By Michael Ryan

It’s that time of year.  Ghouls and ghosts come out to play, making most of us quake in our boots.  Some of us love it; others put up with it just to get the goodies and treats.  So in the spirit of Halloween, I’ve pulled together a list of myths for the week that may have merchants a bit confused.  As a treat, I will address each myth and give our readers enough insight to put these spooky myths in their graves for good.

Today, we’ll take a look at transaction security.  Given the number of breaches that have occurred in the retail industry, this myth should really have you quivering in fear.  The last thing any merchant wants to see is their name splashed across a news story about the loss of thousands of customers’ credit card data.

Spooky Myth of the Day: EMV is all the transaction security I will need.

For those of you who don’t know, EMV takes its name from Europay, MasterCard and Visa, the three companies that developed this chip card standard for authenticating credit and debit card transactions at point-of-sale (POS) terminals and automated teller machines (ATMs).

When I talk to merchants, I hear it all the time: “Won’t it be great when we have EMV in the US and my transaction security woes are over?”  This is often followed by a debate over when we’ll actually see this revolution.

But don’t be fooled by this myth.  The truth is that while several studies have shown EMV to be effective in preventing fraud at the point of sale in brick-and-mortar environments, it really only addresses the creation and use of counterfeit cards.

EMV transactions still transmit the cardholder data that PCI DSS classifies as sensitive, including the primary account number (PAN), in the clear, so EMV does very little to reduce a merchant’s PCI DSS obligations.  Merchants processing EMV must still limit the data they store and protect the data they do store.  EMV also does nothing to eliminate fraud in mail order or telephone order (MOTO) payment processing or in online transactions, where the chip is never presented to a terminal.

So while EMV may help us prevent fraud committed with counterfeit cards at the physical point of sale, it does not automatically secure the data in flight or at rest, and that data can still be stolen and used to commit fraud in other ways.  Remember, too, that the data only needs to be stolen (not used) for a merchant to face significant penalties and damage to its brand.
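To make the point above concrete, here is an added example (not code from the original post or from Merchant Link) that parses a constructed EMV authorization record and shows two things: the PAN is readable in the clear in both the Application PAN field (tag 5A) and the Track 2 Equivalent Data field (tag 57), with no key needed, and a merchant must therefore still strip and mask that data before anything is written to disk.  The tag numbers are EMV-defined; the record contents, cryptogram value and helper names are assumptions constructed for this example, not captured traffic.

```python
"""
Added example: parse a constructed EMV authorization record, locate the
cleartext PAN, and reduce the record to what a merchant may store.
The sample record and its values are constructed for this example.
"""
from typing import Dict, List, Tuple

# Constructed authorization record (BER-TLV, as EMV data objects are encoded).
SAMPLE_AUTH_RECORD = bytes.fromhex(
    "5A08" "4111111111111111"                   # 5A   Application PAN (BCD)
    "5711" "4111111111111111D25122010000000000"  # 57   Track 2 equivalent: PAN 'D' YYMM svc code discretionary
    "9F2608" "A1B2C3D4E5F60718"                  # 9F26 Application Cryptogram (constructed value)
    "9F2701" "80"                                # 9F27 Cryptogram Information Data: ARQC
    "9F3602" "002A"                              # 9F36 Application Transaction Counter = 42
    "9F0206" "000000001000"                      # 9F02 Amount, Authorised = 10.00
)


def parse_ber_tlv(data: bytes) -> List[Tuple[str, bytes]]:
    """Parse a flat sequence of BER-TLV objects into (tag_hex, value) pairs.
    Handles multi-byte tags (low five bits of the first byte all set) and
    short/long length forms, which is what EMV data objects use."""
    out: List[Tuple[str, bytes]] = []
    i, n = 0, len(data)
    while i < n:
        start = i
        first = data[i]
        i += 1
        if first & 0x1F == 0x1F:            # subsequent tag bytes follow while bit 8 is set
            while True:
                if i >= n:
                    raise ValueError("truncated tag")
                b = data[i]
                i += 1
                if b & 0x80 == 0:
                    break
        tag = data[start:i].hex().upper()
        if i >= n:
            raise ValueError("truncated length")
        length = data[i]
        i += 1
        if length & 0x80:                    # long form: low 7 bits give the number of length bytes
            nbytes = length & 0x7F
            if nbytes == 0 or nbytes > 4 or i + nbytes > n:
                raise ValueError("bad length encoding")
            length = int.from_bytes(data[i:i + nbytes], "big")
            i += nbytes
        if i + length > n:
            raise ValueError("truncated value")
        out.append((tag, data[i:i + length]))
        i += length
    return out


def decode_bcd(value: bytes) -> str:
    """Decode a compressed-numeric (BCD) field, dropping any 'F' padding nibble."""
    return value.hex().upper().rstrip("F")


def find_cleartext_pans(record: bytes) -> Dict[str, str]:
    """Return every tag in the record that carries the full PAN readable without a key."""
    found: Dict[str, str] = {}
    for tag, value in parse_ber_tlv(record):
        if tag == "5A":
            found[tag] = decode_bcd(value)
        elif tag == "57":
            # Track 2 equivalent: PAN, then 'D' separator, expiry YYMM, service code, discretionary data
            found[tag] = decode_bcd(value).split("D", 1)[0]
    return found


def luhn_ok(pan: str) -> bool:
    """Luhn check: confirms the recovered digits form a well-formed PAN."""
    total = 0
    for idx, ch in enumerate(reversed(pan)):
        d = int(ch)
        if idx % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """PCI DSS allows at most the first six and last four digits in the clear."""
    if not (13 <= len(pan) <= 19) or not pan.isdigit():
        raise ValueError("not a PAN")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def record_for_storage(record: bytes) -> Dict[str, object]:
    """What a merchant may keep after authorization: masked PAN plus transaction
    metadata.  Tag 57 (track data) is sensitive authentication data and is never
    stored; the ARQC (9F26) is transaction-specific and dropped as useless at rest."""
    kept: Dict[str, object] = {}
    for tag, value in parse_ber_tlv(record):
        if tag == "5A":
            kept["pan_masked"] = mask_pan(decode_bcd(value))
        elif tag == "9F36":
            kept["atc"] = int.from_bytes(value, "big")
        elif tag == "9F02":
            kept["amount_minor_units"] = int(decode_bcd(value))
        elif tag == "9F27":
            kept["cid"] = value.hex().upper()
        # 57 and 9F26 are intentionally not kept
    return kept


if __name__ == "__main__":
    print("cleartext PANs:", find_cleartext_pans(SAMPLE_AUTH_RECORD))
    print("storable record:", record_for_storage(SAMPLE_AUTH_RECORD))
```

Running it shows the same PAN recovered from two fields of the record with nothing more than a TLV walk, which is why the per-transaction cryptogram does not by itself take the merchant’s network, logs and databases out of PCI DSS scope.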

Don’t let these myths fool you.  Understand the limitations of EMV and ensure that you have a layered security approach that secures data both in flight and at rest, for example by encrypting cardholder data in transit and tokenizing or truncating whatever you must retain.

Visit us later this week for the next spooky myth.  If you have other myths you’d like to add, include them in a comment below.

Comments

There are 4 comments for this post.

  1. David Griffiths on October 27, 2010 1:45 am

    Just call me Mythbuster Griff:

    it troubles me that people like Michael Ryan deliver this kind of rubbish (there really is no other word for it) to frighten non-technical (‘cos it really is quite technical) people into believing what amounts to nothing more than poor and unconsidered sensational twaddle. Here’s why it’s rubbish, and I am open to any challenge, at any time.

    EMV has solved most of the problems associated with card payments, but not all. However, where problems remain, it is generally because other transaction rules are being ignored and not because EMV is weak. Happy to expand, but haven’t got the space here.

    EMV transactions transmit “sensitive data” only because it is defined as “sensitive data” within PCI. There is absolutely nothing sensitive about a PAN, for heaven’s sake, it’s embossed on the front of the card. EMV transmits data in the clear because the data really doesn’t matter, it is transaction specific and cannot be re-used, re-played or used to re-build the original card. Intercepting EMV card data is like stealing used cheques!!

    Michael is correct when he says that EMV does not eliminate MOTO fraud. However, if merchants actually followed the rules, which they generally choose not to (see Amazon), the fraud would disappear. The problem isn’t EMV (to be fair it isn’t even PCI), but the problem isn’t actually that big either.

    It is not surprising that merchants are fearful, as they are fined for losing data rather than losing useful data! A subtle difference, but does it matter if the retailers, the public and the press don’t understand? To them, a breach is a breach, and it makes good headlines.

    I have been asking MasterCard to justify the expense of PCI-DSS since June, all the way up to Bruce Rutherford – main man in MasterCard and PCI!!! Would anyone be surprised if I said that the only response I have is six lines of circular nothing, which isn’t even worth repeating here. I would have thought that their answer would have been immediate and compelling – no such thing – but they will fine you and maybe stop you accepting cards if you don’t comply.

    Card fraud in the UK is at a ten-year low, and still falling; card fraud in the US is rocketing. One of the biggest frauds that we suffer in the UK is on cloned US cards, which the PCI-DSS in the UK will NOT prevent, but EMV in the US would. So why is it that the rest of the world is being forced to implement the PCI-DSS to “protect” the US when the US can’t be bothered to protect themselves? It makes no sense, and it is reckoned that EMV in the US would pay for itself in 11 months.

    So … you have got to do the PCI-DSS because the PCI-DSS defines the PAN as “sensitive data”, and you must protect sensitive data, and if you don’t protect sensitive data, then when you are breached they will fine you and you will look stupid in the press, and that won’t be good. They might even fine you if you aren’t breached.

    At the end of the day, you have to take the pragmatic approach, and do it, but don’t let the idiots fool you.

    I am still open to any challenge, find me on Linked-In.

  2. Michael Ryan on October 27, 2010 6:17 am

    Mythbuster Griff – nice to meet you and thanks for reading. Obviously we are having a bit of fun with these myths since it is almost Halloween but in reality, what you said in the last part of your email was what I was trying to convey. As long as the council says PANs are sensitive data they must be protected. By itself EMV does not provide that solution and a layered approach will be required to comply with the regulations. And I agree with you, merchants must be pragmatic and go beyond compliance to secure all their assets.

  3. David Griffiths on October 28, 2010 9:03 am

    Hi.

    I think you miss the point a bit, but I forgive you. :o )

    If you read carefully the last paragraph again you will hear the irony. But for the hard of understanding: the council says that PANs are sensitive and must be protected – this is complete and utter nonsense!!! PANs are NOT NOT NOT sensitive data. For heaven’s sake, they are embossed on the front of my cards …

    EMV does not provide the complete solution, as it’s not particularly good at preventing telephone fraud, but if it’s part of the layered solution to which you refer, then you must be thinking along the lines of PCI filling the security gap, but hey, the card number is embossed on the front of my card, so how’s that going to work?

    EMV limits most of the security vulnerabilities because it renders all transaction data relevant only to the current transaction. It matters not that you know my PAN because you can do nothing with it.

    I say again and again that all of the so-called “vulnerabilities” you refer to as a means of highlighting the “weakness” of EMV could be solved by simple MOTO rule enforcements – the rules exist, they are just not enforced. They do not require PCI, and PCI won’t prevent them.

    The spooky myth is that retailers should be responsible for transactional card data. The spooky reality is that in the world of EMV, they are NOT! They are not because they do not need to be. If you are a retailer reading this, don’t be spooked by the PCI spooks; once you have implemented PCI, you will still have to implement EMV – if you don’t believe me, look on the MasterCard merchant website.

    The pragmatism in the last paragraph was bordering on the ironic: I meant that the merchants must be pragmatic and accept that the idiots bleating on about PCI are not going to change their minds any time soon, because they are idiots bleating on about PCI and agreeing with each other. I absolutely did not, for the sake of any confusion, mean that the merchants should be responsible for securing “their assets” (or card data as we call it in the UK). The merchants should do PCI because if they don’t, the idiots will fine them – now that is pragmatism!

    I challenge you to stop wasting time and effort in support of the unsupportable, and explain to me and the thousands of other people involved in the pointless implementation of the PCI-DSS at a collective cost of hundreds and thousands of millions of dollars (that’s even more than £25) why it is necessary?

    No circular arguments please.

  4. Merchant Link SecurityCents :: Encryption PCI Compliance Tokenization :: A Ghostly Myth Disappearing on October 29, 2010 5:01 am

    [...] myths that merchants face today.  Earlier this week, we shed some light on the common myth that EMV will cure all credit card security woes.  We also provided some clarity on a common myth that [...]