EMV is an acronym for Europay MasterCard Visa. It is a global payment system that will replace the magnetic stripe (“mag-stripe”) on the back of all debit and credit cards with an embedded microprocessor that will be more difficult to counterfeit and, in most cases, very difficult to extract sensitive payment card information. The mag-stripe that is affixed to current credit cards contains the Payment Account Number (PAN) and other sensitive information and is easily readable by simple technology.
The purpose of EMV is to fight back against the rising cost of fraud. EMV is implemented in most of the developed nations around the global and is scheduled to be implemented in the U.S. in October 1, 2015. The EMV processor contains an operating system, applications and data, which will enable POS systems to read required information in order to apply financial transactions.
How EMV without controlling POS malware isn't going to solve the problem
EMV primarily impacts credit cards but merchants will have to purchase EMV chip-supported card readers and modify terminals to accept the new standard. Despite these new measures merchants will still need to maintain diligence for their checkout systems; some reasons being:
- EMV is a compatibility standard, not a security standard so it supports both secure and nonsecure authentication and transactions. It is possible, under certain circumstances, for an infected POS to read sensitive cardholder information from some types of EMV chips without the customer’s knowledge or authorization.
- EMV supports authentication by way of Personal Identification Numbers (PIN) that are usually 4-digit numbers that a customer enters during a transaction. The PIN is identical to the 4-digit password that a bank customer will enter when withdrawing money from an ATM. EMV supports secure PIN authentication in most cases but even aside from that, EMV cannot protect the customer if the PIN pad is infected with malware because the PIN must be unencrypted when entered by the customer.
- EMV supports, but does not mandate, encrypted transaction data transfer between the merchant and the payment service (e.g. Visa, MasterCard, etc.) In most cases the merchant is responsible for the secure transaction. In this case the PAN and other sensitive data would be transferred to the POS unencrypted which may give any installed malware a brief window of opportunity to access all of the necessary cardholder data. Tokenization will not protect against this form of an attack because the payment service must receive a valid PAN in order to assign an associated token to return to the merchant. Tokens protect merchants from breaches involving stored PAN’s after the transaction.
- The EMV processor, like any other computer processor, operating system or software, cannot be guaranteed to be free of zero-day vulnerabilities. Errors will always exist in computer resources and while EMV processors are rigorously tested for vulnerabilities it is impossible to test against all scenarios. It may be possible for an attacker to discover a zero-day vulnerability in the EMV processor and may be able to exploit that vulnerability through an infected POS terminal. Proper security requires a layered approach that means if an attacker manages to penetrate one security layer then the next layer would thwart the attacker’s chances of accessing critical data. Relying on one standard to guard against an attack is strongly discouraged.
There is precedence where attackers have discovered flaws that were not known to exist before and exploit those weaknesses for gain; the Heartbleed vulnerability is one common example.
Conclusion
Despite the security improvements EMV offers over mag-stripe merchants will still need to maintain a proactive security posture for their checkout systems. Attackers are always looking to exploit the “weak link in the chain” and any financial transaction process contains inherent risks. History has shown that the work needed to maintain a strong defensive posture consumes far less cost, time and labor than suffering and recovering from a massive data breach.
The desire for illicit financial gain will always exist and intelligent criminals tend to quickly adapt their techniques to stay ahead of innovation.
One thing is certain: EMV is being touted as a strong security standard so if criminals manage to bypass this new standard to steal money and/or data from merchants; aside from the actual loss that merchant will have the unfortunate distinction of being the “first to be breached under EMV.” Don’t be that merchant.
The Author
He's also active in: