cross-site scripting (XSS) vulnerabilities in Business Voice Services Manager (BVSM) pages in the Application Software in Cisco Unified Communications Domain Manager 8 allow remote attackers to inject arbitrary web script or HTML via a crafted URL, aka Bug IDs CSCur19651, CSCur18555, CSCur1...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.