New technology to prevent credit card breaches

This is an archived article and the information in the article may be outdated. Please look at the time stamp on the story to see when it was last updated.

ST. LOUIS, MO (KTVI)-- It seems a week doesn't go by that we don't hear about some kind of credit card or data breach, but that could soon be changing.

First it was Schnucks and TJ Maxx, then Michael's and Neiman Marcus and of course the biggest of all, Target.

All of these retailers, victims of credit and debit card data breaches that affected millions of shoppers and cost banks and businesses billions of dollars.

Mark Sundt is the chief technology officer at Clearent, a Clayton-based credit card processing company that's working on deploying new, more secure ways to process electronic payments. One example is a super-secure credit card swipe-reader.

All of the information is communicated over private, secure network computer lines.

Another advance will change the look of the cards in our wallets. By late next year, most credit and debit cards will come with a special embedded chip, called an EMV chip that stands for Europay, Mastercard and Visa because the technology has been used in Europe for years.

The new cards have two big advantages over the cards we currently use: unlike magnet strips that are easy to reproduce, it's virtually impossible for hackers to manufacture and embed these chips in counterfeit cards.

Also, the chip cards must remain in the credit card reader machine during the entire transaction, and sometimes for an added layer of protection, a secret personal identification number must also be entered.

Target, feeling heat from regulators and lower sales from its customers, has announced it will add new, more secure credit card readers that are able to accept EMV chip cards, trying to stay one step ahead of the hackers to prevent the next data breach.

Those new chip cards will become far more common next year.

The other big advancement, look for more secure mobile payment systems, using your smartphone instead of a debit or credit card.

5 comments

  • Andy

    EMV (aka Chip & PIN/Chip & Sig) is not the ‘silver bullet’ that people are being led to believe it will be.

    The problem we have is we rely on static data to authorize payment transactions. Because the account data is static, it can be used again, which is why the bad guys want to steal it. We must move to a system that relies on dynamic data for transactions. When the account data becomes dynamic, it cannot be re-used nor predicted from one transaction to the next – so why steal it in the first place? That’s how you make stolen data useless and ultimately prevent/deter fraud.

    Moving to EMV requires a massive change (and huge investment) to everything in the payment eco-system and as EMV is currently implemented, there is still enough static account data that can be stolen from the card/chip and used for telephone and internet transactions. So will the investment in EMV stop fraud for the consumer? The answer is NO. It might move the fraud elsewhere in the payment eco-system, but as designed and implemented, it will NOT stop fraud.

    There is a technology called MagnePrint that is already part of every magstripe card and in your wallet now. It’s like a magnetic fingerprint for cards and can be used to gather dynamic data with every swipe. MagTek is based in Seal Beach, CA and has pioneered this technology. If dynamic data is the ‘solution’, then MagnePrint can help.

  • Jeff Schroth

    EMV technology is certainly preferable to the “stone age” tech that U.S. cards currently employ. Even so, if the information released by the compromised retailers is reliable EMV cards definitely would not have prevented the Target breach and probably would not have prevented the Schnucks breach.

    No matter how strong the safeguards on a card, if the customer name and account info is not adequately encrypted at any point in the data transmission chain (from the point of sale to the financial institution that is the source of payment) thieves WILL use every conceivable technique to compromise that weak point in the information chain and steal the information.

    Under current regulation when someone performs an ATM transaction today even the information from each button pushed to enter a PIN or a dollar amount on every ATM is encrypted – and the information remains encrypted until it has reached the financial institution’s secure system.

    Retailers are not held to these same standards – there is no regulation requiring them to adequately encrypt consumer data from the instant they receive it and at all times thereafter – and now we can all see the easily-predictable result.

    The inevitable regulatory mandate for EMV technology on cards will NOT solve this problem. The simplest and fastest way to address breaches like those at Schnucks, Target, etc., is to require retailers to implement the same security practices that EVERYONE ELSE in the consumer data transmission chain is already required to use (and penalize them if they fail to do so.)

    • Scott Spiker

      Mr. Schroth, I agree with most of your post except the area that “Retailers are not held to these same standards”. First of all it is not the merchants fault that the payment product is weak and easily counterfeited. Until the card brands and the card issuers feel the pain of compromise, nothing will change. The back end authorization network and systems do not support encryption like we have with PIN. The authorization network is antiquated, no investment to improve the systems.

      Why should the banks and card brands invest in improving security when the merchant carry to burden. Merchants pay interchange for each transaction, that is supposed to help cover the cost of fraud, and then when a breach occurs, they are responsible for the cost of the breach.

      Merchants have no incentive to invest dollars to increase security so they are not going to waste dollars to buy new equipment, Today, merchants can spend dollars to increase security but will still b held accountable in the even of a breach. No R.O.I.

      Today, I can buy a payment device that will encrypt all sensitive data. Without a back end that can decrypt the data and process the transaction, there is no point.

      As for the first post, MagnePrint is a great idea but is too late to be effective.

      • Jeff Schroth

        You are correct that the retail transaction channel currently lacks end-to-end encryption, Mr. Spiker. I believe that if the retailers are required to implement encryption from the point of sale on, the rest of the players in the transaction information channel would have to follow suit – and I think most of them would be (perhaps only secretly) happy to do it.

        FYI, BY LAW the interchange fee for debit card transactions CANNOT include any portion “that is supposed to help cover the cost of fraud.” The law and regulation that defines what “the right amount” for the interchange fee must be specifically excludes fraud prevention expenses from inclusion in the calculation.

        In fact when the Fed tried to piggy-back an additional amount on top of the now-regulated interchange fee for exactly that purpose, the retail merchants complained and the courts told the Fed they weren’t allowed to do that!

        The statement that “Today, merchants can spend dollars to increase security but will still b(e) held accountable in the even(t) of a breach” are simply not accurate.

        Merchants certainly suffer from whatever injury to their customer and public relations that may occur, and they may have to defend themselves against lawsuits by their customers – and I agree that these costs are certainly not inconsequential… but they are only a very small portion of the total costs associated with these breaches.

        These merchants are most assuredly NOT being held accountable for ANY of the MILLIONS of dollars in fraud losses from an event like the Target fiasco.

        The financial institutions bear the vast majority of these costs – which means, as anyone familiar with financial services knows, that ultimately the consumers indirectly pay it, one way or another.

      • Scott Spiker

        I have been in this industry since 1985. Back then the answer to why credit card information was not being encrypted was because the data was primarily sent over private leased lines to the acquirer or for small merchants, the data was sent over dial up. Both methods were very hard to sniff to record information, so those attacks were not feasible.

        Additionally, the consumer was not really effected by card fraud, since most of the transactions were credit card, when a card number was used for fraud, it was the credit card companies money, the card holder simply reported the fraudulent transaction to the credit card company and did not pay the bill.

        When the major card brands created the signature debit product, card data skimmed and used for fraud directly effected card holders bank accounts. This is the point when card data became valuable. Fraud has always been a concern to banks and credit card companies, but when their customers back account was directly debited by fraud and the card holder had to deal with bounced checks, and other NSF issues, then they started to pay attention.

        Great job by the card brands and banks to convince us all that it it the fault of the retailer.

        The credit/debit card product provided by the card brands and banks is very weak and prone to counterfeiting. Consider this, the United States treasury has changed currency technology at least 5 times since 1990 because of counterfeit issues. The magnetic stripe technology that is used for card payments is from the 1950’s. It is cheap to product and issue and the cost to change is much more than the cost of fraud, basically a negative ROI.

        The simply solution of encrypting the data at the point of entry is not so easily implemented. The authorization network is vast and very outdated. Encryption key management is very difficult, and don’t even try to get a Point to Point Encryption method PCI approved,

        I am not a lawyer, i am an engineer. I have seen the evolution of the payment industry evolve since we started electronic payments and have been on the acquiring side and the merchant vendor side of this business. As I stated in my first post, Point of Interaction vendors have had encryption technology that could be used for encrypting card holder data for over 20 years. There have been a countless number of attempts to secure all transaction data from the Point of Interaction side of the transaction. The cost of implementing the solution has always been the issue. It is not just the cost of decrypting equipment, but also includes the cost of transaction processing times, proper key management procedures and compliance audits, to just list a few of the additional costs that has to be incurred.

        And again, merchants can do everything to attempt to secure transactions, still breaches can occur. And the attitude of the PCI SSC, in regards to the PCI DSS, is that a merchant is complaint until there is a breach, so obviously at that point of time they are not complaint. Lawyers file class action suites and fines are levied.

        With all the security bank branches have, there are still successful bank robberies. The crooks will always be looking for away to steal money and some will succeed. It is time that all entities involved in this industry work together to solve this problem, which should start from the card brands issuing interoperable security specifications instead of rules and regulations. The EMV migration in the United States will not help in this area without a unified EMV implementation, driven by the companies that create the payment products.

Comments are closed.