We all know that come next year – or maybe the year after that…or the year after that…but eventually – retailers, banks and consumers will need to have hopped on the EMV bus. And while EMV will help protect the card and the consumer, a smoking security gun it is not.
When the Target breach was first reported late last year and “chip” and PIN (EMV) became a household name, thanks to the multitude of news channels reporting the breach, you would have thought that EMV was the security savior. What if it had been implemented at Target? Well now, we could have avoided all of this!
The dust has settled since that first breach. Because of the nature of the Target intrusion (and others since), it is now clear to the majority of retailers, banks, analysts and processors that while EMV would have helped curb fraudulent use of the cards once the PAN and other card data had been stolen (i.e., it would have prevented white-labeling), EMV would not have stopped the fraudsters from getting into the system in the first place. Nor would it have changed the fact that, once inside that system, there was clear-text cardholder data available for them to steal.
Let’s take the Supervalu breach reported last week, now the subject of a lawsuit. EMV authenticates the card being used and the consumer using it. It certainly doesn’t prevent unauthorized access to a system, and once an intruder is in that system it does nothing to secure the actual cardholder data: data which, had it not been in the clear, would have been of no value to the fraudster who broke in.
“In the suit, which was filed in the U.S. District Court for the Southern District of Illinois, the plaintiffs claim Supervalu failed to abide by best practices and industry standards concerning the security of its payment processing systems… The supermarket chain said Aug. 15 that it was investigating a network intrusion that may have resulted in criminals compromising customer data from its point-of-sale systems. Supervalu says unauthorized access to its systems began not before June 22 and lasted until July 17 at the latest, and may have resulted in the theft of data from 180 Supervalu grocery stores – including franchised stores – as well as standalone liquor stores across seven states.”
EMV is not a smoking gun for data loss prevention – and neither is any other single technology. As much as we all may want one solution to secure the POS, it does not exist and it probably never will.
In April 2014, after we introduced the first PCI-validated Point-to-Point Encryption (P2PE) solution in March, our Chief Innovation Officer, Ruston Miles, hosted a webinar on PYMNTS.com on what we see as the most holistic security approach to secure the retail point of sale: Point-to-Point Encryption (P2PE), EMV and Tokenization. And we also recently released a white paper on this topic. But on the most basic level:
P2PE – This is your card data protection. Traditional payment systems allow Cardholder Data (CHD) to exist somewhere within the merchant environment in unencrypted form. A PCI P2PE solution, like Bluefin’s PayConex P2PE, prevents this by encrypting payment data in a tamper-resistant device (known as the Point of Interaction, or POI) at the time of swipe or key entry. Decryption of this data is not possible until it reaches Bluefin’s hardware security module (HSM).
EMV – This is your card-present fraud protection. Credit and debit cards will be outfitted with a chip, which the point-of-sale device will “read” (note that implementing this technology requires reissuing all debit and credit cards in the U.S., as well as issuing new payment terminals), and along with a PIN that the consumer enters, the chip will validate both the authenticity of the card and that it is the consumer using the card.
Tokenization – This is your payment card storage functionality. Tokenization’s primary security goal is to remove the value of the Primary Account Number (PAN) and end up with a tokenized value that can be safely stored for future transactions. However, tokenization only protects CHD at rest (i.e., stored), not CHD in transit (hence the need for P2PE).
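To make the division of labor between the three layers concrete, here is an added Python model (not Bluefin’s code, not PayConex) of a POS authorization message. It uses a constructed test PAN and constructed keys, an HMAC as a simplified stand-in for the EMV chip’s cryptogram, and a toy hash-based keystream in place of a real P2PE cipher; the point it shows is that the EMV cryptogram proves the card is genuine while the PAN still sits in clear in POS memory, that P2PE removes the clear PAN from the POS, and that tokenization only covers what is stored afterwards.

```python
import hashlib, hmac, secrets
# Constructed sample values (not from the original post). In a real deployment
# the card key lives in the chip and the POI key only in the POI and the HSM.
PAN = "4111111111111111"
CARD_KEY = b"constructed-card-key"
POI_KEY = b"constructed-poi-key"

def emv_cryptogram(atc: int, amount_cents: int) -> str:
    """EMV-style transaction MAC: proves a genuine chip, not a cloned card,
    produced this authorization. Says nothing about where the PAN travels."""
    data = f"{atc}|{amount_cents}".encode()
    return hmac.new(CARD_KEY, data, hashlib.sha256).hexdigest()[:16]

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy hash-based keystream standing in for the HSM-managed cipher of a
    # real P2PE solution; illustration only.
    out = b""
    for ctr in range(0, length, 32):
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
    return out[:length]

def p2pe_encrypt(pan: str) -> str:
    """What the tamper-resistant POI does at swipe time."""
    nonce = secrets.token_bytes(8)
    ks = _keystream(POI_KEY, nonce, len(pan))
    return nonce.hex() + ":" + bytes(a ^ b for a, b in zip(pan.encode(), ks)).hex()

def hsm_decrypt(blob: str) -> str:
    """Only the HSM holds POI_KEY, so only it can recover the PAN."""
    nonce_hex, ct_hex = blob.split(":")
    ct = bytes.fromhex(ct_hex)
    ks = _keystream(POI_KEY, bytes.fromhex(nonce_hex), len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks)).decode()

def tokenize(vault: dict, pan: str) -> str:
    """Random token for storage; only the vault maps it back to the PAN."""
    token = "tok_" + secrets.token_hex(8)
    vault[token] = pan
    return token

def build_auth_request(atc: int, amount_cents: int, p2pe: bool) -> dict:
    """The message the POS assembles and holds in memory before sending."""
    pan_field = p2pe_encrypt(PAN) if p2pe else PAN
    return {"pan": pan_field, "amount": amount_cents,
            "arqc": emv_cryptogram(atc, amount_cents)}

def pan_exposed_at_pos(msg: dict) -> bool:
    """Defender's check: does the clear PAN sit in the POS-resident message?"""
    return PAN in str(list(msg.values()))
```

Running `build_auth_request` with `p2pe=False` yields a valid EMV cryptogram and a clear PAN side by side, which is exactly the situation the post describes; with `p2pe=True` the same check finds no PAN, and only `hsm_decrypt` recovers it.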
So the question certainly isn’t “if” we will adopt EMV; it’s what else we are going to do in addition to EMV.