January 2, 2014

Why EMV Isn’t the Answer to Breach at Target

This post was written by Shift4’s VP of Business Development, Bob Lowe.

By now, I’m sure almost all of you have heard about the credit and debit card information breach at Target stores. If not, get caught up here and then this post will make more sense. Likewise, you have probably seen the litany of articles published over the past two weeks speculating about how it happened and what security technologies may or may not have been in play. Now, we’re not prone to wild speculation or finger pointing, so we have kept out of the discussion until now, but we just can’t stand by as the self-proclaimed payment security experts publish absolute BS in the hopes of capitalizing on Target’s misfortune.

Case in point: there are articles out there that clearly say that EMV (chip and PIN) payment cards would have prevented this type of breach from occurring. This is absolutely untrue.

Why is that?
EMV is all about the interaction with the card and the device that reads the card. Most EMV devices still send clear text card numbers from the device to the POS, so the POS is getting the exact same information as when a traditional magnetic stripe PIN debit or signature card is used.

There’s also a lot of talk about whether unencrypted or encrypted PIN numbers were lost, and if Target’s PIN encryption key was strong enough. First of all, the processor that receives the transaction provides the encryption key, not Target. Also, the PIN encryption method is provided by the device manufacturer – and must comply with strict PCI regulations. The encryption takes place inside the secure swipe device and Target would not have the ability to decrypt it. So if the PINs are compromised, it’s not because Target had a weak key, it’s because the processor had a weak or compromised key.

When talking about PIN encryption, it’s important to realize that in most payment terminals, while the PIN number is encrypted, the card number and other information from the magnetic stripe of a card are not. We should also remember that PINs are not used with credit transactions, only debit.

P2PE Solution
One technology that actually could have made a difference in this case is point-to-point encryption (P2PE). This newer approach ensures that the card number and all the stripe information, not just the debit PIN, is encrypted. If Target had used P2PE, then they would not have had any sensitive cardholder data in their environment to lose – so even when they were hacked, the thieves would have gotten nothing of any value.
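A merchant can test the claim above by scanning what the POS actually receives from the card reader for clear-text card data. The following is an added example, not Shift4's code and not part of the original post; the three message layouts and field names are constructed for illustration, and the card number is the widely used 4111... test value.

```python
import re

# Track 2 layout per ISO/IEC 7813: ;PAN=YYMM + service code + discretionary data + ?
TRACK2 = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})(\d*)\?")
# Any stand-alone run of 13-19 digits is a candidate card number (PAN).
PAN = re.compile(rb"(?<!\d)\d{13,19}(?!\d)")

def luhn_ok(digits: bytes) -> bool:
    """Luhn checksum, used to discard digit runs that cannot be card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ch - 48                      # ASCII digit -> int
        if i % 2 == 1:                   # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask(pan: bytes) -> str:
    """Report only first six / last four digits so the scanner's own output is safe."""
    s = pan.decode()
    return s[:6] + "*" * (len(s) - 10) + s[-4:]

def find_cleartext_card_data(buf: bytes):
    """Return (kind, offset, masked PAN) for each clear-text hit in a POS-side buffer."""
    findings, seen = [], set()
    for m in TRACK2.finditer(buf):
        if luhn_ok(m.group(1)):
            findings.append(("track2", m.start(), mask(m.group(1))))
            seen.add(m.start(1))         # do not report the same PAN twice
    for m in PAN.finditer(buf):
        if m.start() not in seen and luhn_ok(m.group()):
            findings.append(("pan", m.start(), mask(m.group())))
    return findings

# Constructed reader-to-POS messages (hypothetical formats, test card number).
MAGSTRIPE_MSG = b"TXN01|;4111111111111111=25121010000?|AMT=12.50"
EMV_MSG = b"TXN02|EMV|PAN=4111111111111111|EXP=2512|AMT=12.50"
P2PE_MSG = b"TXN03|P2PE|KEYID=A7C1|DATA=A1F3C9E07B2D4456F0E1D2C3B4A59687|AMT=12.50"

if __name__ == "__main__":
    for name, msg in [("magstripe", MAGSTRIPE_MSG), ("emv", EMV_MSG), ("p2pe", P2PE_MSG)]:
        print(name, find_cleartext_card_data(msg))
```

The magnetic stripe and EMV messages both produce a finding, while the P2PE message produces none, which is the difference the post describes.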

Some media have carried stories that suggest the encryption, while strong enough to thwart an amateur hacker, was not strong enough to beat the attack from serious cyber criminals. That’s where gateways like Shift4 add value. We take the P2PE-protected data, which already has a dynamic key that changes for each transaction, and encrypt it again using what we call “moving target encryption.” Even if the best cyber criminals were able to hack this double encryption, which is unlikely, they would only get one card number. Then they would need to repeat the cracking exercise for each additional card. With the cyber criminals selling magnetic stripe information for about $25 a card, the effort needed to steal one card number when these technologies are involved becomes unprofitable.

Why Didn’t They Have P2PE?
It is unfortunate that an existing technology – one that is readily available in the marketplace – could have prevented this whole situation had it been put in place. The challenge the payment industry faces is that being PCI compliant and being secure are not the same thing. An organization, like Target, can be deemed PCI compliant but can still be breached. And after an organization is breached, they will then be deemed to have been non-PCI compliant at the moment of the breach – even if they were PCI certified the day before! The problem is that PCI does not encourage or reward an organization for taking the additional steps and spending the additional money to invest in strong security technologies like P2PE and the other advanced security solutions companies like Shift4 offer – even when those technologies are readily available and proven in the real world.

Now that Target is struggling to restore public faith in its card acceptance practices and turn around the drop in revenues it experienced after the breach, it’s probably a good time to suggest that organizations that use P2PE and higher levels of security should be rewarded by being able to display a high-security badge at the point of sale. Much like when restaurants proudly post their “A” rating food safety sign from the health department to let customers know they practice verified, proper food safety protocols. This “high-security” badge for retailers and other establishments would become recognizable by the public as deeming the organization a safe place to shop. It would also give merchants a legitimate goal to shoot for, since we’ve clearly seen that “PCI compliant” really doesn’t mean anything.