jump to navigation

EMV: Payment Security Endzone? September 29, 2012

Posted by Heather Mark in Industry News, PCI DSS.
Tags: , , , , , , ,
trackback

As I’m buckling down for another fun-filled day of college football, I’m drawn to compare the GameDay set to some of the panels I’ve recently seen.  As Kirk, Lee, and the gang try to determine the best strategies for each team in their respective games, I think about my colleagues and myself sitting at the panel tables, trying to envision the best way to secure payment (and other sensitive) data without crushing our bottom lines.  Okay – maybe it’s a bit of a stretch, but I needed a way to work college football into a post.  Mission accomplished.

On a more serious note, though, I recently attended the Western States Acquiring Association conference in Huntington Beach.  It was well-attended and had a number of interesting sessions.  Not surprisingly, much of the talk centered around EMV, of Chip & PIN.  Some wondered whether EMV meant the end of PCI DSS.  Well, the answer to that question is a resounding “no.” The PCI SSC has already been adamant about the fact that the PCI DSS remains relevant, even in the face of advancing security technologies.  (Insert your own commentary here.) In fact, there is legitimacy in the argument that is put forth here.  Simply adding additional layers of authentication doesn’t change the type of data that is collected.  In many cases, as we’ve seen with international adoption of the standard, it simply chases the fraud to other milieus – whether different geographic regions or different acceptance channels.

Additionally, we’ve seen evidence that Chip & PIN may not be as secure as we’d thought.  Brian Krebs recently wrote an article highlighting research on a security flaw in the EMV technology.  Supposition has it that thieves have been “quietly exploiting” this flaw to “skim” the data.  That’s not to say that EMV is useless, but it’s not the exactly the impenetrable defense that some have made it out to be.  Even the best defensive line sometimes gives up the big play.

So – to the question in the title – does EMV represent the winning score?  My thought is that payment security is more like the 2010 Outback Bowl between Auburn and Northwestern.    After a back and forth game that ended regulation play tied, the teams went on for five overtime periods that finally ended only when Auburn managed to wear their opponent down just shy of the goal-line.  It was a long, brutal game and you really couldn’t tell who was going to win.  You just gotta keep putting your best players on the field and keep those trick plays coming.

What do you think of EMV?  Touchdown, fumble, or forward progress?

Comments»

1. Grace Cubillas - March 20, 2013

In many cases, as we’ve seen with international adoption of the standard, it simply chases the fraud to other milieus – whether different geographic regions or different acceptance channels.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: