Chip and PIN Crash Course

September 22, 2014

EMV and chip & PIN have become bigger buzzwords lately as more national retailers have reported their credit card data being breached. There’s a lot around EMV and it can be incredibly confusing even if you’re mired waist deep in the card payment industry. I’m only ankle-deep, but hopefully this can help clarify some of the bigger points of the program.

What is EMV?

EMV stands for Europay/MasterCard/Visa and is a series of specifications designed to maximize the security of payment systems. It started in Europe and is beginning to gain traction in the US. The current method uses a chip built onto a credit card that activates when plugged into a special card reader or payment terminal. It won’t release the data unless the user enters a PIN, thereby making it more secure than swiping a magnetic card through a reader.

There are other methods, including contactless payment, but the chip and PIN method is the next to be adopted in the US. You may have seen these types of cards already; they’re often used as smart cards for employee access and other ways to control who can use or enter something. For instance, Western Washington University’s laundry machines ran on smart cards. So the cards themselves have been around for a while.

Why is it awesome?

The main reason EMV is useful is because it’s a multi-step method of authorizing and approving payment. With current credit cards, the proof that you’re you is a signature, and they rarely check it. For reals. I’ve drawn giant smiley faces for signatures and the charge went through no sweat. With debit cards you need to enter a PIN, which is fantastic, but the card can also be used as a credit card so you can circumvent that step.

Secondly, the technology has been adopted pretty much everywhere else, so the hardware exists, it’s been tested, and it’s been optimized to cut down on the hassle for customers. The data on the card changes slightly every use, which provides an added layer of protection. I imagine there’s a checksum involved and if it doesn’t pass, the transaction gets flagged or outright denied.
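The “data that changes slightly every use” is what EMV calls an Application Cryptogram. As an added illustration (not code from this post or from EMVCo), here is a simplified model of the idea: the chip MACs the amount, currency, its own transaction counter and the terminal’s challenge, and the issuer checks the MAC and that the counter only ever moves forward, so a captured transaction cannot be replayed or edited. HMAC-SHA256 stands in for the 3DES/AES MAC of the real specification, and the card key, amounts and challenge values are constructed.

```python
import hmac
import hashlib

# Constructed card key. A real issuer derives a per-card key from a master key
# and the PAN, and the EMV cryptogram is a 3DES/AES MAC; HMAC-SHA256
# truncated to 8 bytes stands in for it here.
CARD_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")

def _mac(key: bytes, amount: int, currency: str, atc: int, un: bytes) -> bytes:
    data = f"{amount}|{currency}|{atc}|".encode() + un
    return hmac.new(key, data, hashlib.sha256).digest()[:8]

class Card:
    """Chip side: each transaction bumps the Application Transaction Counter
    (ATC) and MACs it with the terminal's challenge, so no two swipes match."""

    def __init__(self, key: bytes):
        self.key, self.atc = key, 0

    def generate_arqc(self, amount: int, currency: str, un: bytes) -> dict:
        self.atc += 1
        return {"amount": amount, "currency": currency, "atc": self.atc,
                "un": un, "arqc": _mac(self.key, amount, currency, self.atc, un)}

class Issuer:
    """Issuer host: holds the same key and the highest ATC accepted so far."""

    def __init__(self, key: bytes):
        self.key, self.last_atc = key, 0

    def authorize(self, req: dict, terminal_un: bytes) -> str:
        if req["un"] != terminal_un:
            return "DECLINED: not bound to this terminal's challenge"
        if req["atc"] <= self.last_atc:
            return "DECLINED: counter reused (replay or clone)"
        expected = _mac(self.key, req["amount"], req["currency"], req["atc"], req["un"])
        if not hmac.compare_digest(expected, req["arqc"]):
            return "DECLINED: cryptogram mismatch"
        self.last_atc = req["atc"]
        return "APPROVED"

def demo() -> tuple:
    """Genuine purchase, replay of the captured request, then a captured
    request with the amount edited in transit."""
    card, issuer = Card(CARD_KEY), Issuer(CARD_KEY)
    un1 = bytes.fromhex("1a2b3c4d")            # terminal's unpredictable number
    req = card.generate_arqc(2499, "USD", un1)
    genuine = issuer.authorize(req, un1)
    replay = issuer.authorize(req, un1)         # identical bytes sent again
    un2 = bytes.fromhex("5e6f7081")
    req2 = card.generate_arqc(2499, "USD", un2)
    req2["amount"] = 99999                      # tampered before reaching issuer
    return genuine, replay, issuer.authorize(req2, un2)
```

A cloned magstripe, by contrast, carries the same static bytes on every swipe, which is exactly what the counter and challenge in the MAC take away from a counterfeiter.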

I own a business, what do I do?

I guess for now, you get to wait. If you accept credit and debit cards, it might be a good idea to get in touch with your merchant services provider to see what their plan is. The major card reader and payment terminal manufacturers have products ready to go, if not already in use, so the transition should be relatively painless.

Hardware:

Since adoption rates are so high outside of the US (Western Europe boasts 73.9% of cards and 89% of terminals utilizing EMV), there’s a fair bit of hardware already out there. It looks like for now the biggest issue is ensuring that whatever you have to take cards is compatible with every variant on the market.

MagTek DynaPro – MagTek has led the way when it comes to securing card data. From their Dynamag (née Centurion) hardware-encrypted card reader to their check reader platform, you can be sure if your card data falls into the wrong hands, it’ll be useless. The DynaPro incorporates their MagneSafe hardware encryption platform with contact and contactless smart card reading, making it a great option during the transition period.

VeriFone VX 520 – The VX 520 is a standalone payment terminal, like what you might see at a convenience store or places that use an electronic cash register instead of a full POS system. Like the DynaPro, it supports both traditional magnetic cards as well as EMV smart cards. You do gain additional versatility with this terminal; it supports transmitting card data via dial-up, Ethernet, and even GPRS cellular networks, so this could be a great fit for mobile POS platforms.

ID Tech Unipay – Mobile POS on smartphones is blowing up, or it blew up. Either way it’s pretty huge. ID Tech has been making various readers that hook in via audio jack, and their new UniPay extends that functionality by supporting EMV cards. It does require the software you run to accept that data, so there are some extra steps required. It’s not out yet, but should be soon.

Ingenico iPP H-Touch 480 – Ingenico, like VeriFone, has been making payment terminals for years. They’re usually the ones you see at grocery stores and larger department stores, and are pretty robust. The iPP H-Touch 480 supports magnetic card reading as well as smart card and contactless cards, making it a great transitional tool. It does require integration with your POS system, so you may want to talk with your software provider to make sure this is a compatible solution.

Square EMV – Everyone and their brother loves Square and their 2.75% transaction rates, so it’s good that they’re working on creating a reader that supports chip and PIN. It looks like you can give them your email and they’ll let you know when it’s ready. I bet every news site and blog aggregator will also let you know when it’s ready.

Important Dates:

We’ve already passed a few important dates, mostly with regard to processors adopting the standards and deadlines, but the main two for businesses are October 2015 and October 2017.

October 2015

– Liability shifts to processors if their merchant lacks an EMV-enabled device and is involved in a counterfeit or fraudulent card-present transaction.

October 2017

– Similar liability shifts, but for automated fuel dispensers. They get extra time because replacing gas station systems sounds expensive and complicated.

Conclusion:

Businesses, if they’re not already supporting EMV and chip & PIN, have about a year to get transitioned over and ready to go. Thankfully, it looks like solutions are in development or already available, so it’s a matter of working with your credit card processor to ensure you get the right one. We are working with our merchant account provider partners to make sure we have the hardware ready as soon as possible and will let you know as soon as we have solutions available.

Sources:

http://www.tsys.com/acquiring/engage/white-papers/United-States-EMV-Adoption.cfm – U.S. EMV Adoption: Lessons Learned from a Canadian-Based Value Added Resource (VAR) – TSYS
http://www.idtechproducts.com/products/mobile-readers/176.html – ID Tech Unipay – ID Tech
http://www.magtek.com/V2/products/pin-entry-and-management/DynaPro.asp – DynaPro – MagTek
http://www.ingenico.com/en/products/payment-terminals/retail-pin-pads/ipp-h-touch-480/ – iPP H-Touch 480 – Ingenico
http://www.verifone.com/products/hardware/countertop/vx-520/ – VX 520 – VeriFone
http://www.verifone.com/solutions-services/emv/ – The Key to EMV – VeriFone
http://www.emvco.com/about_emv.aspx – About EMV – EMVCo
https://squareup.com/emv – Square EMV Reader – Square
http://masteryourcard.com/blog/2008/04/11/a-prank-to-remember-do-signatures-matter/ – A Prank to Remember: Do Signatures Matter – Master Your Card

Just caught an article from last month, where a group of men installed card skimmers on cash registers in a Florida Nordstrom. The registers used the PS/2 port on the PCs for keyboard entry, and so any text sent to the register would be caught by the skimmer. Unfortunately, the keyboards used generally have the credit card reader built into the keyboard, so that means credit card data was being sent as plain text through that same port. That’s a really big risk for cardholders and Nordstrom.

I’m not sure how they were able to hot install a PS/2 device without having to reboot the PC. In my experience, unplugging a PS/2 mouse or keyboard usually meant you had to reboot the PC to re-establish the connection. But they were able to get the skimmer installed somehow, so that’s a threat right there. I’m also amazed that PS/2 is still being used in industry. When I started, support handled a 50/50 split between PS/2 and USB-based keyboards and input devices. Today, it’s closer to 95% in favor of USB. It’s just easier to use and troubleshoot.

Anyway, as I’ve mentioned in previous posts, if third parties have access to your POS system, they have access to everything on it, including credit card data. It doesn’t matter if your processing software encrypts it before it shoots it off to the internet, the data is still available at some point on the computer. That’s why companies like MagTek have created great products like the Dynamag, which can encrypt the data in the MSR itself before sending it to the PC. So even if it does get compromised, all the thieves get is a garbled mess.
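A quick way to check whether a keyboard-wedge reader is handing plaintext card data to the PC is to capture what it “types” and look for track data in it. This is an added example, not the post’s own code or any vendor’s: it parses the ISO 7813 track 1 and track 2 layouts (with a fallback for wedges that strip the sentinels), Luhn-checks each candidate PAN, and reports matches masked so the report itself never holds a full card number; the swipe samples, including the layout of the encrypting reader’s output, are constructed.

```python
import re

# Sentinels and separators from ISO 7813 magstripe tracks, which a keyboard-
# wedge MSR "types" into the POS application one keystroke at a time. Whatever
# sits on that path (an inline PS/2 or USB skimmer, a keylogger on the PC)
# sees exactly these characters.
TRACK1_RE = re.compile(r"%B(\d{13,19})\^([^^?]*)\^(\d{4})")
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})")
DIGIT_RUN_RE = re.compile(r"\d{13,19}")

# Constructed samples. The encrypted form is illustrative (masked PAN, then
# ciphertext and a key serial number), not any vendor's exact output.
PLAINTEXT_SWIPE = ("%B4111111111111111^DOE/JOHN^25121011000000000?"
                   ";4111111111111111=25121011000000000?")
STRIPPED_SWIPE = "4111111111111111=25121011000000000"
ENCRYPTED_SWIPE = (";4111110000001111=2512101100000?"
                   "|B7E1F09C4D2A6E8F3C1B5A9D7E0F2C4A|FFFF9876543210E00001")

def luhn_ok(pan: str) -> bool:
    """ISO 7812 check digit; rejects ciphertext and zero-masked PANs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask(pan: str) -> str:
    """First six and last four only, so the report itself is safe to log."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def scan_wedge_output(captured: str) -> dict:
    """Report what one captured swipe exposes: which tracks were readable,
    Luhn-valid PANs (masked), expiry and cardholder name."""
    report = {"track1": False, "track2": False, "pans": [],
              "expiry": None, "name": None}
    pans = set()
    for m in TRACK1_RE.finditer(captured):
        report["track1"], report["name"], report["expiry"] = True, m.group(2), m.group(3)
        pans.add(m.group(1))
    for m in TRACK2_RE.finditer(captured):
        report["track2"] = True
        report["expiry"] = report["expiry"] or m.group(2)
        pans.add(m.group(1))
    if not pans:  # some wedges drop the sentinels; fall back to bare digit runs
        pans.update(DIGIT_RUN_RE.findall(captured))
    report["pans"] = sorted(mask(p) for p in pans if luhn_ok(p))
    return report
```

Run it over the output of each reader model you deploy; a reader that passes the plaintext test still leaks the expiry and name if it only masks the PAN, so look at every field the report fills in.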

With PCI compliance becoming more prevalent, and merchants facing fines for data loss, doing what you can as a business owner to mitigate the damage now is a great way to avoid paying a steep fine later. We have the Dynamag available for a little over 50 dollars, and your merchant account provider can encode it usually for a nominal fee, or even for free. Seems a lot cheaper than a $20,000 fine for a data breach.

As PCI standards have become more stringent, there’s been some hesitation from retailers and restaurant owners. Ensuring your business is compliant can be expensive, and the standards have been a moving target over the years. One of the big ones on the horizon is table-side payment, which can be a tremendous cost, including mobile computers and software to take payment.

But the upside is your customers can be certain that their card isn’t being compromised, like in this KIRO article about a Red Robin employee skimming cards and then making major purchases with the card data. If you don’t feel like checking out the nitty gritty of the article, the employee had a secondary card reader, probably something that paired with her phone or maybe a custom built device to batch store card data. When she’d ring up the customers, she’d also swipe the card in the device and have all the info needed to perform online purchases.

This is usually the portion of the post where I talk about the great products that make it easy to have table-side payment. And there are some options available, such as the Motorola MC40, or mobile card readers for iOS & Android devices. But the big thing is that these kinds of situations can cause problems for business owners, such as an increase in liability insurance, or increased processing fees. So while meeting PCI standards can have a steep initial investment, in the long term you are definitely going to save money and provide a safer and better experience for your customers.

Read Write Web has an interesting article up covering potential Square credit card reader vulnerabilities. To catch up, Square is a card reader designed by Jack Dorsey (inventor of Twitter), and allows people to take credit card payments with their iPhones. They also act as the credit card processor, cutting out traditional merchant account providers & transaction hardware manufacturers.

Anyway, at this year’s Black Hat security conference, a couple presenters figured out a couple ways to exploit the Square payment system, either by accepting cardless transactions or by skimming card data into a secondary app. One method involved converting track data into an audio signal, then piping it into the software through the headphone jack. The second and more useful method allows the Square card reader to send credit card data to another app, which is a little more disconcerting.

The card skimming exploit outlined in the article requires a jailbroken iPhone, custom software that reads the input data from the Square reader, and a Square reader. In this way, it’s remarkably easy to capture and store credit card data. The software could even be designed to look like the Square processing software, further adding to the illusion of a safe transaction.

The crux of the article was that hardware encryption would render this technique moot, and that’s a great point to make. Encrypting the data before it’s even sent to the iPhone/iPad makes it nigh impossible to turn the encrypted gibberish into legitimate credit card data. However, there are already a ton of unencrypted Square readers now in the wild, and on eBay for a couple bucks, so the potential for fraud sticks around. I emailed Square to find out if, when the encrypted readers come out, they’ll exchange them with existing customers, but haven’t heard back.

While it is a little scary to think of iPhones as a new vector for committing fraud, the steps required to achieve it are a little steeper than exist for standard retail PCs with credit card readers attached. Most POS systems in retail & restaurant locations run some flavor of Windows and are connected to the internet to process transactions. But that also means they’re connected to the internet for idle people to surf the web, catch malware, and generally cause problems. Grabbing an encrypted card reader for your business or even switching to a separate payment terminal can definitely mitigate these issues.

So to sum up: Square credit card readers can potentially be used for evil. So can regular credit card readers. As a customer, don’t hand your card over unless you trust the business or person running the transaction. As a merchant, make sure you have methods in place to prevent your customers’ credit card data from getting into the wrong hands.

A lot of brilliant people are making some phenomenal progress in credit card processing and card security methods, and this new method of using your webcam to capture credit card data for purchases sounds intriguing.

They have some of the nitty gritty in the press release, but I’ll try to break it down somewhat. Right now when you buy stuff online, you have to manually enter your credit card data. And a lot of personal data. I think most retailers require billing address, CC number, CVV, and blood type. All this data is encrypted a TON and fired off to the retailer, who then runs the card and sends you some culottes or mustache wax. I buy weird stuff. What’s really unfortunate is that the data can still be compromised/captured en route to the PC via keyloggers and other assorted malware designed to steal your stuff.

Enter Jumio and Netswipe. Rather than hand enter data, your webcam opens a secure connection to an authentication service, and you hold your card in front of the webcam while it gets a read. It might also see your messy apartment, but I don’t think it will judge. You use your mouse to enter the CVV so keyloggers just see some clicks, and the transaction’s complete. They mention that this could be used at businesses as well; my guess would be via a 2D barcode scanner that can also capture images.

I think Netswipe has the potential to minimize a lot of fraud that occurs online. You actually need the card to make the transaction, so you cut back potential users to those who own the card, or may have physically stolen it. Although a well-printed duplicate may also work, I’m not sure how that plays out. Since the CVV is entered by mouse clicks instead of keystrokes, you also eliminate another chunk of data that could be stolen.

My only worry would be malware designers building for this new capture method, where they either capture the video stream, or set the camera to take a still image after the transaction’s complete, so then they get a nice crisp image of the card instead of the keyboard-entered data. But I’m sure the Jumio developers are looking at a variety of ways to minimize abuse.

In the meantime, there are methods to secure transactions at the point of sale. The MagTek Centurion card reader offers hardware encryption that is only decrypted by your credit card processor. I’ve mentioned previously that businesses are starting to get fined for data breaches, so taking steps to secure sensitive data now will definitely save you time and money in the long run.

PCI Compliance has (to me) seemed like a pretty big boogeyman over the years. It felt like a method for credit card processors to enact higher rates on businesses that aren’t following very specific and esoteric rules for data encryption. Data security is vital in business, especially when it’s customer data like credit cards and addresses and such. But a lot of the rules always felt like overkill.

After hearing about a restaurant chain in Boston being fined $110,000 for a data breach, I can see why PCI Compliance is going to be more and more important. The business in question had malicious software unknowingly installed onto one of their PCs, giving a third party access to credit and debit card info. The software wasn’t detected for 8 months, including the holiday season, so a lot of customer data could have been lifted.

Massachusetts has one of the strictest data breach policies in the country, as well as the most difficult to spell name, but it doesn’t take away the fact that this business could’ve taken meager steps to eliminate this problem. Antivirus/Antimalware software could have probably caught this issue quickly, but an even better step would be to limit employee access to the web on payment terminals. If they can’t connect to malicious sites, they can’t download malicious code. And if it comes from someone installing software from portable media, you have a bigger issue at your business than PCI Compliance.

However, if your merchant account provider can swing it, a really easy way to secure customer credit and debit data is to get an encrypted credit card reader, like MagTek’s Centurion. The reader is programmed by your credit card processor and uses hardware in the device itself to encrypt card data, which is decrypted by the processor upstream. So now even if your computer is festooned with malware, viruses, trojans, and every other piece of horrific software, all they can get is gibberish. Hard to commit fraud with gibberish.