jump to navigation

EMV- CHIP & Choice..not Chip & PIN…Start Moving! March 23, 2015

Posted by Chris Mark in Uncategorized.
Tags: , , , , , , , , ,
add a comment

platinum11chip_fr_h_1987After deviating from my ‘security’ theme, I am back to talk about InfoSec.  Last week I had the opportunity to attend Visa Accredited EMV Consultant Training at Visa’s Headquarters in Foster City, CA.  As always, Visa put on a top tier program with numerous experts in Payment Card ‘chip’ technology.  Since the topic was EMV most of the experts were from Across the Pond.  Thanks to Mark, Chris and the others for great training!

For those who are new, EMV or “Europay, MasterCard, Visa” is a technology where a microprocessor ‘chip’ is embedded in a payment card (credit card, debit card, etc.).  It is often erroneously referred too as “Chip & PIN” but EMV really only applies to the Chip technology.  If a region or issuer wants to prefer PIN, they are able.  Visa has a “Chip and Choice” model where they allow Chip with signature, no signature, or PIN depending upon the issuer, the risk and type of transaction (ie. Debit for Cash or ATM require a PIN).  There was too much information over 2 days to talk about in this post but there was one point I learned and wanted to pass on..

In October 2015, Visa is offering a ‘liability shift’ for merchants who adopt EMV.  My belief (it was wrong) until I attended the training was that the EMV liability shift only affected those merchants who 1) accepted a ‘chip’ card and on ‘chip’ transactions.  These are known as ‘chip on chip’.  It is critical that Merchants understand that the liability shift occurs for merchants who accept transacitons over a dual interface terminal (Chip and NFC) who accept transactions of ANY form.  As an example, if you accept 99% mag stripe transactions but you have dual interface terminals…the fraudulent transacion due to counterfeit have liability shifted to the issuer!  It does NOT have to be a Chip on Chip transaction.

The Second important point to remember is that Visa is offering a Technology Incentive Program (TIP) that states if a Level 1 Merchant accepts 75% of transactions over a Dual Interface terminal, they do not have to validate compliance with an onsite assessment.  There are some caveats to this so make sure you read the rules!

To get ready for implementation, ensure you download the Visa Merchant Readiness Acceptance Guide here.

EMV: Payment Security Endzone? September 29, 2012

Posted by Heather Mark in Industry News, PCI DSS.
Tags: , , , , , , ,
1 comment so far

As I’m buckling down for another fun-filled day of college football, I’m drawn to compare the GameDay set to some of the panels I’ve recently seen.  As Kirk, Lee, and the gang try to determine the best strategies for each team in their respective games, I think about my colleagues and myself sitting at the panel tables, trying to envision the best way to secure payment (and other sensitive) data without crushing our bottom lines.  Okay – maybe it’s a bit of a stretch, but I needed a way to work college football into a post.  Mission accomplished.

On a more serious note, though, I recently attended the Western States Acquiring Association conference in Huntington Beach.  It was well-attended and had a number of interesting sessions.  Not surprisingly, much of the talk centered around EMV, of Chip & PIN.  Some wondered whether EMV meant the end of PCI DSS.  Well, the answer to that question is a resounding “no.” The PCI SSC has already been adamant about the fact that the PCI DSS remains relevant, even in the face of advancing security technologies.  (Insert your own commentary here.) In fact, there is legitimacy in the argument that is put forth here.  Simply adding additional layers of authentication doesn’t change the type of data that is collected.  In many cases, as we’ve seen with international adoption of the standard, it simply chases the fraud to other milieus – whether different geographic regions or different acceptance channels.

Additionally, we’ve seen evidence that Chip & PIN may not be as secure as we’d thought.  Brian Krebs recently wrote an article highlighting research on a security flaw in the EMV technology.  Supposition has it that thieves have been “quietly exploiting” this flaw to “skim” the data.  That’s not to say that EMV is useless, but it’s not the exactly the impenetrable defense that some have made it out to be.  Even the best defensive line sometimes gives up the big play.

So – to the question in the title – does EMV represent the winning score?  My thought is that payment security is more like the 2010 Outback Bowl between Auburn and Northwestern.    After a back and forth game that ended regulation play tied, the teams went on for five overtime periods that finally ended only when Auburn managed to wear their opponent down just shy of the goal-line.  It was a long, brutal game and you really couldn’t tell who was going to win.  You just gotta keep putting your best players on the field and keep those trick plays coming.

What do you think of EMV?  Touchdown, fumble, or forward progress?

%d bloggers like this: