The nationwide adoption of EMV (Europay, MasterCard, and Visa) for credit and debit cards has been a rocky road, to say the least. These new cards are equipped with computer chips and technology that are used to authenticate chip card transactions. After a number of large-scale data breaches in the past three years including Target and Home Depot, card issuers are moving to this more secure payment option to help protect consumers. Regulatory and liability shifts have essentially forced retailers to adopt the new, security-oriented technology.
However, how safe are these new chip-based cards? There has already been debates about the “chip and signature” process being implemented versus “chip and PIN” which at least on the surface is more secure. More recently, during a Black Hat security convention this past week, researchers from NCR, a payment technology company, shared more flaws that they have uncovered in these new EMV chip cards. Patrick Watson from NCR explained how hackers can ultimately re-write the magnetic stripe code to make it appear as a traditional chipless card, allowing hackers to counterfeit over and over again, and bypass the security offered by the chip. This leaves the EMV card just as vulnerable as traditional credit or debit cards. On traditional credit and debit cards, the magnetic stripe contains unchanging data, which makes them a prime target for counterfeiters. With the new EMV chip cards, the data changes for each transaction. If hackers are allowed to rewrite this magnetic stripe code, then it will appear that these cards are just as vulnerable as they have been.
This new discovery has retail shop owners furious as they have already been complaining about the upgrade that was forced upon them by banks. The National Retail Federation has been making claims against the new EMV cards, which is estimated to cost American retailers $25 billion alone.This new finding describes how retailers are spending millions of dollars on upgrading to EMV yet their customers are still at risk. For the time being, we would advise all retailers to encrypt everything when dealing with a transaction until these flaws can be worked out. Of course, POS vendors do offer encryption for their terminals, just at another additional cost to the retailer.
If you have any concerns about your POI system or security questions regarding EMV cards, contact our certified security consultants.
Related articles
Change Healthcare Attack: Ransomware Protection Measures for Healthcare Organizations
In light of the Change Healthcare attack, we explore why hackers target healthcare and how healthcare can defend against ransomware.
GraVoc Recognized on CRN MSP 500 List for Second Year in a Row
For the second year in a row, GraVoc has been recognized on the CRN® MSP 500 list in the Pioneer 250 category!
PCI SAQ Types: Which SAQ is Right for Your Business?
In this blog post, we provide an overview of the SAQ types for PCI DSS v4.0 and how to select a PCI SAQ that’s right for your business.