Is Your Chip Card Implementation Secure?

As payment technology around the world continues to change, one consideration at the back of everyone’s mind is payment security. Whether you are completing a payment transaction using an app, crypto currency or credit card there is the potential for malicious actors to potentially eavesdrop and even hijack your financial payment information.

Benefits of EMV Cards

With the modernization and increased distribution of EMV cards (or chip cards) it was a major belief that the technology  would strengthen the security protections around credit card payments, both in person and online. The reason for the optimism surrounding EMV cards was due to a number of reasons:

  • Designed to Prevent Fraud - The chip card design was formulated to prevent fraud when it comes to face-to-face purchases as the technology would make counterfeit credit cards easier to identify.
  • Difficult to Clone - To clone a non-chipped card a malicious actor would only need to skim the card in order to steal the associated data. This could be done with a skimmer device at a pay station/kiosk such as a gas station or ATM machine or by brushing up to your purse/wallet with an RFID Skimmer which scans the magnetic strip without your knowledge. EMV cards renders the act of simply skimming a card useless since the data on chip cards is constantly changing, making it extremely hard to isolate and extract. In order for a malicious actor to steal this information, they would have to access and manipulate the physical chip circuit to get your bank information. Not only are these actions difficult to perform, but the equipment needed can cost hundreds of thousands of dollars, or even up to one million dollars.
  • Sophisticated Encryption - Magnetic strip cards have the ability to broadcast your banking information as-is at the point of swipe, but chip cards are different because encryption is built into the card itself. When a chip card is used at the payment terminal, the chip communicates back and forth in a secret language to verify the cardholder’s identity. This is designed to protect the transmission of data associated with your card to prevent eavesdropping and financial theft.

“For EMV’s security protections to work, the back-end systems deployed by card-issuing financial institutions are supposed to check that when a chip card is dipped into a chip reader, only the iCVV is presented; and conversely, that only the CVV is presented when the card is swiped. If somehow these do not align for a given transaction type, the financial institution is supposed to decline the transaction.” – Brian Krebs, www.krebsonsecurity.com.

What Makes a Chip Implementation Compliant?

Based on recent research by Brian Krebs, several financial institutions have not set up their systems to perform the sophisticated encryptions to secure payment validations properly.  

As EMV cards continue to become more prevalent, threat actors are adapting as they continue to develop new methods targeting consumer credit card data. One popular method targeting EMV cards is the creation of point-of-sale malware which is used to capture the EMV transaction data in order for this information to be resold and used to create magnetic strip copies of chip-based cards. In early July, this type of malicious attack came to the forefront of the financial industry when Visa put out a security alert detailing the prevalent of this type of malware.

The Potential Costs of Non-Compliance

As with most industry standards, there are a variety of costs that come into play for non-compliance. While every organization should perform an assessment of their unique risks, some commonalities arise across industries:

  • Fines & Penalties - Merchants may face fees specific to EMV non-compliance as well as general fees for non-compliance with Payment Card Industry Data Security Standard Compliance (PCI DSS). These fees are determined by the individual processor and can add up to thousands of dollars annually.
  • Fraud Liability - Beginning in October 2020, all businesses accepting point-of-sale card payments using magnetic stripes will be liable for fraudulent transactions processed on their terminals (all businesses aside from pay-at-the-pump gas stations have faced this liability since October 2019). The likelihood of card fraud will be different for each merchant, but implementing EMV-capable technology is a straightforward way to mitigate this risk.
  • Data Compromise or Breach - While employing EMV-capable terminals mitigates the risk of fraudulent transactions, point-to-point encryption (P2PE) provides an additional safeguard against the compromise of transactional data in transit. With data breaches costing organizations an average of $150 per record in fines and lawsuits, identity protection services for victims and unmeasurable reputational damage, being the name associated with a data breach can be catastrophic for any company.

How can Schneider Downs help?

At Schneider Downs, we assist clients with their PCI Compliance requirements by providing scalable, efficient solutions for meeting the rigorous demands of PCI compliance. Incorporated within our compliance approach is the strategy to develop a control environment that will ensure future compliance is sustainable. For more details on our PCI service offering, please visit our website or contact us if you have any questions.

Sources

About Schneider Downs Cybersecurity

The Schneider Downs cybersecurity practice consists of experts in multiple technical domains. We offer a comprehensive set of information technology security services including penetration testing, intrusion prevention/detection review, ransomware security, vulnerability assessments, and a robust digital forensics and incident response team. For more information, visit www.schneiderdowns.com/cybersecurity.

In addition, our Incident Response Team is available around the clock at 1-800-993-8937 if you suspect your organization is experiencing a network incident.

You’ve heard our thoughts… We’d like to hear yours

The Schneider Downs Our Thoughts On blog exists to create a dialogue on issues that are important to organizations and individuals. While we enjoy sharing our ideas and insights, we’re especially interested in what you may have to say. If you have a question or a comment about this article – or any article from the Our Thoughts On blog – we hope you’ll share it with us. After all, a dialogue is an exchange of ideas, and we’d like to hear from you. Email us at contactSD@schneiderdowns.com.

Material discussed is meant for informational purposes only, and it is not to be construed as investment, tax, or legal advice. Please note that individual situations can vary. Therefore, this information should be relied upon when coordinated with individual professional advice.

© 2020 Schneider Downs. All rights-reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.

our thoughts on

Ransomware Victims May Now Face Federal Fines
Schneider Downs Shortlisted for PTC Tech 50 Cybersecurity Award
Cybersecurity Tips from Home Video Series
National Cybersecurity Awareness Month 2020
Innovation and Implementation of New Technology in Manufacturing
Zerologon: Instant Elevation to Domain Admin

Register to receive our weekly newsletter with our most recent columns and insights.

Have a question? Ask us!

We’d love to hear from you. Drop us a note, and we’ll respond to you as quickly as possible.

Ask us

contact us

Map of Pittsburgh Office
Pittsburgh

One PPG Place, Suite 1700
Pittsburgh, PA 15222

contactsd@schneiderdowns.com
p:412.261.3644     f:412.261.4876

Map of Columbus Office
Columbus

65 East State Street, Suite 2000
Columbus, OH 43215

contactsd@schneiderdowns.com
p:614.621.4060     f:614.621.4062

Map of Washington Office
Washington, D.C.

1660 International Drive, Suite 600
McLean, VA 22102