Attacks/Breaches
1/30/2014
12:37 PM
Connect Directly
RSS
E-Mail
50%
50%

Chip-and-PIN Security Push To Pit Retailers Against Banks

While the cost of breaches typically falls on the merchants, card issuers and banks would foot much of the bill for improving the security of the payment-card system

In the wake of widespread hacks of chain-store networks and the theft of credit- and debit-card data from point-of-sale (POS) systems, retailers are lobbying for better payment-card security -- an effort that has caused friction between the merchants and the financial institutions that issue cards.

On Monday, the Retail Industry Leaders Association (RILA) issued a pledge to strengthen the cybersecurity of its members by supporting federal legislation to require breach notification and information sharing, eliminate weak magnetic-stripe payment-card technology, and adopt the more secure chip-and-PIN architecture. The move to payment cards would require that retailers purchase or lease expensive chip-card readers, but the change will cost far more for the financial institutions that issue cards.

Yet without such changes, cybercriminals will continue to be able to defraud the U.S. financial and retail systems, says Brian Dodge, senior vice president of communications and state affairs for RILA.

"We know that criminals are getting better by the day at stealing information, whether it is from retailers or processors or even governments," he says. "So we need to be constantly working to stay ahead of that, and we need to collaborate to get the security of the payment system to keep pace with the criminals."

In late December, retail giant Target acknowledged that online thieves had breached its systems and installed malware on its POS terminals to steal credit- and debit-card data. The attackers collected financial details of approximately 40 million accounts, as well as other personal information on 70 million customers. The retail giant was not the only company hit; attackers have compromised a score of other retailers in the past year, including department store chain Nieman Marcus.

While Target and other retailers have taken the brunt of the criticism for the attacks, the industry has pointed the finger back at financial institutions. Last week, the National Retail Federation, which represents 12,000 retailers worldwide, weighed in on the issue as well, asking Congress to support additional legislation and advocating a change to chip-and-PIN technology.

In its statement, the NRF took solid aim at the financial institutions' history of reticence in adopting chip-and-PIN cards.

"For years, banks have continued to issue fraud-prone magnetic stripe cards to U.S. customers, putting sensitive financial information at risk while simultaneously touting the security benefits of next-generation PIN-and-chip card technology for customers in Europe and dozens of other markets," NRF CEO Matthew Shay said in a statement.

The American Bankers Association, which represents the vast majority of banks in the United States, pointed out in a heated statement that banks are the first line of defense for consumers, and frequently are not reimbursed for their costs caused by fraud.

"When a retailer like Target speaks of its customers having 'zero liability' from fraudulent transactions, it is because our nation's banks are providing that relief, not the retailer that suffered the breach," Frank Keating, president and CEO of the ABA, said in a statement sent to Congressional members (PDF). "It is often the case that banks must explain to their customers what has happened without the bank knowing where the breach has occurred."

The industry is slated to move to a chip-card standard by October 2015. Known as Europay-Mastercard-Visa (EMV), the standard will force retailers to support chip cards, but not require the use of PINs to secure the data on the cards. Offering the option to allow a simple signature for authorization does not protect the data on the card, says RILA's Dodge.

With the number of large breaches escalating, the U.S. payment card ecosystem may finally be ready to move to chip cards secured by PINs, says Avivah Litan, a security analyst with business-intelligence firm Gartner. Attempts to secure the various entities in the payment-card chain through the Payment Card Industry's Data Security Standard (PCI-DSS) have largely failed, she says.

"I think the banks are finally ready to go for it," Litan says. "While it's not a bad standard, PCI is just too prone to failure. We need to put the security where the data is, and that is what chip-and-PIN cards do."

There are at least three hearing on the retail breaches and the need for better cybersecurity in front of congressional committees next week. Both sides of the debate have called for "shared responsibility" moving forward, but whether that means they are willing to work toward speeding chip-and-PIN implementations remains to be seen.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Robert Lemos is a veteran technology journalist of more than 16 years and a former research engineer, writing articles that have appeared in Business Week, CIO Magazine, CNET News.com, Computing Japan, CSO Magazine, Dark Reading, eWEEK, InfoWorld, MIT's Technology Review, ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
macker490
50%
50%
macker490,
User Rank: Ninja
2/6/2014 | 12:52:30 PM
re: Chip-and-PIN Security Push To Pit Retailers Against Banks
no
last i heard the cost of fraud was 6 cents per $100
they just write it off as part of the cost of doing business

as consumers this is un-acceptable as the cost of obtaining a satisfactory correction after an error is way too high

the alternative: use cash.
payment cards are skimming something like 3% off the market but they don't get that if you use cash.

the other advantage to cash is you don't buy so much stuff you don't need.
Drew Conry-Murray
50%
50%
Drew Conry-Murray,
User Rank: Ninja
2/3/2014 | 3:35:03 PM
re: Chip-and-PIN Security Push To Pit Retailers Against Banks
I would think the card-issuing banks would be most interested in getting a chip-and-PIN system in place because they're the ones who have to eat fradulent charges and pay to issue new cards.
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-0334
Published: 2014-10-31
Bundler before 1.7, when multiple top-level source lines are used, allows remote attackers to install arbitrary gems by creating a gem with the same name as another gem in a different source.

CVE-2014-2334
Published: 2014-10-31
Multiple cross-site scripting (XSS) vulnerabilities in the Web User Interface in Fortinet FortiAnalyzer before 5.0.7 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2014-2336.

CVE-2014-2335
Published: 2014-10-31
Multiple cross-site scripting (XSS) vulnerabilities in the Web User Interface in Fortinet FortiManager before 5.0.7 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2014-2336.

CVE-2014-2336
Published: 2014-10-31
Multiple cross-site scripting (XSS) vulnerabilities in the Web User Interface in Fortinet FortiManager before 5.0.7 and FortiAnalyzer before 5.0.7 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2014-2334 and CVE-2014-2335.

CVE-2014-3366
Published: 2014-10-31
SQL injection vulnerability in the administrative web interface in Cisco Unified Communications Manager allows remote authenticated users to execute arbitrary SQL commands via a crafted response, aka Bug ID CSCup88089.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.