Stemming the Tide
It’s been three months since the news broke that a criminal attack on Target resulted in the theft of 40 million customers’ credit and debit card numbers, along with names, addresses and other personal data for another 70 million shoppers. Word of smaller but similar attacks at Neiman Marcus and Michaels followed, putting card security back in the headlines and renewing the debate over how to safeguard card data to protect consumers, retailers and banks from determined and sophisticated criminals.
As in the past, the incidents quickly turned into a blame game between retailers and banks. The finger-pointing is starting to fade, however, and the attacks appear to have finally pushed the two industries toward an effort to work together.
Last month, NRF and other retail groups joined with financial service associations to announce a new partnership that will examine ways to share more information, improve card security and maintain the trust of customers.
“There is no single solution to the complex issues surrounding cyber security,” NRF president and CEO Matthew Shay said in announcing the partnership. “That is why it is important to bring stakeholders together as we seek answers, share solutions and implement programs that not only prevent hackers from breaching data systems but protect the consumer by shutting down these criminal enterprises.”
“We are committed to working together to ensure customer personal and financial information is secure and protected,” Financial Services Roundtable CEO Tim Pawlenty said at the time. “Exploring avenues for increased information sharing and collaborating on innovative technologies and safeguarding data will be critical in defending against common enemies.”
The group is made up of NRF and a dozen other associations representing bankers, retailers, shopping centers, restaurants and hotels. Over the next several months, participants will form working groups to look at solutions ranging from technological innovations to a uniform national data breach law.
The partnership builds on NRF’s position that retailers are willing to work with banks to address the issue, but that all stakeholders have a role to play.
“Retailers take the increasing incidence of payment card fraud very seriously,” NRF senior vice president and general counsel Mallory Duncan told the Senate Banking, Housing and Urban Affairs Committee at a subcommittee hearing in early February. “We have every reason to want to see fraud reduced, but we have only a portion of the ability to make that happen. We did not design the system, we do not configure the cards and we do not issue the cards. We will work effectively to upgrade the system, but we cannot do it alone.”
A nationwide standard
At the heart of the issue is the technology behind the typical credit or debit card. Since at least the 1980s, cards have carried the cardholder’s name, card number, expiration date and other data in a magnetic stripe, and customers have signed a paper receipt or electronic pad to approve the transaction. The problem is that stripe data is static: every swipe presents exactly the same bytes, so a skimmer that reads the stripe once can produce a copy that a terminal cannot tell from the original, and the equipment needed to encode counterfeit cards can be legally purchased for a few hundred dollars. Most consumers scrawl an illegible signature, and even provide a sample on the back of the card for criminals who want to make a good forgery.
Next-generation chip-and-PIN cards add an embedded microchip (the stripe usually remains for fallback) that holds a secret key which never leaves the chip and uses it to compute a one-time cryptogram for each transaction, so data captured from one purchase cannot be replayed to make another and the card itself is impractical to clone. More importantly, they eliminate the easy-to-forge signature and require shoppers to enter a personal identification number to prove that they are the legitimate cardholder and have approved the transaction. Chip-and-PIN cards are used in about 80 countries around the world; a study in the U.K. found they have reduced fraud by 70 percent.
A number of U.S. retailers have already installed the terminals needed for the new cards, and Visa and MasterCard, the two largest card networks, have set October 2015 as the date after which liability for counterfeit-card fraud shifts to whichever party, merchant or issuer, has not adopted their EMV (Europay, MasterCard and Visa) chip standard. EMV cards issued in Europe and most other chip markets require a PIN; the U.S. rollout leaves the cardholder verification method to each issuing bank, which may require a PIN or accept a signature instead.
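To make the stripe-versus-chip contrast concrete, here is an added example in Python (not code from the article or from any company it quotes). It parses the static Track 2 data a magnetic stripe carries, shows that a skimmed copy authorizes exactly like the genuine card, and then models the chip side with a card-resident key and a transaction counter. The cryptogram is a deliberately simplified HMAC-SHA256 stand-in for the EMV ARQC, which in practice uses 3DES MACs under issuer-derived card keys; the sample track record, the class names and the test PAN 4111111111111111 are constructed for the illustration.

```python
"""Static stripe data versus a per-transaction chip cryptogram (added illustration).

The Track 2 layout follows ISO/IEC 7813.  The "cryptogram" is a simplified
HMAC-SHA256 stand-in for the EMV ARQC (which uses 3DES MACs under
issuer-derived card keys); all sample data below is constructed.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed sample Track 2 record.  4111111111111111 is a well-known test PAN, not a live account.
SAMPLE_TRACK2 = ";4111111111111111=25121011234567890?"


@dataclass(frozen=True)
class Track2:
    pan: str
    expiry_yymm: str
    service_code: str
    discretionary: str


def parse_track2(raw: str) -> Track2:
    """Parse ISO/IEC 7813 Track 2: ';' PAN '=' YYMM service-code discretionary-data '?'."""
    if not (raw.startswith(";") and raw.endswith("?")):
        raise ValueError("missing Track 2 start/end sentinel")
    pan, sep, rest = raw[1:-1].partition("=")
    if sep != "=" or not pan.isdigit() or not 12 <= len(pan) <= 19:
        raise ValueError("malformed PAN")
    if len(rest) < 7 or not rest[:7].isdigit():
        raise ValueError("malformed expiry/service code")
    return Track2(pan, rest[:4], rest[4:7], rest[7:])


def luhn_valid(pan: str) -> bool:
    """Luhn check-digit test that every PAN must pass (catches typos, not fraud)."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def stripe_authorize(issuer_pans: set, raw_track2: str) -> bool:
    """All a stripe authorization can check is that the static data is well formed and the account exists.
    A skimmed copy carries byte-identical data, so it is approved exactly like the genuine card."""
    t2 = parse_track2(raw_track2)
    return luhn_valid(t2.pan) and t2.pan in issuer_pans


def _mac(key: bytes, pan: str, atc: int, amount_cents: int, unpredictable_number: bytes) -> bytes:
    """Simplified cryptogram: MAC over counter, amount and the terminal's nonce (EMV ACs are 8 bytes)."""
    msg = f"{pan}|{atc}|{amount_cents}|".encode() + unpredictable_number
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


class ChipCard:
    """Simplified chip: a secret key that never leaves the card plus an application transaction counter."""

    def __init__(self, pan: str, key: bytes):
        self.pan, self._key, self.atc = pan, key, 0

    def cryptogram(self, amount_cents: int, unpredictable_number: bytes) -> tuple:
        """Each call advances the counter, so no two transactions produce the same value."""
        self.atc += 1
        return self.atc, _mac(self._key, self.pan, self.atc, amount_cents, unpredictable_number)


class Issuer:
    """Issuer host: holds the card keys and the highest counter seen per card."""

    def __init__(self):
        self.keys, self.last_atc = {}, {}

    def enroll(self, pan: str) -> ChipCard:
        self.keys[pan], self.last_atc[pan] = secrets.token_bytes(16), 0
        return ChipCard(pan, self.keys[pan])

    def chip_authorize(self, pan, atc, amount_cents, unpredictable_number, mac) -> bool:
        key = self.keys.get(pan)
        if key is None or atc <= self.last_atc[pan]:
            return False  # unknown card, or a counter already used: a replay
        if not hmac.compare_digest(_mac(key, pan, atc, amount_cents, unpredictable_number), mac):
            return False  # amount or nonce altered, or forged without the card key
        self.last_atc[pan] = atc
        return True


def demo() -> dict:
    """Skimmed stripe copy, then genuine, replayed and tampered chip requests."""
    pan = parse_track2(SAMPLE_TRACK2).pan
    issuer = Issuer()
    card = issuer.enroll(pan)
    skimmed_copy = str(SAMPLE_TRACK2)            # what a skimmer captures is identical to the original
    results = {"stripe_clone_approved": stripe_authorize({pan}, skimmed_copy)}
    nonce = secrets.token_bytes(4)               # the terminal's unpredictable number
    atc, mac = card.cryptogram(1999, nonce)
    results["chip_genuine_approved"] = issuer.chip_authorize(pan, atc, 1999, nonce, mac)
    results["chip_replay_approved"] = issuer.chip_authorize(pan, atc, 1999, nonce, mac)
    results["chip_tampered_amount_approved"] = issuer.chip_authorize(pan, atc + 1, 99999, nonce, mac)
    return results


if __name__ == "__main__":
    print(demo())
```

Two separate properties do the work here: the counter check alone defeats a straight replay of a captured authorization, and the MAC binds the amount and the terminal's nonce so a captured cryptogram cannot be reused for a different purchase. Neither protects the stripe, which is why a chip card that falls back to its stripe is only as safe as the terminal's willingness to refuse fallback.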
“We need PIN authentication of cardholders regardless of the chip technology,” Duncan says. Converting to chip cards without requiring PIN is “like locking the front door and leaving the back door open,” he says. “It would be a shame to spend all that money for a half-baked solution.”
Duncan says chip-and-PIN cards would also discourage data breaches because they make it harder for thieves to use stolen card numbers. While card numbers alone can be used online, thieves usually use them to create counterfeit stripe-and-signature cards that are then used to make fraudulent purchases at bricks-and-mortar stores. If chips make the new cards difficult to copy and PINs make them difficult to use, there is less incentive to steal card numbers.
U.S. retailers want a true chip-and-PIN system but see even the best chip-and-PIN only as a bridge to the next technology in the constant game of leapfrog between those who want to protect card data and those who want to steal it. Retailers are taking a “defense in depth” approach, exploring additional security layers like end-to-end encryption and emerging technology like mobile payments made with smartphones, which offer far more computing power than can be contained in a card-based chip.
In 2007, NRF asked the Payment Card Industry Security Standards Council that retailers be allowed to keep only an authorization code for each transaction rather than the card number itself, with banks retaining the card data that could be used to commit fraud, so that a breach of a retailer’s systems would yield nothing a thief could use. The card industry has yet to make the change.
On Capitol Hill, NRF has called on the Senate to give final passage to the Cyber Intelligence Sharing and Protection Act, House-passed legislation that would make it easier for the commercial sector to share information about threats and ensure that cyber crimes are thoroughly investigated and prosecuted. NRF also wants Congress to replace the varying data breach notification laws currently on the books in 46 states and the District of Columbia with a single nationwide standard.
Removing weak links
Beyond chip-and-PIN, the security debate often centers on encryption across the whole payment chain. Retailers spend hundreds of millions of dollars a year to comply with PCI security standards that require encryption and other safeguards. But as Duncan pointed out at the Senate hearing, some payment networks are unable to accept encrypted data and PCI doesn’t require financial institutions to be able to accept it, so data a retailer has carefully encrypted at the point of sale must be decrypted before it is handed off, exposing it in the clear at a crucial point between merchants and the card industry.
“Keeping sensitive data encrypted throughout the payments chain would go a long way to convincing fraudsters that the data is not worth stealing in the first place,” Duncan testified. “We need companies throughout the system to work together on achieving end-to-end encryption so that there are no weak links in the system.”
“Compliance hasn’t driven security,” says Sol Cates, chief security officer with software encryption firm Vormetric. “The bad guys know what PCI is like and what they have to do to work around it.”
Andrew Henwood, director of operations for data security provider Foregenix, says EMV cards are “very hard to clone” but even those that use a PIN encrypt only the PIN, not the card number and other important data.
“Looking back, it would have been better to require that not only the PIN but all of the card data [be] encrypted,” he says. If it was, “we would not have seen the amount of data theft we have.”
Regardless of the technology utilized in payment cards, Henwood says it won’t be effective in the card-not-present transactions of e-commerce. “The e-commerce guys are particularly vulnerable and it’s only going to get worse,” he says, noting that in his forensics work he sees hackers already moving from store-based retailers to online sellers by a factor of 10-to-1.
With some reports tying the Target breach to network credentials stolen from a heating and air-conditioning contractor, retailers need to ensure that there is an “air gap” between the computer systems that handle card data and those that run operational systems like digital signage or climate control, according to Kent Woodruff, chief security officer for CradlePoint, a provider of cloud-managed networking services.
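What Woodruff calls an “air gap” is, in a store network, usually implemented as segmentation: firewall policy that lets the cardholder data environment talk only to its payment processor. Segmentation fails transitively, through a zone that can reach both sides, so it is worth checking as a reachability question rather than rule by rule. The Python below is an added example, not code from the article or from any of the companies quoted; the zone names and both rule sets are a constructed topology chosen to mirror the contractor-to-card-systems pivot described above, not a description of Target’s network.

```python
"""Verifying payment-network segmentation as a reachability question (added illustration).

Zones and rules below are a constructed topology, not any real retailer's network.
A rule (src, dst, service) means the firewall lets hosts in src initiate connections
to hosts in dst.  Reachability is transitive: a foothold in one zone can pivot through
every zone that zone may reach.
"""
from collections import deque

CDE_ZONES = ("store_pos", "payment_switch")                          # cardholder data environment
UNTRUSTED_ZONES = ("vendor_portal", "hvac_bms", "digital_signage")   # operational / third-party systems

# "Before": one flat corporate network.  Every rule looks reasonable on its own.
FLAT_NETWORK = [
    ("vendor_portal", "corporate_it", "https"),   # contractors log in for invoicing and remote support
    ("corporate_it", "hvac_bms", "https"),        # facilities staff manage climate control
    ("corporate_it", "store_pos", "smb"),         # software-distribution shares reach the registers
    ("store_pos", "payment_switch", "tls"),
    ("payment_switch", "processor", "tls"),
]

# "After": the CDE talks only to itself and the processor; vendors reach only what they service.
SEGMENTED_NETWORK = [
    ("vendor_portal", "hvac_bms", "https"),
    ("corporate_it", "hvac_bms", "https"),
    ("corporate_it", "digital_signage", "https"),
    ("store_pos", "payment_switch", "tls"),
    ("payment_switch", "processor", "tls"),
]


def find_path(rules, start, target):
    """Breadth-first search over allowed flows; returns the shortest pivot path or None."""
    adjacent = {}
    for src, dst, _service in rules:
        adjacent.setdefault(src, []).append(dst)
    parent = {start: None}
    queue = deque([start])
    while queue:
        zone = queue.popleft()
        if zone == target:
            path = []
            while zone is not None:
                path.append(zone)
                zone = parent[zone]
            return path[::-1]
        for nxt in adjacent.get(zone, []):
            if nxt not in parent:
                parent[nxt] = zone
                queue.append(nxt)
    return None


def audit_segmentation(rules, cde_zones=CDE_ZONES, untrusted_zones=UNTRUSTED_ZONES):
    """Every path by which an untrusted zone can reach the CDE is a segmentation failure."""
    findings = []
    for untrusted in untrusted_zones:
        for cde in cde_zones:
            path = find_path(rules, untrusted, cde)
            if path is not None:
                findings.append(path)
    return findings


if __name__ == "__main__":
    for name, rules in (("flat", FLAT_NETWORK), ("segmented", SEGMENTED_NETWORK)):
        for path in audit_segmentation(rules) or [["no path into the CDE"]]:
            print(f"{name}: {' -> '.join(path)}")
```

Note that no rule in the flat set names both a vendor zone and a register zone, so a rule-by-rule review finds nothing to object to; only the transitive check surfaces the vendor_portal → corporate_it → store_pos pivot. In practice the tuples would be parsed from a firewall policy export, and the audit re-run whenever a rule changes.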
Woodruff and Rod Rasmussen, president and chief technology officer for IID, agree that retailers need to share more information in order to work more closely together on security.
“Most of these breaches are being carried out with … intelligence traded on sophisticated criminal underground exchanges,” Rasmussen says. “We must form our own exchange networks for ‘good guys’ … or else this cycle will continue.”