Why EMV Isn't the Answer to Breach at Target

This post was written by Shift4's VP of Business Development, Bob Lowe.

By now, I’m sure most of you have heard about the credit and debit card data breach at Target stores. If not, get caught up here first and this post will make more sense.

Likewise, you have probably seen the litany of articles published over the past two weeks speculating about how it happened and what security technologies may or may not have been in play. Now, we’re not prone to wild speculation or finger pointing, so we have kept out of the discussion until now, but we just can’t stand by as the self-proclaimed payment security experts publish absolute BS in the hopes of capitalizing on Target’s misfortune.

Case in point: there are articles out there that clearly say that EMV (chip and PIN) payment cards would have prevented this type of breach from occurring. This is absolutely untrue.

Why is that?
EMV is all about the interaction between the card and the device that reads it. Most EMV devices still send clear-text card numbers from the device to the POS, so the POS receives exactly the same information as when a traditional magnetic stripe PIN debit or signature card is used.

There’s also a lot of talk about whether the PINs that were lost were encrypted or unencrypted, and whether Target’s PIN encryption key was strong enough. First of all, the processor that receives the transaction provides the encryption key, not Target. Also, the PIN encryption method is provided by the device manufacturer – and must comply with strict PCI regulations. The encryption takes place inside the secure swipe device, and Target would not have the ability to decrypt it. So if the PINs are compromised, it’s not because Target had a weak key; it’s because the processor had a weak or compromised key.

When talking about PIN encryption, it’s important to realize that in most payment terminals, while the PIN is encrypted, the card number and the other information from the card’s magnetic stripe are not. We should also remember that PINs are not used with credit transactions, only debit.

P2PE Solution
One technology that actually could have made a difference in this case is point-to-point encryption (P2PE). This newer approach ensures that the card number and all the stripe information, not just the debit PIN, are encrypted inside the swipe device. If Target had used P2PE, then they would not have had any sensitive cardholder data in their environment to lose – so even when they were hacked, the thieves would have gotten nothing of any value.
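To make the P2PE argument concrete, here is an added example in Go. It is not Shift4’s code and not any real terminal’s firmware; it models the division of responsibility the paragraph describes: the swipe device encrypts the full track data under a key derived for that one transaction, the POS only forwards ciphertext, and only the processor can decrypt. The terminal key, serial number, test PAN and the HMAC-based key derivation are constructed simplifications (a deployed terminal would use DUKPT and an HSM); the AES-GCM tag additionally detects any modification in transit, which goes a step beyond what the paragraph states.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

// EncryptedTrack is all that leaves the terminal: ciphertext plus the values
// the processor needs to re-derive the transaction key. No PAN anywhere.
type EncryptedTrack struct {
	Serial  string // terminal serial number
	Counter uint32 // per-transaction counter
	Nonce   []byte
	Cipher  []byte // AES-GCM ciphertext and tag over the track data
}

// Terminal models the tamper-resistant swipe device; its injected key never
// exists in the merchant's software (simplified stand-in for a DUKPT key).
type Terminal struct {
	Serial  string
	key     []byte
	counter uint32
}

// DeriveTxnKey gives each transaction its own AES-256 key: cracking one key
// yields one card, the "dynamic key" property the post relies on.
func DeriveTxnKey(terminalKey []byte, serial string, counter uint32) []byte {
	mac := hmac.New(sha256.New, terminalKey)
	mac.Write([]byte(serial))
	var c [4]byte
	binary.BigEndian.PutUint32(c[:], counter)
	mac.Write(c[:])
	return mac.Sum(nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Swipe encrypts the track data inside the terminal, before the POS sees it.
func (t *Terminal) Swipe(track2 string) (EncryptedTrack, error) {
	t.counter++
	gcm, err := newGCM(DeriveTxnKey(t.key, t.Serial, t.counter))
	if err != nil {
		return EncryptedTrack{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return EncryptedTrack{}, err
	}
	// Serial bound as associated data: the message cannot be re-addressed.
	ct := gcm.Seal(nil, nonce, []byte(track2), []byte(t.Serial))
	return EncryptedTrack{Serial: t.Serial, Counter: t.counter, Nonce: nonce, Cipher: ct}, nil
}

// POSExposesPAN plays the memory scraper on the register: is the PAN in what the POS holds?
func POSExposesPAN(msg EncryptedTrack, pan string) bool {
	return bytes.Contains(msg.Cipher, []byte(pan))
}

// Processor holds the terminal keys (in practice inside an HSM); the merchant never has one.
type Processor struct {
	TerminalKeys map[string][]byte
}

// Decrypt re-derives the transaction key; any modified ciphertext fails the GCM tag check.
func (p *Processor) Decrypt(msg EncryptedTrack) (string, error) {
	key, ok := p.TerminalKeys[msg.Serial]
	if !ok {
		return "", errors.New("unknown terminal")
	}
	gcm, err := newGCM(DeriveTxnKey(key, msg.Serial, msg.Counter))
	if err != nil {
		return "", err
	}
	pt, err := gcm.Open(nil, msg.Nonce, msg.Cipher, []byte(msg.Serial))
	if err != nil {
		return "", errors.New("authentication failed: tampered or wrong key")
	}
	return string(pt), nil
}

// Constructed sample values: a throwaway terminal key and a test PAN.
var (
	SampleKey    = bytes.Repeat([]byte{0x42}, 32)
	SampleTrack2 = "4111111111111111=2512101"
)
```

The point to take from the example is where the key lives: the POS and everything behind it in the store can be fully compromised and a memory scraper still only collects `EncryptedTrack` values it cannot open, because neither the terminal key nor any transaction key was ever present on the register.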

Some media have carried stories that suggest the encryption, while strong enough to thwart an amateur hacker, was not strong enough to beat the attack from serious cyber criminals. That’s where gateways like Shift4 add value. We take the P2PE-protected data, which already has a dynamic key that changes for each transaction, and encrypt it again using what we call “moving target encryption.” Even if the best cyber criminals were able to hack this double encryption, which is unlikely, they would only get one card number. Then they would need to repeat the cracking exercise for each additional card. With the cyber criminals selling magnetic stripe information for about $25 a card, the effort needed to steal one card number when these technologies are involved becomes unprofitable.

Why Didn’t They Have P2PE?
It is unfortunate that an existing technology – one that is readily available in the marketplace – could have prevented this whole situation had it been put in place. The challenge the payment industry faces is that being PCI compliant and being secure are not the same thing. An organization like Target can be deemed PCI compliant but can still be breached. And after an organization is breached, it will then be deemed to have been non-PCI compliant at the moment of the breach – even if it was PCI certified the day before! The problem is that PCI does not encourage or reward an organization for taking the additional steps and spending the additional money to invest in strong security technologies like P2PE and the other advanced security solutions companies like Shift4 offer – even when those technologies are readily available and proven in the real world.

Now that Target is struggling to restore public faith in its card acceptance practices and turn around the drop in revenues it experienced after the breach, it’s probably a good time to suggest that organizations that use P2PE and higher levels of security should be rewarded by being able to display a high-security badge at the point of sale, much like restaurants proudly post their “A” rating food safety sign from the health department to let customers know they follow verified, proper food safety protocols. This “high-security” badge for retailers and other establishments would become recognizable by the public as marking the organization a safe place to shop. It would also give merchants a legitimate goal to shoot for, since we’ve clearly seen that “PCI compliant” really doesn’t mean anything.


Archived Comments

Jeff Hall (aka PCI Guru) wrote on 01/05/14 6:30 AM

Actually, Target does use a P2PE or E2EE solution from their POS to their internal transaction switch. The problem is that the attacker inserted their malware in between the terminal and that P2PE solution. This is why single use codes need to be used as the way to stop these sort of breaches.

Bob Lowe wrote on 01/06/14 10:05 AM

From what you're saying, Target didn’t have encryption at the head, which is what most people now think of as P2PE. Instead, they had clear text coming into the terminal and then encrypted it before sending it to the switch. It's now a matter of record that this approach left the terminals vulnerable. The whole point of P2PE is that the encryption takes place inside a secured hardware swipe and it is not decryptable within the merchant environment. Sadly, although Target used encryption, they clearly had sensitive card data in their environment, and worse, also had the encryption/decryption keys within their organization. So even if it had been encrypted data that was lost, it would still have constituted a breach.

This underlines the whole challenge the payment card industry has: organizations want to tick a box and say "I have P2PE" or "I have Tokenization" as these technologies are what they are hearing secure organizations use. Unfortunately, many of the implementations of these technologies fall short - too often because the solutions vendors offer as P2PE or Tokenization really are not that. (We refer to weak Tokenization solutions as TINO, Tokenization In Name Only to draw attention to this.)

Organizations need to recognize that if they have card data anywhere in their network they are vulnerable to attacks. The technology is readily available to reduce the existence of sensitive card data in a merchant's environment to just the inside of a tamper-proof payment terminal. Having card data anywhere other than that is just too much of a risk these days.

malllen wrote on 01/07/14 8:44 PM

There's a much better way to do all of this. It won't work for everyone, but the fact is, I have my OWN data connection with me at all times. The more secure way to handle this is to let ME make a secure connection over MY OWN data connection and instruct my bank to transfer money to Target. Once Target receives the payment, I'm good to go.

That's the problem with most of these electronic transfer systems being implemented. They say "pay with your phone" but really, it's usually just the same old paradigm. I give some sensitive information to the merchant, who uses that to verify my identity and to verify that I have consented to pay.

There are various systems that would be highly resistant to attacks. Suppose, for instance, I store my private key, under still more encryption, using a password. My thought is a smart card embedded credit card with a keypad attached to the card itself. If credit cards were all manufactured like this, it would add little to the cost. If I don't give the PIN or password, it won't decrypt it. If it's stolen, it's worthless without my PIN.

So now, I go to pay. The merchant's system sends a block of data to the card. That data block contains two halves: one half is the payment amount and information, the other half is a digital signature of the first. My card makes a digital signature of this data block and returns the information to the merchant, who sends it to the payment processor. The payment processor then verifies the store's signature and my signature and processes the payment.

So, if you eavesdropped on the data, you get nothing. You can go ahead and try to redo the transaction, but it's already been done. All that was transferred was a digitally signed request to transfer, one single time, an amount from my account to the merchant's account.

The processor would interpret that as "Check that I have not already completed this transaction, and if not, then do it". But to change the system costs money, and they are happy with the fraud, because they can pass the costs to us in fees.
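The flow in the comment above, as an added example in Go that is not part of the original post, the commenter's own design or any real payment scheme: the merchant signs the payment block, the card signs the merchant's block plus signature, and the processor verifies both signatures and refuses a second execution of the same transaction ID. The merchant and card identifiers, Ed25519 as the signature scheme, the JSON encoding of the block and the in-memory "completed" set are all assumptions; the PIN unlock of the card's key is left out.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"errors"
	"fmt"
)

// PaymentRequest is the block the merchant hands to the card: one specific
// transfer, identified by a TxnID that may be executed at most once.
type PaymentRequest struct {
	TxnID       string `json:"txn_id"`
	Merchant    string `json:"merchant"`
	AmountCents int64  `json:"amount_cents"`
	Currency    string `json:"currency"`
}

// SignedRequest is what travels merchant -> processor: the request, the
// merchant's signature over it, and the card's signature over both.
type SignedRequest struct {
	Request     PaymentRequest
	MerchantSig []byte
	CardID      string
	CardSig     []byte
}

// encode gives a canonical byte form to sign; struct field order is fixed.
func encode(r PaymentRequest) []byte {
	b, _ := json.Marshal(r) // cannot fail for this plain struct
	return b
}

// MerchantSign is step one: the merchant commits to the amount and payee.
func MerchantSign(merchantPriv ed25519.PrivateKey, r PaymentRequest) []byte {
	return ed25519.Sign(merchantPriv, encode(r))
}

// CardSign is step two: the card signs the merchant's block and signature.
// The card's private key never leaves the card (PIN unlock omitted here).
func CardSign(cardPriv ed25519.PrivateKey, r PaymentRequest, merchantSig []byte) []byte {
	return ed25519.Sign(cardPriv, append(encode(r), merchantSig...))
}

// PaymentProcessor holds registered public keys and remembers completed
// transaction IDs so a captured request cannot be submitted twice.
type PaymentProcessor struct {
	MerchantKeys map[string]ed25519.PublicKey
	CardKeys     map[string]ed25519.PublicKey
	Completed    map[string]bool
}

// Settle verifies both signatures, then executes the transfer exactly once.
func (p *PaymentProcessor) Settle(s SignedRequest) error {
	mk, ok := p.MerchantKeys[s.Request.Merchant]
	if !ok {
		return errors.New("unknown merchant")
	}
	msg := encode(s.Request)
	if !ed25519.Verify(mk, msg, s.MerchantSig) {
		return errors.New("merchant signature invalid: request altered or forged")
	}
	ck, ok := p.CardKeys[s.CardID]
	if !ok {
		return errors.New("unknown card")
	}
	if !ed25519.Verify(ck, append(msg, s.MerchantSig...), s.CardSig) {
		return errors.New("card signature invalid: cardholder did not consent to this block")
	}
	if p.Completed == nil {
		p.Completed = map[string]bool{}
	}
	if p.Completed[s.Request.TxnID] {
		return errors.New("duplicate TxnID: already completed, replay refused")
	}
	p.Completed[s.Request.TxnID] = true
	return nil
}

func main() {
	mPub, mPriv, _ := ed25519.GenerateKey(nil)
	cPub, cPriv, _ := ed25519.GenerateKey(nil)
	proc := &PaymentProcessor{
		MerchantKeys: map[string]ed25519.PublicKey{"store-0421": mPub}, // constructed IDs
		CardKeys:     map[string]ed25519.PublicKey{"card-1": cPub},
	}
	req := PaymentRequest{TxnID: "txn-0001", Merchant: "store-0421", AmountCents: 1999, Currency: "USD"}
	ms := MerchantSign(mPriv, req)
	signed := SignedRequest{Request: req, MerchantSig: ms, CardID: "card-1", CardSig: CardSign(cPriv, req, ms)}
	fmt.Println("first submission:", proc.Settle(signed))
	fmt.Println("eavesdropper replays it:", proc.Settle(signed))
}
```

Two properties carry the argument: an eavesdropper holds nothing but public data and two signatures over one fixed TxnID, so the best they can do is resubmit the identical block, which the `Completed` check rejects; and the card's signature covers the merchant's amount, so changing the amount invalidates both signatures at once. Note that the replay protection only works if TxnIDs are unique per request and the processor's record of them is durable.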

Nathan Casper wrote on 01/08/14 8:45 AM

Interesting idea, Michael. There are companies currently working on PIN-pad-embedded cards, as well as biometric scanners built into cards. It will be interesting to see if either makes it successfully to market.

The challenge with creating completely new ways of doing payments is the time it takes for all of the point of sale and cash dispensing (ATM) systems to be updated to accept the new payment method. The attraction of the current payment system is that it's designed so that the payment instrument is acceptable at every merchant in the world.

Gary wrote on 02/18/14 2:32 PM

It seems to me that EMV would have helped prevent the Target Breach. Yes, even with EMV the fraudsters would have been able to get the card number, expiration date and other useful data. However, they would not be able to get the CVV and therefore, they would not be able to make counterfeit mag-stripe cards. Since EMV uses the iCVV which changes with each transaction, they wouldn't be able to make a fake EMV card either. Regarding Card Not Present situations, the fraudsters didn't get the CVV2 so they can't buy things online since most merchants check for this these days. That wouldn't change with EMV since the EMV data doesn't include the CVV2.

So, from what I can tell, with EMV the fraudsters could have gotten card numbers and expiration dates, but these wouldn't be much use. Without the CVV or CVV2, they would have difficulty doing counterfeit transactions.

Can you please let me know if my logic is incorrect on this?

Bob Lowe wrote on 02/18/14 4:46 PM

The issue is that from a PCI perspective losing the card number only is still a data breach. So if that information is sent in the clear, the risk for a merchant exists. It's true that in the criminal markets where card information is sold, a better price is realized when the full magnetic stripe image is available. But breached cards where only name on card, expiry and card number is available still sell.

After the introduction of EMV, the Europeans saw a shift from card-present to card-not-present fraud as there are plenty of Web sites that accept card transactions that still don’t require AVS or CVV as a validation.

So would EMV have prevented the Target breach? No! Would it have resulted in a lower level of resulting fraudulent card use? Yes. But even if a lower level of fraud took place, some fraud still would have occurred, and the forensic analysis would still have shown that 100 million cards were compromised, and the issuing banks would still have contacted the same number of card holders to tell them their cards had been compromised and needed to be replaced.

Steve Sommers wrote on 02/18/14 4:52 PM

Hi Gary,

You are correct in your statement about the iCVV, but you are making some invalid assumptions in your argument. As you mentioned, EMV only addresses card-present fraud related to card cloning, and like you mentioned it provides no protection to the PAN or expiration date. And with VISA championing non-PIN for the US merchants, the US implementation of EMV will not address lost or stolen cards - only card cloning.

EMV does not provide any additional protection to the static CVV2 value printed on the card. I mention this for two reasons. The first is the statement "most merchants check for this these days," while this statement may be technically correct, is not even close to 100% - probably closer to 50%. Try using your card on most any government site (DMVs, etc.) or subscription site and you'll find they don't ask for this information. On the other end, many card-present merchants ask for the CVV2 on transactions where the swipe fails and I don't see this changing for EMV - unless the merchants suddenly start turning away the customer based on damaged cards or readers.

EMV would not have prevented the Target breach. Assuming only the PAN and expiration data were stolen, no matter how valueless the data is, by today's breach standards the Target breach would still be considered a breach. The 70-120 million accounts stolen (depending on the report you read) would have still resulted in the same black eye, no matter how much Target screams "we only use EMV, the data stolen is useless!" While Visa apparently has no issue indemnifying merchants from PCI related fines if EMV is used, the remaining card brands are not as convinced that EMV is the silver bullet.

In writing this response, I now wonder if Target's "all in" enthusiasm for EMV might be related to Visa's indemnification promise -- this alone for this single breach might have paid for all the costs associated to Target's EMV conversion. I wonder if Visa knows what risk they are accepting with their EMV push? Hmmm.

Gary wrote on 02/19/14 1:41 PM

Bob and Steve, Thank you very much for your prompt responses. You both make some excellent points. I didn't realize that such a large percentage of online merchants don't check CVV2.

As you stated, EMV does nothing for Card Not Present. Therefore, in addition to mandating EMV, shouldn't Visa and Mastercard also mandate that all Card Not Present merchants use CVV2? If they did that, then the theft of EMV data such as with Target wouldn't be very useful. In that case the criminals wouldn't have the CVV or CVV2 and therefore they couldn't make a fake mag-stripe nor buy anything online. I think that would greatly limit the value of the card data, to the extent that they might not even commit the crime.

Does anyone know why CVV2 validation isn't required by the networks?

Nathan Casper wrote on 02/19/14 2:45 PM

Gary,

Many acquirers offer a slightly better rate to merchants that request CVV2 data, but that's as close as we've seen to any sort of standard.

What's unfortunate is that some merchants ask for the data (to qualify for the better discount rate) and then ignore the response that is returned to them. Why? Because to get the discount they only have to ask - they don't actually have to verify that the number entered matches the card.

Steve Sommers wrote on 02/19/14 3:35 PM

Worldwide acceptance of CVV2 is somewhat recent, probably less than 10 years. For a long time it was a US thing only -- much like EMV was a European thing only for many years. I'm kind of surprised that the card brands have not made it a required data element but in reality, its security benefit is limited because it suffers from the same shortcoming as the magnetic stripe -- static data, once compromised is forever cloneable and valuable to fraudsters.

One promising technology I have read about is an EMV card with an LCD dynamic CVV2 code -- similar to the two-factor security tokens. If the card brands were to do a combined front and address both card-present and card-not-present at the same time, then they would have my support. Without addressing both fronts, the net result will simply be the migration of fraud to card-not-present and breaches will still be profitable to fraudsters.
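Gary's point about the iCVV changing with each transaction and Steve's point that static data, once compromised, is forever cloneable both come down to one issuer-side check, shown here as an added Go example that is not from the post, the commenters or any real issuer: a static stripe CVV passes every time it is presented, while a per-transaction value bound to the card's transaction counter is rejected on replay and cannot be produced without the chip key. The card record, the chip key, the test PAN and the HMAC stand-in for the EMV cryptogram are constructed simplifications, not the real EMV algorithm.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// CardRecord is the issuer's view of one card. Constructed values; a real
// issuer derives the chip key from a master key held in an HSM.
type CardRecord struct {
	StaticCVV string // stripe CVV: identical on every swipe
	ChipKey   []byte // secret shared only by the chip and the issuer
	LastATC   uint16 // highest Application Transaction Counter accepted
}

// DynamicCryptogram is a simplified stand-in for the per-transaction value an
// EMV chip produces: a MAC over the ATC and the amount under the chip key.
func DynamicCryptogram(chipKey []byte, atc uint16, amountCents uint32) string {
	mac := hmac.New(sha256.New, chipKey)
	var buf [6]byte
	binary.BigEndian.PutUint16(buf[:2], atc)
	binary.BigEndian.PutUint32(buf[2:], amountCents)
	mac.Write(buf[:])
	return hex.EncodeToString(mac.Sum(nil)[:8])
}

type Issuer struct{ Cards map[string]*CardRecord }

// AuthorizeStripe checks the static CVV. Anyone who captured the stripe once
// passes this check indefinitely, which is why stripe dumps have value.
func (i *Issuer) AuthorizeStripe(pan, cvv string) error {
	c, ok := i.Cards[pan]
	if !ok {
		return errors.New("unknown card")
	}
	if !hmac.Equal([]byte(c.StaticCVV), []byte(cvv)) {
		return errors.New("CVV mismatch")
	}
	return nil
}

// AuthorizeChip checks the dynamic value: the ATC must move forward and the
// cryptogram must verify under the chip key, so a captured cryptogram fails
// on replay and a forger without the chip key cannot produce a valid one.
func (i *Issuer) AuthorizeChip(pan string, atc uint16, amountCents uint32, cryptogram string) error {
	c, ok := i.Cards[pan]
	if !ok {
		return errors.New("unknown card")
	}
	if atc <= c.LastATC {
		return errors.New("ATC not advancing: replayed cryptogram")
	}
	expected := DynamicCryptogram(c.ChipKey, atc, amountCents)
	if !hmac.Equal([]byte(expected), []byte(cryptogram)) {
		return errors.New("cryptogram mismatch: not produced by this chip")
	}
	c.LastATC = atc
	return nil
}

// NewSampleIssuer builds a constructed issuer with one test card.
func NewSampleIssuer() *Issuer {
	return &Issuer{Cards: map[string]*CardRecord{
		"4111111111111111": {StaticCVV: "123", ChipKey: []byte("constructed-chip-key-4111")},
	}}
}

func main() {
	iss := NewSampleIssuer()
	pan := "4111111111111111"
	fmt.Println("cloned stripe, swipe 1:", iss.AuthorizeStripe(pan, "123"))
	fmt.Println("cloned stripe, swipe 2:", iss.AuthorizeStripe(pan, "123"))
	crypt := DynamicCryptogram(iss.Cards[pan].ChipKey, 7, 2599)
	fmt.Println("genuine chip, ATC 7:", iss.AuthorizeChip(pan, 7, 2599, crypt))
	fmt.Println("captured cryptogram replayed:", iss.AuthorizeChip(pan, 7, 2599, crypt))
}
```

This is also why the thread's conclusion holds: the dynamic check protects the issuer against counterfeit card-present use, but nothing in it stops the PAN and expiry from being read off the same transaction, and the static CVV2 used online is outside its scope entirely.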