Signatures or PINs? EMV is Coming

Whether you are a seasoned, international road warrior, or a domestic suburbanite, new security features will soon be showing up on a credit card near you. In light of recent card data compromises, there’s a new drive to adopt credit card security technologies known as “Chip and PIN” (typically noted as “chip/PIN”) to better secure credit card data against fraud or compromise. While chip/PIN is new to most U.S. cardholders, it is the norm across most of Europe, Canada, and Mexico. There have been many initiatives in the last several years to drive U.S. payment card systems towards more secure technologies, but only now is adoption of chip/PIN starting to get increased traction across the U.S. payment card industry.

For individual card holders, these developments are important, and in this post we will cover some of the key points of these technologies.

 

First, what exactly is chip/PIN and what does it do to protect credit card data?

In a chip/PIN environment, when purchasing goods at a point of sale (POS) device, the credit card is inserted or “dipped” into a card reading device—not swiped as it is in the U.S. Once inserted, the customer inputs a PIN which authenticates the cardholder against the chip embedded on the card. Upon successful authentication, the chip generates the data necessary to complete the transaction and transmits the data for authorization.

Before we get too far into the discussion about chip/PIN, there is one point that needs to be clarified: The chip component of chip/PIN cards is sometimes referred to as “EMV data” or “EMV transactions” in the payment industry. The term EMV (for Europay, MasterCard and Visa) refers to a standard definition for chip-based payment cards, or “chip cards”—also referred to as “IC (integrated circuit) cards” as defined by EMVCo LLC. EMV is the basis for the chip/PIN implementation throughout Europe, and is planned for implementation in the U.S. (more on that, below). In short, EMV refers to the “chip” portion of chip/PIN cards, with the “PIN” implementation being a separate matter entirely.

Why is this relevant? Because much of what has been discussed thus far about implementing chip cards in the U.S. is focused primarily on the “chip” component, and does not necessarily include the “PIN” component that is otherwise present in Europe’s EMV environment. In lieu of using a PIN to authenticate the chip card, discussions in the U.S. have leaned toward reliance on manual signature verification (such as when a clerk compares the signature on the receipt to the signature on the card). As a result, the U.S. implementation will likely wind up being referred to as “chip and signature” or “chip/signature.”

 

What’s the difference between chip/PIN and chip/signature?

From the merchant’s perspective the credit-card payment process wouldn’t change significantly, outside of likely hardware upgrade requirements. And from the processor’s perspective, there really isn’t a difference, as long as they process or support transactions using EMV, or “track-equivalent data.”

Track-equivalent data is the data — including cryptographic data — used for transaction authentication and authorization within EMV environments. It is generated by the on-board integrated circuit, or the “chip,” on the card itself—not the card-reading device. This is not to say that track-equivalent data is “secure” in-and-of-itself. Because of some of the underlying functional requirements, track-equivalent data typically includes certain discretionary data elements, some of which are sensitive in nature and cannot be stored (something merchants should note).

From the cardholder perspective, however, there is one notable difference and that is the requirement of a PIN or signature to verify that the person holding the card is the actual card owner.

 

Is chip/PIN more or less secure than chip/signature?

That depends.

In a chip/PIN scenario, the PIN is used to authenticate the cardholder against the information stored on the chip. If you don’t know the PIN, the chip won’t give up the information necessary to complete the transaction. In a chip/signature scenario (theoretically speaking), the clerk responsible for completing the transaction would be required to validate the customer signature on the receipt with their signature on the card. If your signature doesn’t match sufficiently enough per the clerk’s perusal, they won’t complete the transaction. Say what you will about how consistently the practice of signature verification is actually practiced, versus how it is supposed to in theory, there are equally compelling arguments for either approach.

In a chip/PIN environment, as long as the cardholder’s PIN is kept secret, it would be theoretically impossible for someone to use a stolen card to perform fraudulent card-present transactions. It is because of the PIN requirement that card criminals have evolved their data collection strategies to include video surveillance targeting PIN entry devices, such as at ATMs and retail point-of-sale devices, to collect customer PINs. Once the PIN is compromised, the card can be used for fraudulent transactions. On the other hand, I can show my signature around to anyone, put it on all my receipts, etc., and the likelihood of anyone being able to reliably reproduce it on demand is pretty slim (expert forgers, excluded). Ultimately, the question boils down to this: Which is a more secure means to verify that a credit card belongs to the person holding the card?

 

Conclusion

It can be erroneously concluded that U.S. implementation of EMV heading in the direction of chip/signature undermines many of the anti-fraud security protections of chip/PIN. However, when the issue is considered from multiple sides, especially in putting everything together for this article, the more it is clear that there is no significant security benefit of one solution over the other.  Whether it is PIN or signature, the control is only used to authenticate the cardholder—the rest is about implementing security controls via EMV and integrated circuit cards that has nothing to do with either PINs or signatures. Until there is historical data to demonstrate the effectiveness or ineffectiveness of signatures vs. PINs in reducing card fraud, the jury is still out on which solution offers a significant upside over alternatives.

Ultimately, whether cards are authenticated via PIN or signature, the chip-based credit cards being rolled out in the U.S. will rely upon EMV security measures to protect the security of credit card data. These technologies provide a solid foundation for improving the overall security of credit card information and limiting fraud and misuse of compromised credit card data.

 

Resources

EMVCo LLC Website: http://www.emvco.com/

Wikipedia: EMV http://en.wikipedia.org/wiki/EMV

PCI Surprises

By Patrick Harbauer

Whenever we perform a PCI assessment for a new client, we invariably have the Gomer Pyle “Surprise!, surprise!” conversation with IT management. And the outcome of the conversation is that IT security controls are more closely monitored and the overall security posture of the organization improves. Here are a few examples:

Swiss Cheese Firewalls – When we perform a PCI assessment, we take firewall rule set reviews very seriously. Besides finding the obvious “ANY ANY” rule infractions, we find rules that were meant to be “temporary for testing” or rules that are no longer needed because entire environments have been decommissioned. It isn’t uncommon to see 10-20% of the firewall rules removed or tightened to allow only protocols, IP’s and ports that are actually required for the cardholder environment to function properly.

Missing Patches – Time and again we find in-scope systems that are not properly patched. This is usually due to overtaxed IT staff who don’t find the time to patch systems or a malfunctioning patching software solution. And in some cases administrators have been burned by a patch that brought down an application and vow to never patch again. What we usually find is that “practice makes perfect” with patching. Organizations that are up to date on patches have well-defined processes and document procedures to perform patching. And that leads us to our next issue…

One Environment – In many cases, organizations that are not up-to-date with their patches do not have isolated test/development and production environments. Besides being a PCI violation to have test/development and production systems on the same network and/or servers, if you do not have a test environment that mirrors production, you are more likely to break production applications when you patch. You will be much more successful remaining current with patches if you have a test environment that mirrors production and where you can address issues before applying the patches to production systems.

These are just a few examples of what we see when performing PCI assessments for new clients and illustrates some of the benefits that come out of a PCI assessment.

Response to Visa’s Chief Enterprise Risk Officer comments on PCI DSS

Visa’s Chief Enterprise Risk Officer, Ellen Richey, recently presented at the Visa Security Summit on March 19th. One of the valuable points made in her presentation was defending the value of implementing PCI DSS to protect against data theft. In addition, Ellen Richey spoke about the challenge organizations face, not only becoming compliant, but proactively maintaining compliance, defending against attacks and protecting sensitive information.

Recent compromises of payment processors and merchants that were stated to be PCI compliant have brought criticism to the PCI program. Our views are strongly aligned with the views presented by Ellen Richey. While the current PCI program requires an annual audit, this audit is simply an annual health-check. If you were to view the PCI audit like a state vehicle inspection. Even though at the time of the inspection everything on your car checks out, this does not prevent the situation of days later your brake lights go out. You would still have a valid inspection sticker, but are no longer in compliance with safety requirements. It is the owner’s responsibility to ensure the car is maintained appropriately. Similarly in PCI, it is the company’s responsibility to ensure the effectiveness and maintenance of controls to protect their data in an ongoing manner.

Ellen Richey also mentioned increased collaboration with the payment card industry, merchants and consumers. Collaboration is a key step to implementing the technology and processes necessary to continue reducing fraud and data theft. From a merchant, service provider and payment processor perspective, new technologies and programs will continue to reduce transaction risk, but, today, there are areas where these organizations need to proactively improve. The PCI DSS standard provides guidance around the implementation of controls to protect data. Though in addition to protecting data, merchants, service providers and processors need to proactively address their ability to detect attack and be prepared to respond effectively in the event of a compromise. These are two areas that are not currently adequately addressed by the PCI DSS and are areas where we continue to see organizations lacking.

See the following link to the Remarks by Ellen Richey, Chief Enterprise Risk Officer, Visa Inc. at the Visa Security Summit, March 19, 2009:

http://www.corporate.visa.com/md/dl/documents/downloads/EllenRichey09SummitRemarks.pdf