Chip and PIN Crash Course

September 22, 2014

EMV and chip & PIN have become bigger buzzwords lately as more national retailers have reported their credit card data being breached. There’s a lot to EMV and it can be incredibly confusing even if you’re mired waist deep in the card payment industry. I’m only ankle-deep, but hopefully this can help clarify some of the bigger points of the program.

What is EMV?

EMV stands for Europay/MasterCard/Visa and is a series of specifications designed to maximize the security of payment systems. It started in Europe and is beginning to gain traction in the US. The current method uses a chip built onto a credit card that activates when plugged into a special card reader or payment terminal. It won’t release the data unless the user enters a PIN, thereby making it more secure than swiping a magnetic card through a reader.

There are other methods, including contactless payment, but the chip and PIN method is the next to be adopted in the US. You may have seen these types of cards already; they’re often used as smart cards for employee access and other ways to manage use/access of things. For instance, the laundry machines at Western Washington University ran on smart cards. So the cards themselves have been around for a while.

Why is it awesome?

The main reason EMV is useful is because it’s a multi-step method of authorizing and approving payment. With current credit cards, the proof that you’re you is a signature, and they rarely check it. For reals. I’ve drawn giant smiley faces for signatures and the charge went through no sweat. With debit cards you need to enter a PIN, which is fantastic, but the card can also be used as a credit card so you can circumvent that step.

Secondly, the technology has been adopted pretty much everywhere else, so the hardware exists, it’s been tested, and it’s been optimized to cut down on the hassle for customers. The data on the card changes slightly every use, which provides an added layer of protection. I imagine there’s a checksum involved and if it doesn’t pass, the transaction gets flagged or outright denied.
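To make the “data changes every use” point concrete, here is an added example (mine, not from the original post and not EMVCo’s specification) of the idea behind EMV’s Application Cryptogram: the chip keeps a transaction counter (the ATC) and computes a MAC over the transaction details, and the issuer verifies it. Real EMV cards derive per-card and per-session 3DES/AES keys from issuer master keys; the single HMAC key, the PAN, and the message layout below are constructed stand-ins for that.

```python
import hmac
import hashlib
import os

# Constructed stand-in for the issuer's key material; a real issuer derives
# per-card keys from a master key and the card never reveals its own copy.
ISSUER_KEY = b"issuer-master-key-demo"


def _mac_input(pan, amount_cents, atc, unpredictable_number):
    # The fields the cryptogram covers in this model: who, how much, which
    # transaction number, and a random value the terminal chose for this sale.
    return b"|".join([
        pan.encode(),
        str(amount_cents).encode(),
        atc.to_bytes(2, "big"),
        unpredictable_number,
    ])


class Card:
    """Models the chip: it holds an Application Transaction Counter (ATC) and
    signs each transaction, so the data sent to the terminal differs every use."""

    def __init__(self, pan):
        self.pan = pan
        self.atc = 0

    def generate_cryptogram(self, amount_cents, unpredictable_number):
        self.atc += 1
        mac = hmac.new(ISSUER_KEY,
                       _mac_input(self.pan, amount_cents, self.atc, unpredictable_number),
                       hashlib.sha256).hexdigest()
        return {"pan": self.pan, "amount": amount_cents, "atc": self.atc,
                "un": unpredictable_number.hex(), "cryptogram": mac}


class Issuer:
    """Models the issuer host: recomputes the MAC and refuses any ATC that does
    not move forward, which is what makes a captured transaction worthless."""

    def __init__(self):
        self.last_atc = {}

    def authorize(self, msg):
        expected = hmac.new(ISSUER_KEY,
                            _mac_input(msg["pan"], msg["amount"], msg["atc"],
                                       bytes.fromhex(msg["un"])),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg["cryptogram"]):
            return False  # amount or other field altered, or not our card
        if msg["atc"] <= self.last_atc.get(msg["pan"], 0):
            return False  # same counter seen before: a replay
        self.last_atc[msg["pan"]] = msg["atc"]
        return True


def demo():
    """Run one real sale, replay it, tamper with a second sale, then send the
    second sale intact. Returns the four authorization results in that order."""
    card = Card("4111111111111111")  # constructed test PAN
    issuer = Issuer()
    sale1 = card.generate_cryptogram(1215, os.urandom(4))
    first = issuer.authorize(sale1)
    replay = issuer.authorize(sale1)               # captured message sent again
    sale2 = card.generate_cryptogram(500, os.urandom(4))
    tampered = issuer.authorize(dict(sale2, amount=2115))  # amount changed in flight
    genuine = issuer.authorize(sale2)
    return first, replay, tampered, genuine


if __name__ == "__main__":
    print(demo())
```

The two rejections are the whole story: a copied magnetic stripe yields the same bytes forever, whereas a copied chip transaction fails on the counter, and any edit to the amount fails on the MAC.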

I own a business, what do I do?

I guess for now, you get to wait. If you accept credit and debit cards, it might be a good idea to get in touch with your merchant services provider to see what their plan is. The major card reader and payment terminal manufacturers have products ready to go, if not already in use, so the transition should be relatively painless.

Hardware:

Since adoption rates are so high outside of the US (Western Europe boasts 73.9% of cards and 89% of terminals utilizing EMV), there’s a fair bit of hardware already out there. It looks like for now the biggest issue is ensuring that whatever hardware you use to take cards is compatible with every variant on the market.

MagTek DynaPro – MagTek has led the way when it comes to securing card data. From their Dynamag (née Centurion) hardware-encrypted card reader to their check reader platform, you can be sure that if your card data falls into the wrong hands, it’ll be useless. The DynaPro incorporates their MagneSafe hardware encryption platform with contact and contactless smart card reading, making it a great option during the transition period.

VeriFone VX 520 – The VX 520 is a standalone payment terminal, like what you might see at a convenience store or places that use an electronic cash register instead of a full POS system. Like the DynaPro, it supports both traditional magnetic cards as well as EMV smart cards. You do gain additional versatility with this terminal; it supports transmitting card data via dialup, Ethernet, and even GPRS cellular networks, so this could be a great fit for mobile POS platforms.

ID Tech Unipay – Mobile POS on smartphones is blowing up, or it blew up. Either way it’s pretty huge. ID Tech has been making various readers that hook in via audio jack, and their new UniPay extends that functionality by supporting EMV cards. It does require the software you run to accept that data, so there are some extra steps required. It’s not out yet, but should be soon.

Ingenico iPP H-Touch 480 – Ingenico, like Verifone, has been making payment terminals for years. They’re usually the ones you see at grocery stores and larger department stores, and are pretty robust. The iPP H-Touch 480 supports magnetic card reading as well as smart card and contactless cards, making it a great transitional tool. It does require integration with your POS system, so you may want to talk with your software provider to make sure this is a compatible solution.

Square EMV – Everyone and their brother loves Square and their 2.75% transaction rates, so it’s good that they’re working on creating a reader that supports chip and PIN. It looks like you can give them your email and they’ll let you know when it’s ready. I bet every news site and blog aggregator will also let you know when it’s ready.

Important Dates:

We’ve already passed a few important dates, mostly with regard to processors adopting the standards and deadlines, but the main two for businesses are October 2015 and October 2017.

October 2015

– Liability shifts to processors if their merchant lacks an EMV-enabled device and is involved in a counterfeit or fraudulent card-present transaction.

October 2017

– Similar liability shifts, but for automated fuel dispensers. They get extra time because replacing gas station systems sounds expensive and complicated.

Conclusion:

Businesses, if they’re not already supporting EMV and chip & PIN, have about a year to get transitioned over and ready to go. Thankfully, it looks like solutions are in development or already available, so it’s a matter of working with your credit card processor to ensure you get the right one. We are working with our merchant account provider partners to make sure we have the hardware ready as soon as possible and will let you know as soon as we have solutions available.

Sources:

http://www.tsys.com/acquiring/engage/white-papers/United-States-EMV-Adoption.cfm – U.S. EMV Adoption: Lessons Learned from a Canadian-Based Value Added Resource (VAR) – TSYS
http://www.idtechproducts.com/products/mobile-readers/176.html – ID Tech Unipay – ID Tech
http://www.magtek.com/V2/products/pin-entry-and-management/DynaPro.asp – DynaPro – MagTek
http://www.ingenico.com/en/products/payment-terminals/retail-pin-pads/ipp-h-touch-480/ – iPP H-Touch 480 – Ingenico
http://www.verifone.com/products/hardware/countertop/vx-520/ – VX 520 – VeriFone
http://www.verifone.com/solutions-services/emv/ – The Key to EMV – Verifone
http://www.emvco.com/about_emv.aspx – About EMV – EMVCo
https://squareup.com/emv – Square EMV Reader – Square
http://masteryourcard.com/blog/2008/04/11/a-prank-to-remember-do-signatures-matter/ – A Prank to Remember: Do Signatures Matter – Master Your Card


Hey remember how Target got hacked and managed to give up a metric boatload of credit card info? The malware that did that has reportedly infected over one thousand businesses across the US. Including some UPS stores. So I guess you should go log in to your various credit card accounts and see if you, too, just maxed out your cards to buy power tools or Jack in the Box gift cards. Unless you really did, then good luck chop sawing that bacon ultimate cheeseburger.

The main vector for this attack is to hit poorly configured remote access software on the POS computers at the business. This software is a boon when a business needs help but tech support is a ways away. However, if it’s not set up properly, it’s relatively straightforward for someone to try to brute force their way in. And once the thief has access, they can install software that captures credit card data during transactions and sends it off to be sold to the highest bidder.
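A brute-force attempt on remote access software is noisy if anyone is looking, so here is an added example (mine, not from the original post or from any remote access vendor) of the check a business or its support provider could run over the service’s login log: count failed logins per source address inside a short window, and treat a later successful login from a flagged address as the serious case. The log format and the addresses are constructed for the example; a real product’s log will need its own regular expression.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log in a made-up "remote-access" format. The first source
# hammers several usernames in a few seconds and then gets in; the second is a
# normal user who mistyped once.
SAMPLE_LOG = """\
2014-08-22 02:14:01 remote-access: login FAILED user=admin from=203.0.113.7
2014-08-22 02:14:03 remote-access: login FAILED user=admin from=203.0.113.7
2014-08-22 02:14:04 remote-access: login FAILED user=admin from=203.0.113.7
2014-08-22 02:14:06 remote-access: login FAILED user=pos from=203.0.113.7
2014-08-22 02:14:07 remote-access: login FAILED user=admin from=203.0.113.7
2014-08-22 02:14:09 remote-access: login FAILED user=support from=203.0.113.7
2014-08-22 02:14:20 remote-access: login OK user=admin from=203.0.113.7
2014-08-22 09:30:00 remote-access: login FAILED user=owner from=198.51.100.5
2014-08-22 09:30:45 remote-access: login OK user=owner from=198.51.100.5
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) remote-access: login "
    r"(?P<result>OK|FAILED) user=(?P<user>\S+) from=(?P<ip>\S+)$"
)


def parse(log_text):
    """Yield (timestamp, result, user, ip) for each line that matches the format."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield (datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                   m["result"], m["user"], m["ip"])


def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return one alert per source address that reaches `threshold` failed
    logins inside `window`. Each alert records the largest failure count seen
    and whether the same address later logged in successfully."""
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    alerts = {}
    for ts, result, user, ip in parse(log_text):
        if result == "FAILED":
            q = recent[ip]
            q.append(ts)
            while q and ts - q[0] > window:   # drop failures outside the window
                q.popleft()
            if len(q) >= threshold:
                alert = alerts.setdefault(
                    ip, {"ip": ip, "failures": 0, "success_after": False})
                alert["failures"] = max(alert["failures"], len(q))
        elif ip in alerts:
            alerts[ip]["success_after"] = True   # brute force that got in
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

An alert with `success_after` set is the one to act on first: the account password should be changed and the software's access restricted (or removed, per option 3 below) before anything else.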

There are some ways to mitigate these issues, or eliminate them. I’ll list them out in terms of most to least brutal:

  1. Don’t take cards anymore: If you want to be hack free, just stop taking and processing cards. This is probably the easiest way to eliminate the vulnerability, but it’s also the easiest way to lose a ton of business. I’ve seen it work in tiny shops, usually places where people wouldn’t want to use their cards anyway. Most of the time it’s funky night clubs or tackle shops. This is a remarkably draconian way to protect yourself. But it’s an option. It’s not one I recommend at all.
  2. Switch to a standalone terminal: This separates your payment processing from your POS system, all but eliminating the possibility of malware getting installed that can scrape credit card data. Unfortunately, this also means you go through the sale on your POS system, then go through a separate path to enter in payment information. You can also get errors, like if someone types in a charge of $21.15 on the terminal instead of $12.15. It’s not something that’ll happen often, but something to concern yourself with.
  3. Lock down your POS System: The system should be locked down before you even receive it. We do that with the systems we ship out; the firewall is set up during configuration, and we don’t install remote access anything on them. If your POS system provider has installed remote access software, call them up like right now and ask them how secure it is. I bet they’ll tell you it’s super secure. Then have them make it more secure. Or make it even more secure by uninstalling it.
  4. Switch to encrypted card reading: Most POS and card processing software should support this by now, where the credit card data is encrypted by the card reader before it’s even sent to your computer. This doesn’t make you completely safe; if you have the malware on your system the thieves still end up with a big pile of data that *could* be turned into credit card info with enough work. But it’s super tough to get the encryption key, and it’s probably tough to brute force it. So it does slow down the process, and sometimes that’s all you need.

Three and four are pretty close in terms of easiness; I’d recommend doing both really. Definitely do three. That’s a great one. There’s no reason any third party company you work with should have unfettered access to your system. Even if you have to click a “yes I need help” button to initiate the connection, having the software on there is just opening you up to a world of hurt. When we help customers remotely, they have to log in to a service online; no software is installed on their computer at all. And when we’re done, there’s no way for us to reconnect. As it should be.

As for encrypted card reading, if your credit card processing company allows for encrypted card reading, and your software supports it, GO FOR IT. Seriously. The encrypted card readers are cheap, and sometimes the card processor will give you one for free. It limits your attack surface somewhat, which helps them on insurance fees, I’d imagine.

Credit card security is vital. So vital that card processors are going to transition to the more secure Chip & PIN method in the next year or so. In that instance, you can’t run the card unless you physically have the original card. I didn’t put it in the list of options since not everyone has a Chip & PIN card yet.

A group of students at Sweden’s Lund University have concocted a new way to link a person to a payment account. Traditional credit cards are easy to use, but also really easy to duplicate or otherwise copy. Newer PCI compliance rules have made that a bit difficult, with the addition of hardware encryption in magnetic card readers, but some want to get away from cards entirely.

Enter the students, with a method that maps the vein patterns in your hand to identify who is making a purchase. Engadget had a pretty solid article about the method, and it seems like there’s a lot of promise to it. It also looks like there are a lot of steps that could make adoption a bit slower.

So with their setup, you apparently have to give the issuing agency a scan of your hand, social security number, bank info, and phone number, and you’d then be linked. In this instance, the startup the students created would act as an intermediary, meaning there’s one more step between retailers getting your info and also getting your money. If there was a way to set this up directly with your credit card company, I could see it becoming easier down the road. But in its current incarnation, there’s a pretty high barrier to entry.

That being said, I could see this being a great option for universities or high schools. Currently, most colleges require students to swipe a card to gain access to dining hall services or buy additional food items. The student (or their parents) can add funds to the account as needed, in case they are hungry and out of Universi-Bucks. In this instance, the payment system is relatively closed, so setting a student up to use it would be relatively straightforward. It does become another vector for contamination, unless the hand scanner is sanitized after every use.

I do enjoy seeing students and researchers trying to create alternative methods to authenticate a user for payment. Hopefully this catches on somewhere.

Very rarely does POS equipment make its way onto sites like Engadget or Gizmodo, but hey sometimes interesting stuff happens. This time it was a video of hardware that can make your receipt printer print out the Constitution.

From the article, this is the work of Thibault Brevet, a Swiss artist, who showed off his work at SXSW. The trigger system is apparently a small computer type thing that just fires out the proper commands over to the printer and boom, Constitution! Gizmodo claims it’s any receipt printer, but it looks like there are some specifics to the setup. Namely, the printer needs a serial port in order to communicate with the crazy trigger system, and given that it’s an Epson TM-T88V, I assume the commands are sent using ESC/POS. Many printers do support ESC/POS, though implementations aren’t always exact.
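For anyone curious what “firing commands at the printer” looks like on the wire, here is an added example (mine, not Brevet’s code and not Epson’s) that builds an ESC/POS receipt job as raw bytes. The command codes (ESC @, ESC E, ESC a, GS V) are from the public ESC/POS command set; the receipt contents are constructed. It also shows the one thing a POS developer should do with this protocol: strip control bytes out of any text that came from a user before it goes into the job, because a printer has no notion of “data” versus “command” and will obey an ESC or GS sequence wherever it appears.

```python
ESC = b"\x1b"
GS = b"\x1d"

INIT = ESC + b"@"                  # ESC @   : reset the printer to its defaults
BOLD_ON = ESC + b"E\x01"           # ESC E 1 : emphasized mode on
BOLD_OFF = ESC + b"E\x00"          # ESC E 0 : emphasized mode off
CENTER = ESC + b"a\x01"            # ESC a 1 : centre justification
LEFT = ESC + b"a\x00"              # ESC a 0 : left justification
FEED_AND_CUT = GS + b"V\x42\x03"   # GS V 66 n : feed n lines, then partial cut

WIDTH = 42   # assumed columns on an 80 mm receipt at the default font


def sanitize(text):
    """Keep only printable ASCII. Anything that could be read as a command
    (ESC, GS, other control bytes) or that the printer's code page might
    mis-handle is dropped rather than escaped."""
    return "".join(ch for ch in text if 0x20 <= ord(ch) < 0x7f).encode("ascii")


def money(cents):
    return f"${cents / 100:.2f}"


def build_receipt(header, items):
    """Return a complete ESC/POS job: centred bold header, one line per
    (name, price_in_cents) item with the price right-aligned, a bold total,
    then feed and cut. `items` is a list of (str, int) tuples."""
    job = INIT + CENTER + BOLD_ON + sanitize(header) + b"\n" + BOLD_OFF + LEFT
    total = 0
    for name, cents in items:
        name_field = sanitize(name)[:WIDTH - 12].ljust(WIDTH - 12)
        job += name_field + money(cents).rjust(12).encode() + b"\n"
        total += cents
    job += (BOLD_ON + b"TOTAL".ljust(WIDTH - 12)
            + money(total).rjust(12).encode() + b"\n" + BOLD_OFF)
    return job + FEED_AND_CUT


if __name__ == "__main__":
    # Constructed sample sale; the second item name carries an embedded ESC @
    # as a user-typed value would if the POS field were not filtered.
    job = build_receipt("POSGuys Demo Store",
                        [("Receipt paper, 10 rolls", 1215), ("Cable\x1b@", 500)])
    print(job)
    # On a real TM-T88V on a serial port you would write these bytes to the
    # port, e.g. with pyserial; nothing in this example opens hardware.
```

The job is just bytes, which is exactly why Brevet’s box works and exactly why unfiltered text from a web order or a customer-facing field should never be written straight into one.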

It is interesting to see POS hardware used in unconventional ways. Kind of like using mobile computers to play a song.

Just learned from Engadget that Gearbox software, developers of the Borderlands series of games, has just released an interesting companion app to their Borderlands 2 title. For the uninitiated (I imagine all three of you who read this blog), the Borderlands series is a first person role-playing shooter. Kind of a mash of Halo and Diablo. The crux of this game is loot acquisition: weapons, shields, and power ups that make your character a beefier and more formidable loot acquisition machine.

With Loot the World, the new app, you use your iPhone or Android phone to scan a QR code, and it generates an item you can use in game with your character. It’s a tremendous way to extend the lifespan of a game and will most likely draw players back in who may have completed the game and moved on to different titles.

With that bit of exposition out of the way, I wanted to point out our online barcode generator at https://www.posguys.com/barcode/ is a fun and easy way to make your very own QR Codes to create items. Items are specific to the code you scan, so theoretically you could find a great item, and send that QR code to friends who may want the item themselves.

For Android users, if you happen to scan a code and get an item you don’t like, you can click and hold on the product and it’ll bring up an option to remove it from your inventory.

QR codes support a ton of characters per code, including non-alphanumeric ones. So you could dump some Emoji into our QR code generator and you’ll get some new results.

Update: Further testing let us get items by scanning any barcode. But wouldn’t you rather convert the Modern Major General song from Pirates of Penzance into great loot?
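Since the post leans on how much a QR code can hold, here is an added example (mine, not the code behind the POSGuys generator) that picks the QR encoding mode for a string the way the specification orders them (numeric, then alphanumeric, then byte), counts the data bits each mode needs, and checks the input against the maximum for the largest symbol (version 40 at error-correction level L: 7,089 digits, 4,296 alphanumeric characters or 2,953 bytes). The emoji case is the interesting one: it forces byte mode and costs four UTF-8 bytes per character.

```python
# The 45-character alphanumeric set from the QR specification. Note that
# lowercase letters are NOT in it, so "hello" is a byte-mode string.
ALNUM_CHARS = set("0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ $%*+-./:")
DIGITS = set("0123456789")

# Maximum input for a version 40 symbol at error-correction level L,
# expressed in the unit each mode counts (digits, characters, bytes).
CAPACITY_40L = {"numeric": 7089, "alphanumeric": 4296, "byte": 2953}


def select_mode(text):
    """Choose the densest mode that can represent every character of `text`."""
    if text and all(c in DIGITS for c in text):
        return "numeric"
    if all(c in ALNUM_CHARS for c in text):
        return "alphanumeric"
    return "byte"


def data_bits(text, mode):
    """Bits for the data itself, excluding the 4-bit mode indicator and the
    version-dependent character-count field.
    numeric: 10 bits per 3 digits (4 bits for 1 leftover, 7 for 2);
    alphanumeric: 11 bits per 2 characters (6 for 1 leftover);
    byte: 8 bits per UTF-8 byte."""
    n = len(text)
    if mode == "numeric":
        groups, rem = divmod(n, 3)
        return groups * 10 + {0: 0, 1: 4, 2: 7}[rem]
    if mode == "alphanumeric":
        groups, rem = divmod(n, 2)
        return groups * 11 + rem * 6
    return len(text.encode("utf-8")) * 8


def analyze(text):
    """Report mode, how many units the input counts as, the data bits, and
    whether it fits in the largest level-L symbol at all."""
    mode = select_mode(text)
    units = len(text.encode("utf-8")) if mode == "byte" else len(text)
    return {"mode": mode, "units": units, "bits": data_bits(text, mode),
            "fits_40L": units <= CAPACITY_40L[mode]}


if __name__ == "__main__":
    for sample in ["12345", "HELLO WORLD", "hello", "\U0001F600"]:
        print(repr(sample), analyze(sample))
```

The practical upshot for a generator like ours: uppercase text packs almost twice as tight as mixed case, and a paragraph of emoji will run into the byte-mode ceiling long before a paragraph of digits would.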

Earlier one of my coworkers sent me a couple links to two Epson calculators, one for how much paper you’ll save using Epson’s paper reduction techniques, and one for how much money you’ll save using one of their energy star compliant printers over a competitor printer. It’s great to see back-of-the-envelope math being used outside of bars and anywhere else you might have the back of an envelope.

PAPER SAVER
This one is probably the easiest one to spot savings in, since media is a pretty established cost. I guess Epson’s receipt printers can reduce usage 10%, 20%, or 30%, so that makes calculations pretty straightforward. It’s also pretty easy to calculate savings on one’s own: if your yearly paper bill is something on the order of $1,000, a 30% paper reduction should result in a new bill of $700. But that’s also a raw estimate and not as fun as a whole page with sliders & whatnot. And sometimes it helps to have a third party verify your calculations, especially when trying to justify an expenditure to a supervisor.

ENERGY SAVER
Of the two, this can be a bit more nebulous. You do have the ability to set your rates per kWh and over what span, which is a great way to see about how much it’ll cost to run the device. What makes it a little tougher is that the list of comparable products is relatively limited. Within the thermal section, you have a robust selection of Epson printers, but for competitors you have Star, Ithaca, Citizen, NCR, Bixolon, Toshiba, and Beiyang. I guess I was hoping to see CognitiveTPG, or maybe POS-X up in the list.

Both of these are definitely aimed at larger retailers with multiple checkstands. Especially the energy saver one, where the difference between a ReadyPrint T20 and TSP100ECO over 5 years is $0.25 savings. However, if you have a grocery store or department store with 10 to 20 printers in use, the savings really start to add up, and that’s important to see. It’s also nice to have a hard monetary value associated with the general warm feelings you might get knowing you’re cutting back on usage. It’s like an extrinsic reward to go with the intrinsic.

Just caught an article from last month, where a group of men installed card skimmers on cash registers in a Florida Nordstrom. The registers used the PS/2 port on the PCs for keyboard entry, and so any text sent to the register would be caught by the skimmer. Unfortunately, the keyboards used generally have the credit card reader built in, so that means credit card data was being sent as plain text through that same port. That’s a really big risk for cardholders and Nordstrom.

I’m not sure how they were able to hot install a PS/2 device without having to reboot the PC. In my experience, unplugging a PS/2 mouse or keyboard usually meant you had to reboot the PC to re-establish the connection. But they were able to get the skimmer installed somehow, so that’s a threat right there. I’m also amazed that PS/2 is still being used in industry. When I started, support handled a 50/50 split between PS/2 and USB-based keyboards and input devices. Today, it’s closer to 95% in favor of USB. It’s just easier to use and troubleshoot.

Anyway, as I’ve mentioned in previous posts, if third parties have access to your POS system, they have access to everything on it, including credit card data. It doesn’t matter if your processing software encrypts it before it shoots it off to the internet, the data is still available at some point on the computer. That’s why companies like MagTek have created great products like the Dynamag, which can encrypt the data in the MSR itself before sending it to the PC. So even if it does get compromised, all the thieves get is a garbled mess.

With PCI compliance becoming more prevalent, and merchants facing fines for data loss, doing what you can as a business owner to mitigate the damage now is a great way to avoid paying a steep fine later. We have the Dynamag available for a little over 50 dollars, and your merchant account provider can encode it usually for a nominal fee, or even for free. Seems a lot cheaper than a $20,000 fine for a data breach.
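This post and the “switch to encrypted card reading” option from the breach post above make the same point, so one added example (mine, not MagTek’s firmware or protocol) covers both. A keyboard-wedge reader sends track 2 as plain keystrokes, and anything sitting between the reader and the software, a PS/2 skimmer or a memory scraper, sees the PAN in the clear. The first function is the same pattern match a scraper uses (and that a defender can run over memory dumps or logs to find out whether clear card data is ever present); the second models a reader that encrypts in hardware and hands the PC only a masked PAN plus ciphertext. The keystream here is a stand-in for the reader’s real encryption scheme, the key is a constructed stand-in for the one the processor injects, and the swipe data is a constructed test track.

```python
import hashlib
import hmac
import re

# Track 2 as a keyboard-wedge reader types it: start sentinel ';', PAN,
# separator '=', expiry YYMM, 3-digit service code, discretionary data, '?'.
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})(\d*)\?")

# Constructed test swipe using a well-known test PAN (not a real account).
CLEAR_SWIPE = b";4111111111111111=2512101123456789?"
DEMO_KEY = b"injected-key-stand-in"   # constructed; real keys live in the reader


def luhn_ok(pan):
    """Luhn check so that random runs of digits are not reported as PANs."""
    total = 0
    for i, d in enumerate(reversed(pan)):
        n = int(d)
        if i % 2 == 1:
            n = n * 2 - 9 if n * 2 > 9 else n * 2
        total += n
    return total % 10 == 0


def find_card_data(blob):
    """Return the Luhn-valid PANs present in clear text in `blob`. This is what
    a memory scraper harvests, and also what a defender should scan for."""
    return [m.group(1).decode() for m in TRACK2_RE.finditer(blob)
            if luhn_ok(m.group(1).decode())]


def keystream(key, length):
    # Stand-in stream generator (HMAC-SHA256 in counter mode); a production
    # reader uses a standardized scheme and per-swipe keys, not this.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypting_reader(track2, key):
    """Models a hardware-encrypting reader: the host gets a masked PAN (first
    six and last four digits, enough for receipts and lookups) and the
    encrypted track, never the clear track."""
    pan = TRACK2_RE.match(track2).group(1)
    masked = pan[:6] + b"*" * (len(pan) - 10) + pan[-4:]
    ciphertext = bytes(a ^ b for a, b in zip(track2, keystream(key, len(track2))))
    return b"MASKED=" + masked + b";CT=" + ciphertext.hex().encode()


def demo():
    """Scan two constructed 'memory buffers': one from a plain reader, one
    from an encrypting reader. Returns the PANs found in each."""
    plain_buffer = b"POS sale #1042 tender=credit " + CLEAR_SWIPE + b" approved"
    enc_buffer = (b"POS sale #1042 tender=credit "
                  + encrypting_reader(CLEAR_SWIPE, DEMO_KEY) + b" approved")
    return find_card_data(plain_buffer), find_card_data(enc_buffer)


if __name__ == "__main__":
    print(demo())
```

Run against the plain buffer the scanner returns the PAN; run against the encrypting reader’s output it returns nothing, which is the whole reason the Dynamag-style reader is worth fifty dollars. The same `find_card_data` scan, pointed at your own POS process memory or logs, is a cheap way to check whether clear card data is present on the machine at all.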
