White paper

Prepared by: Jeff Hall, Director, Technology Risk Management Services, RSM McGladrey, Inc.
jeff.hall@rsmi.com
612.376.9280
www.rsmmcgladrey.com

The purpose of this document is to explain the issues with Chip and PIN credit cards and their compliance with the PCI Data Security Standard.

Background

Chip and PIN is a British government-backed initiative to implement the Europay, MasterCard and Visa (EMV) standard for credit cards with a built-in integrated circuit (IC), also known as IC cards or Chip and PIN cards. The purpose of Chip and PIN was to reduce the amount of fraud in face-to-face credit card transactions. Chip and PIN is a worldwide standard that has been extensively implemented in Canada and Europe, but has not been introduced into the United States or most of the Far East. With the exception of Discover Financial, all of the other major card brands (Visa, MasterCard, JCB and American Express) have adopted various forms of the Chip and PIN technology.

How Chip and PIN works

Chip and PIN replaces the magnetic stripe and receipt signing common in the United States. In Chip and PIN technology, the information normally contained on the magnetic stripe is recorded on an integrated circuit (IC) contained in the card. The data stored in the IC is encrypted using the DES, 3DES, RSA or SHA encryption algorithms. Rather than swiping the magnetic stripe, the card is inserted into the payment terminal, where the IC is read and decrypted and the transaction is generated for authorization. If authorized, cardholders are required to enter their PIN into the terminal, and then the receipt is generated and the transaction is completed. Chip and PIN terminals provide the capability of processing Chip and PIN cards, as well as having magnetic stripe readers. Chip and PIN terminals can operate over wired, dialup, 802.11 wireless or cellular networks.
In all connectivity environments, the terminals use secure transmission technology to ensure the privacy of cardholder data.

Potential security issues

While Chip and PIN has significantly reduced fraud in face-to-face transactions, there are a number of issues regarding the security of this technology.

The EMV specification is open source and available from a number of sources, including EMVCo. Because of this, attackers can obtain the specification to build their own hardware and software for creating and processing Chip and PIN cards, as well as to create attack methods to compromise the cards. This has led to a number of successful attacks on the Chip Authentication Protocol/Dynamic Passcode Authentication (CAP/DPA) protocols, resulting in cloned cards as well as in obtaining and computing valid PINs.

Another concern is that the entry of the PIN can be bypassed by the merchant. If bypassed, a receipt is generated and signed by the cardholder, no different from a transaction performed with a traditional credit card. While European banks have tried to discourage this practice, the option is still available, and it provides no additional protection against fraudulent transactions.

Theft of physical credit cards has risen since the introduction of Chip and PIN technology. Criminals often hold victims hostage and threaten them with bodily harm until they reveal their PIN, which the criminals can confirm with a simple card reader. Card readers are easy to come by, as a number of UK banks flooded the market with card readers when Chip and PIN cards were introduced. Banks encourage credit and debit card customers to take their card readers along with them. The readers require entry of the PIN to display information from the card. Security researchers found four keys on a customer's card reader that were heavily used and worn, which reduced the likelihood of guessing the card's PIN from 1 in 3,333 to 1 in 8.
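The worn-key figures above follow directly from the PIN try counter and simple counting. The Python below is an added example, not from the paper or RSM: it reproduces the 1 in 3,333 and 1 in 8 numbers and, going a step further than the paper, shows how the candidate space shrinks for one, two, three or four worn keys. It assumes a four-digit PIN and a three-attempt lockout, which are assumptions, not values stated in the paper.

```python
from itertools import product
from fractions import Fraction

# Added example, not from the paper: reproduce the paper's "1 in 3,333" and
# "1 in 8" figures and show how each extra worn key narrows the search.
PIN_LENGTH = 4
ATTEMPTS_BEFORE_LOCKOUT = 3  # assumption: typical chip PIN try counter


def candidate_pins(worn_keys):
    """Every PIN whose digit set is exactly the set of worn keys.

    Wear on k keys tells an observer that the PIN uses those k digits and
    no others (each worn key at least once); four worn keys leave only the
    4! = 24 orderings of those digits.
    """
    worn = set(worn_keys)
    return [''.join(p) for p in product(sorted(worn), repeat=PIN_LENGTH)
            if set(p) == worn]


def guess_probability(n_candidates, attempts=ATTEMPTS_BEFORE_LOCKOUT):
    """Chance of hitting the PIN before the try counter locks the card."""
    return Fraction(min(attempts, n_candidates), n_candidates)


def baseline_probability(attempts=ATTEMPTS_BEFORE_LOCKOUT):
    """Odds with no keypad information: 3 tries over 10,000 PINs, ~1 in 3,333."""
    return Fraction(attempts, 10 ** PIN_LENGTH)


def wear_table():
    """Candidate count and guess odds for 1..4 worn keys (constructed inputs)."""
    rows = {}
    for keys in ('7', '27', '274', '2749'):
        n = len(candidate_pins(keys))
        rows[len(keys)] = (n, guess_probability(n))
    return rows


if __name__ == '__main__':
    print('no wear info:', baseline_probability())
    for k, (n, p) in sorted(wear_table().items()):
        print(f'{k} worn key(s): {n:3d} candidate PINs, odds in 3 tries = {p}')
```

The takeaway for a defender is that a keypad leaks information through wear alone, which is one argument for replacing worn PIN pads and for keypad layouts that randomise digit positions.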
Chip and PIN cards connected to PCs can generate authentication tokens, but the CAP/DPA standards do not specify how these tokens should be used in an online environment. In addition, not all e-commerce sites and banks have implemented this capability in their Internet processing environments. As a result, the security of online environments is not enhanced by using Chip and PIN cards. Some banks will not allow their Chip and PIN cards to be used online.

PINs are typically the same for both Chip and PIN cards and ATM/cash cards if a person has both types issued by the same bank. As a result, if you know the PIN for one, you know it for both.

Offline entry of PINs is supported by certain cards in certain countries. In offline mode, the PIN is not encrypted, so it can readily be retrieved in plain text from the terminal.

A shift in attack strategy

The introduction of Chip and PIN technology has moved attacks to the merchant terminal or integrated point of sale (POS) solution. In the case of terminals, the terminal is modified by the attacker to record the information on the chip after it is decrypted (skimming). Since most terminals use some form of high-speed network connection, the compromised terminal periodically sends the captured chip data to an attacker anywhere in the world. For POS, attackers compromise the POS station and then obtain the chip data by monitoring the program that processes the Chip and PIN card. Again, since most POS terminals are on a network, attackers have their capture program send the captured card data to their computer. A number of incidents involving the skimming of Chip and PIN cards using tampered software or terminals have been documented. Skimmed cards are typically sold in areas, like Asia and the United States, where magnetic stripes are still used. The incidence of compromised terminals and POS systems has risen significantly since the introduction of Chip and PIN technology.
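What a compromised POS process can skim depends on whether cleartext card numbers ever reach application logs and files, and the PCI compliance section later in this paper notes that terminals and backend systems must mask cardholder data. The Python below is an added example, not code from the paper or RSM: it scans constructed POS log lines for unmasked PANs, Luhn-validates candidates so transaction ids and timestamps are not flagged, and rewrites hits in the PCI DSS first-six/last-four form. The log format and the sample card numbers (public test numbers) are constructed for the example.

```python
import re

# Added example, not from the paper: flag and mask cleartext card numbers
# in POS/terminal application logs. PCI DSS masking shows at most the first
# six and last four digits of a PAN.
PAN_RE = re.compile(r'(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)')

def luhn_ok(digits):
    """Luhn check; drops most timestamps, transaction ids and amounts."""
    total, double = 0, False
    for ch in reversed(digits):
        d = int(ch)
        if double:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
        double = not double
    return total % 10 == 0

def mask_pan(pan):
    """PCI DSS display form: first six and last four digits visible."""
    return pan[:6] + '*' * (len(pan) - 10) + pan[-4:]

def scan_line(line):
    """Return (masked line, list of PANs found) for one log line."""
    found = []
    def repl(match):
        digits = re.sub(r'[ -]', '', match.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
            return mask_pan(digits)
        return match.group(0)   # not a card number: leave untouched
    return PAN_RE.sub(repl, line), found

def scan_log(lines):
    """Scan a log; returns the masked lines and the number of PANs found."""
    masked, total = [], 0
    for line in lines:
        out, found = scan_line(line)
        masked.append(out)
        total += len(found)
    return masked, total

# Constructed sample log lines using public test card numbers, not real accounts.
SAMPLE_LOG = [
    '2024-03-01 12:00:01 AUTH req pan=4111111111111111 amt=12.50 entry=ICC',
    '2024-03-01 12:00:02 AUTH req pan=5500 0000 0000 0004 amt=8.00 entry=MSR',
    '2024-03-01 12:00:03 AUTH ok pan=411111******1111 txn=1234567890123456',
]
```

Running scan_log(SAMPLE_LOG) reports two unmasked PANs (the first two lines) and leaves the already-masked third line, including its Luhn-invalid transaction id, untouched.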
Prior to Chip and PIN, cardholders typically only entered their PIN at ATMs. With the introduction of Chip and PIN, a cardholder's PIN is now entered in restaurants, supermarkets and anywhere else these cards are accepted. As a result, security analysts have complained that a cardholder's PIN is more likely to be compromised, since it is provided in more venues. The credit card industry has responded by changing the PIN pad standard to include shielding around the keypad on the terminal to make observing the entry of the PIN more difficult. However, the shielding is not a perfect solution, and PIN entry can still be observed. In addition, terminals with the new shielding have only been available since early 2007 and, given the cost of terminals, the rollout of shielded terminals will take at least five or more years to complete.

In addition to direct observation, with the amount of video surveillance implemented by merchants and government entities in Europe, there is a concern that this video surveillance contains a significant amount of footage showing cardholders entering their PINs. It is this video monitoring, coupled with skimming, that law enforcement authorities believe leads to most of the cloned Chip and PIN cards in Europe. Because most Chip and PIN cards still have a magnetic stripe for use outside of Europe, the magnetic stripes of Chip and PIN cards can be cloned and then used anywhere. Chip and PIN cards that are skimmed are typically used in Asia and the United States.

PCI compliance

The standards promulgated by the PCI Security Standards Council are worldwide in nature. So, regardless of the type of card used, all merchants and acquirers are required to comply with all PCI standards. This is legally enforced through merchant and service provider agreements between these entities and the card brands. Agreements were updated worldwide over the last three to four years to include addendums that require all parties to be PCI compliant.

Though Chip and PIN cards and their terminals are different, the integrated POS and the backend systems that authorize and process transactions are not. These systems provide their functionality the same way regardless of the card used. At a minimum, these backend systems process and transmit cardholder data, but they may also store cardholder data. As a result, these backend systems must comply with the PCI standards.

Chip and PIN terminals are no different than their magnetic stripe swiping cousins. They require proper configuration to ensure that they mask cardholder data and transmit transactions securely, so that they comply with the PCI Data Security Standard. They are also required to comply with the PCI PIN Entry Device (PED) standard.

Conclusion

Chip and PIN reduces face-to-face transaction fraud, but it does not remove all of the risks involved in the use of a credit card. As a result, there is still significant effort required to ensure that an organization's credit card processing infrastructure is secure and complies with the various relevant PCI standards.

For more information, please contact Jeff Hall at 612.376.9280 or jeff.hall@rsmi.com.

RSM McGladrey, Inc. and McGladrey & Pullen LLP have an alternative practice structure. Though separate and independent legal entities, the two firms work together to serve clients' business needs. RSM McGladrey, Inc. is not a licensed CPA firm. RSM McGladrey and McGladrey & Pullen serve clients' global business needs through their membership in RSM International, the seventh-largest worldwide organization of independent accounting and consulting firms (source: International Accounting Bulletin), with 680 offices and 27,000 professionals in 65 countries. To learn more, call 800.274.3978 or visit www.rsmmcgladrey.com.