Potential Breach Affecting VISA, MasterCard — EMV Won’t be Here Soon Enough
Brian Krebs scooped a major story yesterday about a potential major credit card breach at a U.S.-based payment processor affecting both VISA and MasterCard.
The news made headlines across top media outlets for good reason: this is NOT the first major credit card breach. 2011 saw a wrath of breaches including Epsilon and Sony, not to mention the “out-of-control” card-skimming fraud that is going on throughout the USA prompting FBI involvement.
Not unlike robbing banks, forging checks or conducting online fraud, criminals find the weak link in security systems and put plans in place to exploit them. Unfortunately, the industry has known for decades that magnetic stripe cards offer poor security protection, and with the shift toward using cards for online payments, it’s no wonder we’re reading about new breaches on a weekly basis.
Fortunately, technology exists that helps dramatically improve credit card security — it’s called EMV or chip-based credit cards. EMV allows for an encrypted security key to be contained within the chip on the credit card, thereby making card-skimming or duplication virtually impossible; or at the very least, extremely difficult, impractical and uneconomical for a criminal to execute. As well, implementations support the concept of a user PIN to help prevent card use when a card is physically lost or stolen.
Unfortunately, credit card companies and payment processors in many parts of the world — including the U.S. — have yet to adopt EMV-based credit cards since the cost to upgrade the point-of-sale payment terminals at retail outlets is an expensive undertaking.
This obstacle will change in the next few years as both VISA and MasterCard have introduced programs for EMV in the U.S. One of the key driving forces that will help provide the business case for terminal upgrades, in addition to increased security benefits, is that outdated terminals also require a refresh to support the emerging trend of smartphone-based payments. Paying for coffee, gas or even movie tickets with a smartphone is based on a technology called NFC (near-field communications), which allows the smartphone to communicate and/or issue payment authorization to the payment terminal.
NFC is already used in certain retail locations today as contactless payments cards such as MasterCard Paypass and Visa Paywave rely on the same technology.
Although not broadly known, one of the additional key benefits of building EMV and NFC into payments cards is that this technology can also be leveraged for securing Internet-based payments using EMV CAP (Chip Authentication Program). Imagine a scenario where, along with supplying your credit card number, you supply a one-time-passcode (OTP) that is generated from the security key contained on your card. Sure, a criminal can steal your card number, but without the ability to generate an OTP, the credit card number is useless.
There have been attempts to secure in-person and online payments for many years, but EMV promises to dramatically take security AND user experience to a whole new level. The net result? Credit card breaches and card-skimming will become a thing of the past. Where will the criminals then focus their attention? That’s another story.