
12 security problems that EMV and tokenization won’t solve

Nov 18, 2014

On Nov. 1 of next year, merchants that aren’t ready to accept chip-based cards instead of the current magnetic-stripe cards will become liable for fraudulent transactions that today are covered by the credit card companies.

That means that a lot of retailers will be switching to new, EMV-compliant point-of-sale terminals — and, while they’re upgrading, many will also roll out tokenization and end-to-end encryption as part of the package.


This will dramatically increase security in the area of retail payments. But it doesn’t mean that the retail industry will instantly become bullet-proof. Here are 12 likely bumps in the road in the journey to credit card security.

1. The transition period is likely to have some problems

The next 12 months will be very interesting, says Stephen Cobb, senior security researcher at Bratislava, Slovakia-based ESET, LLC.

“If I was a bad guy I would be probing for gaps during the transition, and those are pretty much inevitable,” he said. “Whether it’s backwards compatibility, or just the kind of errors that occur when you transition from one system to another. And some notorious hacks over the years have occurred when a system has been down for maintenance.”

And it’s not just the transition period, either. With every technology there’s a gap between how it should be used in theory and how it’s actually rolled out in practice.


“Time and time and again we’ve seen systems fail not because they have a flaw but because they were implemented poorly,” said Jeff Man, a PCI security evangelist at Columbia, Md.-based Tenable Network Security.

2. Chip-and-signature isn’t as secure as chip-and-PIN

A PIN is more secure than a signature, but the new EMV standards allow for a choice of cardholder verification methods.

“There’s not been a single documented case where PINs were compromised,” said Paul Kleinschnitz, senior vice president and general manager of cybersecurity at First Data. “It’s a requirement for the PINs to be encrypted in the terminal.”

Retail clerks are notorious for not paying attention to the signatures on the back of cards and rarely ask for identification.

“This is the only major market where it’s being brought in as EMV and signature instead of EMV and PIN,” said Sean Curran, director of the technology infrastructure and operations practice at Chicago-based West Monroe Partners, a business and technology consulting firm.

3. Tokenization and encryption aren’t actually a requirement

Depending on how merchants decide to roll out EMV, card data could still be transmitted through the merchant network unencrypted.

“Tokenization isn’t part of the standard, and not part of the requirement,” said Curran.

If a merchant rolls out EMV without anything else, most of their systems will continue to be just as vulnerable as they are today.

4. Move to tokenization might be slow, uncertain

Except for purely local tokenization systems, merchants have to wait for issuers and payment processors to offer tokenization before they can roll it out.

“As of now, standards have not yet been adopted and fully vetted by the industry and there is still little known about the cost barriers to wide use of tokens,” said Randy Vanderhoof, executive director at New Jersey-based Smart Card Alliance. “Because of these factors, that is more likely a two to five year window.”

5. Merchants still need to keep some customer data

There probably are small stores out there that do not collect any customer information at all.

“But larger merchants must have data for analytics, store planning, merchandising, up-selling and cross-selling,” said Suni Munshani, CEO at Stamford, Conn.-based Protegrity USA. “It’s impossible for them to do all that without data, so they must store the data.”

Some companies have reasons to store part or all of the payment data, as well — say, to allow customers to keep payment methods on file, for convenience when shopping.

Protegrity’s solution is to leave the code books in the hands of the merchants, instead of outsourcing them to the payment processors.

“The merchant has to protect the de-tokenization process, since it’s all in the merchant’s hands,” he admitted. “But it means that the company is not wedded to the payment processor.”

6. Many companies still don’t have the basics down

So, for many of the above reasons, many merchants will continue to have credit card numbers and similarly sensitive information in their systems. And crooks will continue to go after them.

Some of those crooks will find it particularly easy to get at that data.

According to the Verizon 2014 PCI Compliance Report released earlier this year, 78 percent of breaches used techniques in the “low” or “very low” difficulty categories.

Take, for example, the Payment Card Industry Data Security Standard’s first requirement: install and maintain a firewall to protect cardholder data. According to the Verizon report, only 64 percent of companies had this in place.

The second requirement? Not to use vendors’ default passwords or security settings. Only 51 percent of companies met this requirement last year.

Retailers busy rolling out EMV should take care that they’re not so busy that they’re distracted from addressing these basic security issues.

7. Even with encryption and tokenization, the risk isn’t going away — it’s just moving next door

There are a couple of different ways to do tokenization, but the one that reduces liability for merchants to the biggest degree is where the merchant never actually sees or holds the real credit card number at all.

That’s the case with First Data’s tokenization product, TransArmor, which converts the valuable credit card information to a random token via a quick, encrypted communication right when the customers use their cards, and the token isn’t converted back to a real credit number until the transaction is finally processed by First Data.

The retailer only gets the token placeholder — meaningless to a thief without the codebook, and First Data holds the code book.
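To make the processor-held code book concrete, here is an added toy model in Python (my own illustration, not First Data’s or any vendor’s code): the merchant’s database stores only a random token plus the last four digits, the vault on the processor side holds the token-to-card mapping, and de-tokenization is possible only with that vault. Class and function names are assumptions for the example.

```python
import secrets
from dataclasses import dataclass, field


def luhn_ok(pan: str) -> bool:
    """Reject obviously malformed card numbers before tokenizing (Luhn mod-10)."""
    if not pan.isdigit() or len(pan) < 13:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:           # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class ProcessorVault:
    """Processor-side 'code book': the only place the real card number lives."""
    _store: dict = field(default_factory=dict)

    def tokenize(self, pan: str) -> str:
        if not luhn_ok(pan):
            raise ValueError("invalid PAN")
        # The token is random, not derived from the PAN, so it reveals nothing
        # even with the algorithm known; last four digits are kept for receipts.
        token = "tok_" + secrets.token_hex(8) + "_" + pan[-4:]
        self._store[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Only the processor calls this, when the transaction is settled."""
        return self._store[token]


@dataclass
class MerchantDB:
    """What the retailer keeps: tokens and amounts, never the PAN."""
    orders: list = field(default_factory=list)

    def record_sale(self, token: str, amount_cents: int) -> None:
        self.orders.append({"token": token, "amount": amount_cents})

    def contains_pan(self, pan: str) -> bool:
        """Breach check: would a dump of the merchant DB expose this card number?"""
        return any(pan in str(order) for order in self.orders)


def sale(vault: ProcessorVault, db: MerchantDB, pan: str, cents: int) -> str:
    token = vault.tokenize(pan)   # returned to the terminal at swipe time
    db.record_sale(token, cents)  # merchant stores the placeholder only
    return token
```

Running `sale()` and then `contains_pan()` on the merchant database shows the point of section 7: a thief who copies the merchant’s records gets tokens, and the value has moved to whoever holds the vault.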

Chances are, the crooks aren’t about to give up and go home. Instead, they’re likely to focus their attention on the payment processing company, instead.

That’s nothing new, according to First Data’s Kleinschnitz. “We’re managing that risk already,” he said.

And the company is preparing to take on even more of that risk, he said, by investing a quarter of a million dollars a year in increased cybersecurity.

8. The public might not care who is liable

If a breach occurs and hackers steal tokenized data and are then able to somehow convert that data into usable form, customers might be just as likely to blame the merchant for the loss as they are to blame the payment processor.

“It’s a public perception issue,” said Tenable’s Man. “Will the public really care that it was really the data processor that was liable?”

In addition, just because it is hard to do something, doesn’t mean it’s impossible.

“It is a more difficult challenge,” said Man. “But a couple of years ago, harvesting credit card data one transaction at a time from a point of sale seemed a hard task for hackers. They’ve figured it out.”

9. Magnetic stripe cards will still work

Since not all merchants are going to upgrade their systems at once, new chip-equipped payment cards will still have to have the magnetic stripes, as well.

One problem that will result is that hackers will still be able to use stolen credit card numbers to create cloned magnetic stripe cards.

In other countries, when a shopper attempts to use a magnetic stripe card when the issuer has already switched to EMV, the card gets declined.

“But because this is a transitional period, there will be an ability to override that,” said West Monroe’s Curran. “So how do merchants act in this scenario? It’s suggested that it’s the merchant’s liability, even though the merchant has no way of being able to protect against it.”

In addition, the new standards are coming into force just before next year’s big shopping season.

“If you’re a merchant and there’s a line 10 people deep and the card’s not working, you’re going to do whatever you can to keep that line moving,” he said.

10. Fraud will move to online channels

That same server could also just write down the numbers on the card — and then use them for online purchases, telephone shopping and other “card not present” situations.

“Retailers need to begin exploring alternate technologies to protect the card-not-present channels and mobile channels,” said Randy Vanderhoof, executive director at New Jersey-based Smart Card Alliance. “This is where fraud is most likely going to migrate to.”

Plus, online systems are themselves potentially vulnerable to cybercrime.

“While the focus has been on POS malware intrusions, there is still an awful lot of SQL-injection and cross-site scripting going on out there,” said Lev Lesokhin, senior vice president at France-based CAST, a software analysis vendor.

In Canada for example, EMV was rolled out in 2008, and annual counterfeit card fraud dropped by CA $134 million by 2013 — while card-not-present fraud actually increased by CA $171 million during the same time period, according to the Aite Group.

11. Criminals will broaden their sights

If the new security measures prove effective, and the value of stolen credit card numbers decreases, criminals will simply turn to other types of crime, said Stephen Cobb, senior security researcher at Bratislava, Slovakia-based ESET.

The value of Social Security numbers and other types of identity information could become relatively more important, for example.

“If I’m a bad guy looking to make money off data, that would be an area I’d look to,” he said. “Other areas of fraud that are not mined that much at the moment might see more attention, such as billing fraud, fraudulent wire transfers, and medical fraud.”

12. Hackers will now focus their attention on cracking EMV

Criminals, just like anyone else, use their resources where they’ll have the biggest impact.

As country after country switched to EMV, criminals focused their attention on the United States — a giant, ripe and swollen low-hanging fruit.

“I don’t think people are seeing all the real exploits and risks yet because the US was such a big market and so easily attacked,” said West Monroe’s Curran. “In the next two years, we’re going to see the EMV protocol itself being tested and potential risks being exposed that aren’t exposed today.”

We’ve already seen one vulnerability discovered, with the “pre-play” attack that leveraged badly implemented random number generators to, in effect, clone chip-based cards.