Visa Pushes PIN Requirement With Credit Card Purchases

European consumers are used to this drill, but now Visa is putting its muscle behind increased security measures in the United States.

Get ready to enter a personal identification number (PIN) code every time you present your credit or debit card to make a purchase.

This week, Visa announced that it's putting its muscle behind the adoption of "chip and PIN" capabilities in U.S. credit cards, which require in-person purchasers to input a PIN code into a point-of-sale terminal before the card can be used. The underlying technology is known as EMV--for Europay, MasterCard, and Visa, the three companies behind the global standard for payment cards with integrated circuit chips built in. Visa said the U.S. chip will also support contactless transactions, laying the groundwork for greater adoption of mobile payments using near-field communications (NFC).

"By encouraging investments in EMV contact and contactless chip technology, we will speed up the adoption of mobile payments as well as improve international interoperability and security," said Jim McCarthy, global head of product for Visa, in a statement.

To nudge merchants into investing in the required new point-of-sale equipment, Visa said that starting in October 2012, any merchant that processes at least 75% of its Visa transactions through terminals capable of accepting the new chip cards will be exempt from having to validate its compliance with the Payment Card Industry Data Security Standard (PCI DSS) each year. Note the distinction: the merchant is excused from the annual validation exercise, not from complying with the standard itself. By April 2013, meanwhile, Visa will require U.S. service providers and processors to support merchants' chip transactions.

Finally, Visa said it will shift liability for counterfeit-card fraud at the point of sale: if a chip card is presented at a terminal that can't process chip transactions and the transaction turns out to be fraudulent, the loss moves to the merchant's bank (the acquirer) rather than the card issuer. That shift takes effect in October 2015 for most merchants; merchants who sell fuel get until October 2017. In the United States, card issuers now mostly absorb those fraud-related costs.

EMV technology is already in wide use in Europe. Why is it only now making it to the United States? "There have been a number of factors that have held back the U.S. market for moving towards EMV," said Randy Vanderhoof, executive director of the Smart Card Alliance, an industry association, in an interview. "Most of them are economic, where the U.S. market has been utilizing the intelligence in the payments networks, and doing risk scoring of online transactions as a way to prevent fraud, and has done a pretty good job of keeping fraud rates down. They also implemented some pretty strict security rules on merchants, to try and harden the networks, to try and protect static data."

But the new push for EMV is a tacit nod to those approaches having failed. "The techniques that fraudsters are applying now, using hacking tools to harvest millions of accounts at a time, and requiring issuers to have to reissue tens of millions of cards, just on the possibility that some of those cards might be counterfeit, has created a lot of pressure to make some changes," he said.

Current estimates put the number of active credit and debit cards in the United States at 650 million to 750 million. PCI DSS, of course, was supposed to help secure those card details by governing how card data is acquired, transmitted, and stored. But studies suggest that compliance has lagged: only about one-third of covered companies fully comply, and enforcement actions by companies such as Visa appear to be rare.

At the same time, there's now a burgeoning market in stolen credit card data, which sells for as little as $2 per card, though security researchers have recently said that an oversupply of such data may have further driven down prices. With the wide availability of stolen credit card details on the black market, perhaps it's not surprising that since 2009, credit card fraud has increased by 62%.

Without a doubt, EMV will be a security step forward for the United States. But the technology isn't bulletproof, even for card-present transactions. Last week at the Black Hat conference, a UBM TechWeb event in Las Vegas, for example, security researcher Andrea Barisani of Inverse Path demonstrated a card-skimming attack against EMV cards. The weakness is that EMV lets a card accept its PIN unencrypted: in the widely used "plaintext offline PIN" mode, the terminal sends the PIN to the chip in the clear inside the VERIFY command. A thin skimmer slipped into the card slot, sitting between the card's contacts and the reader, can therefore record the PIN along with the account data the terminal reads from the chip in the same session, and it never has to breach the terminal's tamper-resistant enclosure to do so. Such skimmers have reportedly been found in the wild.

"We think an EMV skimmer poses a serious threat, due to ease of installation, and is very difficult to detect," said Barisani. "There have been reported chip-skimmer installations dated 2008, being seen in the wild," he said. But it's often impossible for someone to tell if a point-of-sale terminal has been tampered with.

In response to his card-skimming research, Barisani said, card organizations such as EMVCo have said that any such flaws would be mitigated through other means, while MasterCard has said it would be too difficult at this point to overhaul EMV. The Netherlands, however, appears to have blocked this type of attack with a point-of-sale firmware upgrade that disables plaintext PIN verification for Dutch cards, so the terminal sends the PIN only in the standard's enciphered form, encrypted under a public key belonging to the card. A skimmer in the card slot then sees ciphertext rather than the PIN. It can still harvest the account data passing over the contacts, so the fix closes the PIN leak rather than the skimming itself.
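To make concrete what the shim in Barisani's attack sees, and why the Dutch firmware change helps, here is a small decoder for the EMV VERIFY command as it passes over the card contacts. It is an added example written for this article, not code from Inverse Path, EMVCo, or any terminal vendor. The APDU layout (CLA 00, INS 20, P1 00, P2 80 for plaintext offline PIN, P2 88 for enciphered offline PIN) and the plaintext PIN block format follow EMV Book 3; the captured trace is constructed for the example, using the Visa application identifier in a SELECT command and zero bytes standing in for the RSA ciphertext an enciphered VERIFY would carry.

```python
"""Decode EMV VERIFY command APDUs as a passive card-slot shim would see them.

Added example for this article (not Inverse Path's or any vendor's code).
APDU structure per EMV Book 3: VERIFY is CLA=00 INS=20 P1=00, with
P2=0x80 for plaintext offline PIN and P2=0x88 for enciphered offline PIN.
The sample trace below is constructed for this example.
"""

from dataclasses import dataclass
from typing import List, Optional

INS_VERIFY = 0x20
P2_PLAINTEXT_PIN = 0x80
P2_ENCIPHERED_PIN = 0x88


@dataclass
class VerifyObservation:
    mode: str             # "plaintext", "enciphered", or "not-verify"
    pin: Optional[str]    # recovered PIN digits, only in plaintext mode


def parse_plaintext_pin_block(block: bytes) -> str:
    """Decode the 8-byte EMV plaintext offline PIN block.

    Layout, in nibbles: control field (2), PIN length (4..12),
    PIN digits as BCD, then F padding to fill 8 bytes.
    """
    if len(block) != 8:
        raise ValueError("plaintext PIN block must be 8 bytes")
    flat = [n for b in block for n in (b >> 4, b & 0x0F)]
    if flat[0] != 0x2:
        raise ValueError("bad control field, expected 2")
    length = flat[1]
    if not 4 <= length <= 12:
        raise ValueError("PIN length must be 4..12")
    digits = flat[2:2 + length]
    if any(d > 9 for d in digits):
        raise ValueError("non-decimal PIN digit")
    if any(f != 0xF for f in flat[2 + length:]):
        raise ValueError("padding must be F")
    return "".join(str(d) for d in digits)


def observe_verify(capdu: bytes) -> VerifyObservation:
    """What a shim between card contacts and reader learns from one C-APDU."""
    if len(capdu) < 5:
        raise ValueError("APDU too short")
    cla, ins, p1, p2, lc = capdu[:5]
    data = capdu[5:5 + lc]
    if ins != INS_VERIFY:
        return VerifyObservation("not-verify", None)
    if p2 == P2_PLAINTEXT_PIN:
        # The PIN travels in the clear; the shim simply decodes it.
        return VerifyObservation("plaintext", parse_plaintext_pin_block(data))
    if p2 == P2_ENCIPHERED_PIN:
        # Data is RSA-encrypted under the card's ICC PIN encipherment key;
        # a passive shim sees only ciphertext of the key's modulus length.
        return VerifyObservation("enciphered", None)
    raise ValueError(f"unknown VERIFY qualifier P2={p2:02x}")


def skim_trace(trace: List[bytes]) -> List[str]:
    """Return every PIN a passive skimmer recovers from a terminal-to-card trace."""
    return [obs.pin for obs in map(observe_verify, trace) if obs.pin is not None]


# Constructed trace: SELECT of the Visa AID, then a plaintext VERIFY of PIN 1234.
SAMPLE_TRACE_PLAINTEXT = [
    bytes.fromhex("00A4040007A0000000031010"),       # SELECT A0000000031010
    bytes.fromhex("0020008008241234FFFFFFFFFF"),     # VERIFY, P2=80, PIN 1234
]

# Same session on a terminal that only does enciphered PIN (Dutch-style fix):
# 128 zero bytes stand in for the RSA ciphertext of a 1024-bit key.
SAMPLE_TRACE_ENCIPHERED = [
    bytes.fromhex("00A4040007A0000000031010"),
    bytes.fromhex("0020008880") + bytes(128),        # VERIFY, P2=88
]

if __name__ == "__main__":
    print("plaintext terminal leaks:", skim_trace(SAMPLE_TRACE_PLAINTEXT))
    print("enciphered terminal leaks:", skim_trace(SAMPLE_TRACE_ENCIPHERED))
```

Run stand-alone, the first trace yields the PIN and the second yields nothing, which is exactly the difference the Dutch firmware upgrade makes. The SELECT and READ RECORD traffic still carries the account data in both cases, so the decoder above is also a reminder that disabling plaintext PIN protects the PIN, not the rest of the session.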
