Vulnerabilities / Threats
01:04 PM

Visa Pushes PIN Requirement With Credit Card Purchases

European consumers are used to this drill, but now Visa is putting its muscle behind increased security measures in the United States.

Get ready to enter a personal identification number (PIN) code every time you present your credit or debit card to make a purchase.

This week, Visa announced that it's putting its muscle behind the adoption of "chip and PIN" capabilities in U.S. credit cards, which require in-person purchasers to input a PIN code into a point-of-sale machine before the card can be used. Also known as EMV--for Europay, MasterCard, and Visa, referring to their global standard for integrated circuit chips built into cards--the U.S. chip will include contactless chip technology, laying the groundwork for greater adoption of mobile payments using near-field communications (NFC).

"By encouraging investments in EMV contact and contactless chip technology, we will speed up the adoption of mobile payments as well as improve international interoperability and security," said Jim McCarthy, global head of product for Visa, in a statement.

To help nudge merchants to invest in the required, new point-of-sale equipment, Visa said that starting in October 2012, any merchant that processes at least 75% of its Visa transactions via terminals that are compatible with cards carrying the new chips will be exempt from having to validate their compliance with the Payment Card Industry Data Security Standard (PCI DSS). By April 2013, meanwhile, Visa will require U.S. service providers and processors to support merchants' chip transactions.

Finally, beginning in October 2017, Visa said that for merchants who sell fuel, it will transfer the liability for fraudulent transactions to the merchant's bank, if the merchant isn't using contact and contactless chip technology at the point of sale. In the United States, credit card companies now mostly absorb those fraud-related costs.

EMV technology is already in wide use in Europe. Why is it only now making it to the United States? "There have been a number of factors that have held back the U.S. market for moving towards EMV," said Randy Vanderhoof, executive director of the Smart Card Alliance, an industry association, in an interview. "Most of them are economic, where the U.S. market has been utilizing the intelligence in the payments networks, and doing risk scoring of online transactions as a way to prevent fraud, and has done a pretty good job of keeping fraud rates down. They also implemented some pretty strict security rules on merchants, to try and harden the networks, to try and protect static data."

But the new push for EMV is a tacit nod to those approaches having failed. "The techniques that fraudsters are applying now, using hacking tools to harvest millions of accounts at a time, and requiring issuers to have to reissue tens of millions of cards, just on the possibility that some of those cards might be counterfeit, has created a lot of pressure to make some changes," he said.

Current estimates are that there are 650 million to 750 million active credit and debit cards in the United States. PCI, of course, was supposed to help secure those credit card details, by protecting how the card data was acquired and stored. But studies suggest that PCI never took off; only one-third of covered companies fully comply, and enforcement actions by companies such as Visa appear to be rare.

At the same time, there's now a burgeoning market in stolen credit card data, which sells for as little as $2 per card, though security researchers have recently said that an oversupply of such data may have further driven down prices. With the wide availability of stolen credit card details on the black market, perhaps it's not surprising that since 2009, credit card fraud has increased by 62%.

Without a doubt, EMV will be a security step forward for the United States. But the technology isn't bulletproof, even for card-present transactions. Last week at the Black Hat conference, a UBM TechWeb event in Las Vegas, for example, security researcher Andrea Barisani of Inverse Path demonstrated a card-skimming attack that works against EMV cards, even though their passwords are encrypted. The attack, which sneaks a chip into point-of-sale, EMV-compatible readers, which are supposedly tamperproof, was discovered in the wild.

"We think an EMV skimmer poses a serious threat, due to ease of installation, and is very difficult to detect," said Barisani. "There have been reported chip-skimmer installations dated 2008, being seen in the wild," he said. But it's often impossible for someone to tell if a point-of-sale terminal had been tampered with.

In response to his card-skimming research, Barisani said that some card organizations, such as EMVCo, have said that any such flaws would be mitigated through other means. Meanwhile, MasterCard has said that it would be too difficult at this point to overhaul EMV. But the Netherlands appears to have blocked this type of attack via a point-of-sale machine firmware upgrade that disables plaintext PIN verification for Dutch cards. As a result, a card skimmer can't read the PIN code.

In this new Tech Center report, we profile five database breaches--and extract the lessons to be learned from each. Plus: A rundown of six technologies to reduce your risk. Download it here (registration required).

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2015-02-26
Cross-site scripting (XSS) vulnerability in the live preview in the Panopoly Magic module before 7.x-1.17 for Drupal allows remote authenticated users to inject arbitrary web script or HTML via a pane title.

Published: 2015-02-26
Unrestricted file upload vulnerability in the Avatar Uploader module before 6.x-1.3 for Drupal allows remote authenticated users to execute arbitrary PHP code by uploading a file with a PHP extension, then accessing it via unspecified vectors.

Published: 2015-02-26
Cross-site scripting (XSS) vulnerability in unspecified administration pages in the Term Queue module before 6.x-1.1 for Drupal allows remote attackers to inject arbitrary web script or HTML via unknown vectors.

Published: 2015-02-26
Multiple cross-site request forgery (CSRF) vulnerabilities in the CrossSlide jQuery (crossslide-jquery-plugin-for-wordpress) plugin 2.0.5 for WordPress allow remote attackers to hijack the authentication of administrators for requests that (1) change plugin settings or conduct cross-site scripting (...

Published: 2015-02-26
SQL injection vulnerability in the ajax_survey function in settings.php in the WordPress Survey and Poll plugin 1.1.7 for Wordpress allows remote attackers to execute arbitrary SQL commands via the survey_id parameter in an ajax_survey action to wp-admin/admin-ajax.php.

Dark Reading Radio
Archived Dark Reading Radio
How can security professionals better engage with their peers, both in person and online? In this Dark Reading Radio show, we will talk to leaders at some of the security industry’s professional organizations about how security pros can get more involved – with their colleagues in the same industry, with their peers in other industries, and with the IT security community as a whole.