EMV: Payment Security Endzone? September 29, 2012
Posted by Heather Mark in Industry News, PCI DSS.Tags: 2010 Outback Bowl, Chip & PIN, College Gameday, Dr. Heather Mark, EMV, mark consulting group, PCI DSS, Western States Acquiring Association
trackback
As I’m buckling down for another fun-filled day of college football, I’m drawn to compare the GameDay set to some of the panels I’ve recently seen. As Kirk, Lee, and the gang try to determine the best strategies for each team in their respective games, I think about my colleagues and myself sitting at the panel tables, trying to envision the best way to secure payment (and other sensitive) data without crushing our bottom lines. Okay – maybe it’s a bit of a stretch, but I needed a way to work college football into a post. Mission accomplished.
On a more serious note, though, I recently attended the Western States Acquiring Association conference in Huntington Beach. It was well-attended and had a number of interesting sessions. Not surprisingly, much of the talk centered around EMV, of Chip & PIN. Some wondered whether EMV meant the end of PCI DSS. Well, the answer to that question is a resounding “no.” The PCI SSC has already been adamant about the fact that the PCI DSS remains relevant, even in the face of advancing security technologies. (Insert your own commentary here.) In fact, there is legitimacy in the argument that is put forth here. Simply adding additional layers of authentication doesn’t change the type of data that is collected. In many cases, as we’ve seen with international adoption of the standard, it simply chases the fraud to other milieus – whether different geographic regions or different acceptance channels.
Additionally, we’ve seen evidence that Chip & PIN may not be as secure as we’d thought. Brian Krebs recently wrote an article highlighting research on a security flaw in the EMV technology. Supposition has it that thieves have been “quietly exploiting” this flaw to “skim” the data. That’s not to say that EMV is useless, but it’s not the exactly the impenetrable defense that some have made it out to be. Even the best defensive line sometimes gives up the big play.
So – to the question in the title – does EMV represent the winning score? My thought is that payment security is more like the 2010 Outback Bowl between Auburn and Northwestern. After a back and forth game that ended regulation play tied, the teams went on for five overtime periods that finally ended only when Auburn managed to wear their opponent down just shy of the goal-line. It was a long, brutal game and you really couldn’t tell who was going to win. You just gotta keep putting your best players on the field and keep those trick plays coming.
What do you think of EMV? Touchdown, fumble, or forward progress?
Global Security, Privacy, & Risk Management 
In many cases, as we’ve seen with international adoption of the standard, it simply chases the fraud to other milieus – whether different geographic regions or different acceptance channels.