Dark Reading is part of the Informa Tech Division of Informa PLC


Visa Pushes PIN Requirement With Credit Card Purchases

European consumers are used to this drill, but now Visa is putting its muscle behind increased security measures in the United States.

Get ready to enter a personal identification number (PIN) code every time you present your credit or debit card to make a purchase.

This week, Visa announced that it's putting its muscle behind the adoption of "chip and PIN" capabilities in U.S. credit cards, which require in-person purchasers to input a PIN code into a point-of-sale machine before the card can be used. Also known as EMV--for Europay, MasterCard, and Visa, referring to their global standard for integrated circuit chips built into cards--the U.S. chip will include contactless chip technology, laying the groundwork for greater adoption of mobile payments using near-field communications (NFC).

"By encouraging investments in EMV contact and contactless chip technology, we will speed up the adoption of mobile payments as well as improve international interoperability and security," said Jim McCarthy, global head of product for Visa, in a statement.

To help nudge merchants to invest in the required new point-of-sale equipment, Visa said that starting in October 2012, any merchant that processes at least 75% of its Visa transactions via terminals that are compatible with cards carrying the new chips will be exempt from having to validate its compliance with the Payment Card Industry Data Security Standard (PCI DSS). By April 2013, meanwhile, Visa will require U.S. service providers and processors to support merchants' chip transactions.

Finally, beginning in October 2017, Visa said that for merchants who sell fuel, it will transfer the liability for fraudulent transactions to the merchant's bank, if the merchant isn't using contact and contactless chip technology at the point of sale. In the United States, credit card companies now mostly absorb those fraud-related costs.

EMV technology is already in wide use in Europe. Why is it only now making it to the United States? "There have been a number of factors that have held back the U.S. market for moving towards EMV," said Randy Vanderhoof, executive director of the Smart Card Alliance, an industry association, in an interview. "Most of them are economic, where the U.S. market has been utilizing the intelligence in the payments networks, and doing risk scoring of online transactions as a way to prevent fraud, and has done a pretty good job of keeping fraud rates down. They also implemented some pretty strict security rules on merchants, to try and harden the networks, to try and protect static data."

But the new push for EMV is a tacit nod to those approaches having failed. "The techniques that fraudsters are applying now, using hacking tools to harvest millions of accounts at a time, and requiring issuers to have to reissue tens of millions of cards, just on the possibility that some of those cards might be counterfeit, has created a lot of pressure to make some changes," he said.

Current estimates are that there are 650 million to 750 million active credit and debit cards in the United States. PCI, of course, was supposed to help secure those credit card details, by protecting how the card data was acquired and stored. But studies suggest that PCI never took off; only one-third of covered companies fully comply, and enforcement actions by companies such as Visa appear to be rare.

At the same time, there's now a burgeoning market in stolen credit card data, which sells for as little as $2 per card, though security researchers have recently said that an oversupply of such data may have further driven down prices. With the wide availability of stolen credit card details on the black market, perhaps it's not surprising that since 2009, credit card fraud has increased by 62%.

Without a doubt, EMV will be a security step forward for the United States. But the technology isn't bulletproof, even for card-present transactions. Last week at the Black Hat conference, a UBM TechWeb event in Las Vegas, for example, security researcher Andrea Barisani of Inverse Path demonstrated a card-skimming attack that works against EMV cards, even though their passwords are encrypted. The attack, which sneaks a chip into EMV-compatible point-of-sale readers that are supposedly tamperproof, was discovered in the wild.

"We think an EMV skimmer poses a serious threat, due to ease of installation, and is very difficult to detect," said Barisani. "There have been reported chip-skimmer installations dated 2008, being seen in the wild," he said. But it's often impossible for someone to tell if a point-of-sale terminal has been tampered with.

In response to his card-skimming research, Barisani said that some card organizations, such as EMVCo, have said that any such flaws would be mitigated through other means. Meanwhile, MasterCard has said that it would be too difficult at this point to overhaul EMV. But the Netherlands appears to have blocked this type of attack via a point-of-sale machine firmware upgrade that disables plaintext PIN verification for Dutch cards. As a result, a card skimmer can't read the PIN code.
