Tag Archives: chip card

Credit Cards

Can Chip Cards Stop the Hax? [2023 Update]

Leave a reply

The massive data breach at Target is a big shining beacon illuminating exactly how behind the times the United States remains when it comes to credit card security — namely EMV® chip technology.

EMV is a worldwide standard for credit and debit card payments based around the use of chip card technology. The acronym stands for Europay, MasterCard, and Visa, who collaborated to create the technology. The goal of this project was to create a card that worked based off of a microprocessor chip that is read by the payment terminal. Because the U.S. has yet to widely deploy embedded chip technology, the nation has increasingly become the focus of hackers seeking to steal such information. The stolen data can easily be turned into phony credit cards that are sold on black markets around the world.

In fact, KrebsOnSecurity, the website that broke the news of the Target hack, has reported that the card information stolen in the Target Data Breach has been showing up on the black market. Credit and debit card accounts stolen during the security breach have reportedly flooded underground black markets, going on sale in batches of one million cards. The cards are being sold from around $20 to more than $100 each.

Over the last decade, most countries have moved toward using credit cards that carry information on embeddable microchips rather than magnetic strips. The additional encryption on these aptly named smart cards has made the kind of brazen data thefts suffered by Target almost impossible to pull off in other countries. Which is why as of Q4 2012, there were roughly 1.62 billion EMV cards in consumers’ hands and 23.8 million terminals deployed throughout Europe, Asia, and Africa. About 80 countries have adopted the technology as a standard. By comparison, about 1% ofcredit cards issued in the U.S. contain such technology, making the United States a tasty target for hackers.

“The U.S. is one of the last markets to convert from the magnetic stripe,” Randy Vanderhoof, director of the EMV Migration Forum told the LA Times. “There’s fewer places in the world where that stolen data could be used. So the U.S. becomes more of a high-value target.”

The credit card industry reports the U.S. accounted for only 24 percent of global credit card payments by volume in 2012, but it accounted for 47 percent of the fraud.

So Why No Chips in the U.S.?

According to experts the reasons the U.S. lags so badly in adopting smart cards are complicated. In part, there hasn’t been the political will to demand that businesses and financial institutions make the change. One might think the Target data breach would spur politicians to action or at least get consumers to light a fire under those politicians. But the Target hack is just one in a growing list of data breaches, and the 40 million compromised cards are rather mundane.

In April of 2011, the Playstation Network was hacked, compromising the vital information of 77 million accounts, and 24.5 million Sony Online Entertainment accounts. This has been touted as one of the largest personal data heists recorded in history, and prompted Sony to shut down its services for a month. In 2009, credit card processor Heartland Payment Systems disclosed that thieves had broken into is internal card processing network, and installed malicious software that allowed them to steal track data on more than 130 million cards.

If neither of those data breaches could spur on the adoption of EMV cards, it’s unlikely the Target hack will move the needle. The inertia built up against the smart cards then must be due to some other reason Analysts also say the payment processing system in the U.S. is more complicated, with merchants, credit companies and banks reluctant to spend the big bucks it would take to convert a system with 1 billion credit cards to EMV from magnetic stripes. But that’s still too murky.

The primary reason such technology has taken so long to make its way into the U.S. is far more simple: Chip-embedded cards are more expensive to produce. Each merchant would have to purchase new equipment to hand them.

What the Future Holds …

The good news for consumers is that the U.S. is indeed moving to embrace smart credit cards. The Official Merchant Services Blog reported almost two years ago that the United States was moving slowly but surely toward adopting chip cards. Visa took the lead in the U.S. push, reporting that as of December 31, 2011, the credit giant had issued more than 1 million credit cards that use “chip” technology to store consumer payment information. Visa made an announcement in August 2011 hat it planned to start issuing more EMV — Europay, Mastercard, Visa — smart cards to push the industry toward better security and an easier transition to mobile payments.

In the last couple of years major card issuers have laid out road maps for upgrading the card technology, and many have set out to achieve this by October 2015.

TransFirst, Host Merchant Services’ acquirer and one of the premier providers of transaction processing services and payment processing technologies in the U.S., issued a mandate in response to the EMV push. TransFirst said that Visa will require U.S. acquirer processors and sub-processor service providers to be able to support merchant acceptance of chip transactions no later than April 1, 2013. Visa also intends to institute a U.S. liability shift for domestic and cross-border counterfeit card-present point-of-sale transactions effective October 1, 2015, and for fuel-selling merchants by October 1, 2017.

Ocotber 2015 was chosen because at that point major credit card companies will change their rules about who is liable for fraudulent purchases caused by security breaches. Under the new rules, the entity in the payment chain — merchant, credit card, banks — deemed to have the weakest security will be liable. Credit card companies can’t make anyone adopt the technology, but they’re giving them a hard nudge.

The Bottom Line

While the Target Data Breach once again brings up the topic of credit card security, it seems like the U.S. is still poking along with its slow adoption of EMV chip cards. Hackers will still continue to target the low hanging fruit that the largely magnetic stripe based U.S. credit card industry still works with. But EMV chips and increased digital security of cardholder information is coming. October 2015 looms closer and closer.

What is EMV Chip Card Technology?

Leave a reply

EMV® is a worldwide standard for credit and debit card payments based around the use of chip card technology. The acronym stands for Europay, MasterCard, and Visa, who collaborated to create the technology. The goal of this project was to create a card that worked based off of a microprocessor chip that is read by the payment terminal.

How it works

The transaction has a built in verification system that requires both the chip in the card and a PIN number the customer enters. This extra step verifies that the person with the card is in fact authorized to use it. This is just the first facet that makes these transactions more secure. Each chip contained in the card generates an original and unique code for each transaction. This unique identifier makes it easier to track transactions and identify fraud.

Comparison to Existing Magnetic Stripe

Everyone knows the magnetic stripes exist on almost every single card in the U.S. currently. These pass very simple data through the system at the time of the swipe, mainly just card number and expiry data. The data passed back and forth between the terminal and chip card is much more sophisticated and encrypted for added security. Another downside to the magnetic stripes is their shelf life. Many frustrated clerks can tell you that a card that is used often does not usually make it to its expiration date. Merchants should know that they need to swipe the card to get the lowest interchange rates for most cards. Often times, front line workers do not know that the business is paying a higher rate if the card is keyed as opposed to swiped.

Future Growth

EMV is already widely used worldwide. As of Q4 2012, there are roughly 1.62 billion EMV cards in consumers’ hands. Combine this with the 23.8 million terminals that have been deployed throughout Europe, Asia, and Africa and it’s easy to see that this technology is here to stay. HMS fully supports EMV processing and works with merchants to offer this to their customers. With Visa and MasterCard poised to really step on the gas concerning U.S. migration, merchants need to be up to speed on the new processes and technologies.

EMV-chart

This upgrade in technology will have an impact on a wide range of hardware including:

  • ATMs
  • Existing POS machines
  • Vending machines
  • Automated fuel pumps
  • Ticketing kiosks
  • Etc.

While replacing the vast amounts of existing hardware might seem daunting on a macro level , the time and capital committed to this migration is absolutely worth it when you consider the upside. The combination of both new terminals and chip cards will reduce risk for both consumer and business. Also, by making chip cards more universal, American tourists who travel abroad will have a consistent experience and won’t need a “special card” for overseas trips. This point is even more powerful when you consider that there are roughly 56 million trips outside the country by U.S. citizens just in 2012. So send us an email or better yet just give us a call at 877-517-4678 to discuss how Host Merchant Services can help your business stay ahead of the EMV curve.

1 Step Forward, 2 Steps Back [2023 Update]

Leave a reply

We’ve been covering Mobile Payments here at The Official Merchant Services Blog since the very beginning. In fact, the Article Archive at Host Merchant Services has extensive coverage of the topic as well. It’s just too sexy a topic — everybody loves the allure of gadgets — and too fascinating a financial prediction — folks in the know are predicting Mobile Payments to boom in the billions between now and 2015-ish — to not continually cover Mobile Payments.

But I keep picturing a scene from the 1992 women’s sports movie A League of Their Own in my head every single time I look at the state of Mobile Payments in the U.S. The scene that resonates with me is the one where Marla Hooch — fearsome and uniquely striking power hitter for the team — is about to step into the batter’s box. But she’s getting confused. She steps into the box. Then back out of the box. The reason for her confusion? She’s getting contradictory signals from her Manager and her teammate. One wants her to swing away and unleash the fearsome potential of her staggering offense. The other wants her to play it safe and move the runner over for a better chance to score an efficient run. So there she goes, Marla Hooch, the powerhouse of the league. One foot in the box. Then out of the box. It’s the exact problem Mobile Payments currently faces. The power and potential of what it can do for commerce keeps getting highlighted in story after story, research after research. And then the biggest obstacle it faces keeps getting thrust in front of its face: Security.

Step Out of the Box

Google Wallet, one of the biggest lynchpins in the mobile payment industry’s bid to effectively take hold in the U.S. market was recently plagued by a security problem. This article from ExtremeTech notes the issues that happened to Google and its mobile payment system in a piece that discusses the pitfalls of its beta testing. A pair of bugs forced Google to shut down its pre-paid cards and Google Wallet took a huge hit on the nose in the press. This reinforced the public’s view that mobile payments are a bit scary because people think that their personal information — account numbers, social security information, credit card numbers — will get swiped from them out of thin air. The thought process being that if all they have to do to pay for an item is wave their phone in the air at a cash register, some sneaky net ninja can pluck the data right out of the very same air.

The article sums up the problem: “In the last week, there have been not one, but two exploits that could give a malicious individual access to your Google Wallet mobile payment app on Android. While the first is a root-only hack that Google couldn’t really be expected to plan for, the second affects all Android users and is simple to do.”

It goes on to suggest these bugs popped up due to a core problem with how google beta tests things.

Since that story broke, Google has gone on the offensive, and is now stating that the bugs are fixed. As this cnet article says: “Google has patched a hole in Google Wallet that could’ve allowed someone to access a user’s funds simply by resetting the PIN and using a prepaid card. The company said yesterday it has issued a fix that now prevents a prepaid card from being re-provisioned to another person. It has also restored the ability to issue new prepaid cards following a move on Monday to disable the use of such cards.”

These bugs were a major setback for more than just Google. The Mobile Payments landscape is bubbling with interest but it’s also saturated with variety. There are multiple avenues businesses are considering for their entry point into what research firms like Gartner predict will be big money very very soon. One of those avenues is Near Field Communication (NFC).  The underlying technology of NFC is described as: Near field communication (NFC) is a set of standards for smartphones and similar devices to establish radio communication with each other by touching them together or bringing them into close proximity, usually no more than a few centimetres. Present and anticipated applications include contactless transactions, data exchange, and simplified setup of more complex communications such as Wi-Fi. Communication is also possible between an NFC device and an unpowered NFC chip, called a “tag”.” 

This is the technology that Google tagged to be their entry into Mobile Payments. And so these bugs are a major hit for Google and NFC as a whole, taking one of the most hyped aspects of Mobile Payments down a peg in the industry.

Step Into the Box

In the midst of NFC taking it on the chin, Visa and MasterCard unleashed its EMV initiative — as The Official Merchant Services Blog reported on February 7. This is, in my mind, the Mobile Payments Marla Hooch being told to step into the batter’s box and knock it out of the park. Visa is invested heavily into Mobile Payments, and is prepared to drag the industry kicking and screaming into the future of profits that are being predicted for Mobile Payments. The EMV initiative hinges on chip technology being attached to cards, and for Mobile Payment evolution also being attached to smart phones. What Visa’s investment in this avenue brings is added security. This is huge. The security advantage addresses the biggest fear people have for mobile payments. Visa, much like Tom Hanks, wants Marla Hooch to get in there and swing away.

Going Sci-Fi

This article from Asia One adds another wrinkle into payment processing, and possibly the future of mobile payments: Biometrics. The article cites The Monetary Association of Singapore (MAS) as researching ways to make Debit card transactions more secure. And one of the avenues of research has been biometrics. This could really lead to a breakthrough in the march towards a cashless society, including the use of smartphones for mobile payments. Having biometric security measures on your phone would work in tandem with the chip technology that Visa is pushing, making both the unit you use to store the information — your phone — attuned to your own physiology; and the transmission of your transactions — the swipe of said phone in the air — attuned to a secure chip. Identity thieves and card fraud masters would be stymied on multiple ends and have to work very hard to stay ahead of that security curve in their mission to steal your information and then your money.

The Bottom Line

So What’s Marla Hooch going to do? It looks like Google is sticking with its plan and dedication to NFC. They sort of have to due to how invested they are into the technology already. And it’s no secret that Visa is very much tied into the future of mobile payments, chip card technology, and payment processing security. Both entities are full steam ahead. And with that much tech and finance industry strength behind the initiatives, Mobile Payments will get its chance to swing for the fences. We look for the Google Bugs to blow over and not really hinder Mobile Payments growth much at all in 2012.

For more information on Mobile Payments you can read from Host Merchant Services:

The Official Merchant Services Blog will continue to keep you up to date on the latest advances in Mobile Payments technology.