

As EMV Deadline Approaches, Retailers May Be Distracted from Key Security Priorities

January 30, 2015 / Christopher Strand

Over the last few months, there has been much talk of the impending EMV chip-and-PIN technology deadline issued by the major card brands and supported by regulatory standards organizations, such as PCI SSC, and the U.S. government.

Any business that accepts credit cards via point-of-sale (POS) devices must implement EMV chip-and-PIN technology by the established deadlines or risk increased financial liability (as well as being insecure).

Many industries are getting on board in recommending EMV as the one sure way of defending card transactions against the litany of attacks that have successfully targeted POS systems over the last year. But they may be too focused on that issue.

With the recent threat activity around POS systems, and the responsibility to meet the pending EMV chip-and-PIN deadline, many businesses may be getting distracted from the other growing security threats to payment systems.

The ability to process credit card transactions is critical for retailers and many other types of businesses. But with such an intense focus on implementing EMV technology, are businesses failing to address the compliance and security of their POS devices and other core payment systems?

Focusing too heavily on EMV or, worse, viewing it as a panacea, presents serious risk to the security posture of any organization, and there are a few considerations to take into account to ensure businesses recognize the situation:

1 – Adoption rates of EMV are going to be slow across retail. They may get to chip-and-signature but fail to implement full PIN pad transactions by the looming July through October 2015 deadlines. There is a good chance that many retailers will not be able to institute full chip-and-PIN by the end of this year. This will cause them to miss the deadlines and also leave other important systems at risk.

In fact, some research indicates that it is going to be impossible to meet industry-wide EMV chip-and-PIN implementation for years to come. This represents a problem for retail PCI compliance—and, of course, security—as it leaves the merchant systems exposed on many levels within the payment transaction. Retailers will need to ensure that they have adequate defense mechanisms on top of EMV chip-and-signature or any implementation combination of EMV to ensure the protection of their entire payment ecosystem and the transactions cycling within it.

2 – EMV is only going to minimize the threat window on the front end and will not protect the entire payment transaction process: EMV is designed as an authentication technology, not a data security technology. A full implementation could increase the amount of valuable information sent within the payment process. For EMV to function, some information is sent through the system in clear text at certain points within the transaction.

This creates new problems for merchant payment systems since it opens another potential compromise point—the POS system could be compromised at other points in the transaction due to the increased exposure of sensitive data.

We are actually sending more data up to the POS. On top of that, EMV implementation progress will still do nothing to help protect payment processing servers and systems, which often are an overlooked, but critical, component of the payment process and in full scope of regulations like the PCI DSS.

3 – EMV will do nothing to help with the shift to “Card Not Present” transactions such as eCommerce and other payment systems. Many retailers are making a gradual shift to other forms of payment systems and cannot discount the threat to those systems. Solutions need to be in place that will protect these systems adequately to guarantee the security of the critical data used in transactions.

I discussed this notion, as well as the move to EMV technology, during a recent webcast with two other industry leaders: one from a prominent international airline, and the other from the PCI council.

I’ll dive more deeply into each of these distractions in subsequent posts. In the meantime, I encourage you to read my recent post about the considerations and limitations of EMV technology.

TAGS: Carbon Black / chip and pin / EMV / point-of-sale / security