Dark Reading is part of the Informa Tech Division of Informa PLC


1/30/2014
12:37 PM

Chip-and-PIN Security Push To Pit Retailers Against Banks

While the cost of breaches typically falls on the merchants, card issuers and banks would foot much of the bill for improving the security of the payment-card system

In the wake of widespread hacks of chain-store networks and the theft of credit- and debit-card data from point-of-sale (POS) systems, retailers are lobbying for better payment-card security -- an effort that has caused friction between the merchants and the financial institutions that issue cards.

On Monday, the Retail Industry Leaders Association (RILA) issued a pledge to strengthen the cybersecurity of its members by supporting federal legislation to require breach notification and information sharing, eliminate weak magnetic-stripe payment-card technology, and adopt the more secure chip-and-PIN architecture. The move to chip-and-PIN payment cards would require that retailers purchase or lease expensive chip-card readers, but the change will cost far more for the financial institutions that issue cards.

Yet without such changes, cybercriminals will continue to be able to defraud the U.S. financial and retail systems, says Brian Dodge, senior vice president of communications and state affairs for RILA.

"We know that criminals are getting better by the day at stealing information, whether it is from retailers or processors or even governments," he says. "So we need to be constantly working to stay ahead of that, and we need to collaborate to get the security of the payment system to keep pace with the criminals."

In late December, retail giant Target acknowledged that online thieves had breached its systems and installed malware on its POS terminals to steal credit- and debit-card data. The attackers collected financial details of approximately 40 million accounts, as well as other personal information on 70 million customers. The retail giant was not the only company hit; attackers have compromised a score of other retailers in the past year, including department store chain Neiman Marcus.

While Target and other retailers have taken the brunt of the criticism for the attacks, the industry has pointed the finger back at financial institutions. Last week, the National Retail Federation, which represents 12,000 retailers worldwide, weighed in on the issue as well, asking Congress to support additional legislation and advocating a change to chip-and-PIN technology.

In its statement, the NRF took solid aim at the financial institutions' history of reticence in adopting chip-and-PIN cards.

"For years, banks have continued to issue fraud-prone magnetic stripe cards to U.S. customers, putting sensitive financial information at risk while simultaneously touting the security benefits of next-generation PIN-and-chip card technology for customers in Europe and dozens of other markets," NRF CEO Matthew Shay said in a statement.

The American Bankers Association, which represents the vast majority of banks in the United States, pointed out in a heated statement that banks are the first line of defense for consumers, and frequently are not reimbursed for their costs caused by fraud.

"When a retailer like Target speaks of its customers having 'zero liability' from fraudulent transactions, it is because our nation's banks are providing that relief, not the retailer that suffered the breach," Frank Keating, president and CEO of the ABA, said in a statement sent to Congressional members (PDF). "It is often the case that banks must explain to their customers what has happened without the bank knowing where the breach has occurred."

The industry is slated to move to a chip-card standard by October 2015. Known as Europay-Mastercard-Visa (EMV), the standard will force retailers to support chip cards, but not require the use of PINs to secure the data on the cards. Offering the option to allow a simple signature for authorization does not protect the data on the card, says RILA's Dodge.

With the number of large breaches escalating, the U.S. payment card ecosystem may finally be ready to move to chip cards secured by PINs, says Avivah Litan, a security analyst with business-intelligence firm Gartner. Attempts to secure the various entities in the payment-card chain through the Payment Card Industry's Data Security Standard (PCI-DSS) have largely failed, she says.

"I think the banks are finally ready to go for it," Litan says. "While it's not a bad standard, PCI is just too prone to failure. We need to put the security where the data is, and that is what chip-and-PIN cards do."

There are at least three hearings on the retail breaches and the need for better cybersecurity in front of congressional committees next week. Both sides of the debate have called for "shared responsibility" moving forward, but whether that means they are willing to work toward speeding chip-and-PIN implementations remains to be seen.

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ...

Comments
macker490,
User Rank: Ninja
2/6/2014 | 12:52:30 PM
re: Chip-and-PIN Security Push To Pit Retailers Against Banks
no
last i heard the cost of fraud was 6 cents per $100
they just write it off as part of the cost of doing business

as consumers this is unacceptable as the cost of obtaining a satisfactory correction after an error is way too high

the alternative: use cash.
payment cards are skimming something like 3% off the market but they don't get that if you use cash.

the other advantage to cash is you don't buy so much stuff you don't need.
Drew Conry-Murray,
User Rank: Ninja
2/3/2014 | 3:35:03 PM
re: Chip-and-PIN Security Push To Pit Retailers Against Banks
I would think the card-issuing banks would be most interested in getting a chip-and-PIN system in place because they're the ones who have to eat fraudulent charges and pay to issue new cards.