As is being widely reported, another massive data breach appears to be on our hands, with MasterCard and Visa suffering a serious processor breach. The alert sent out to banks across the country stated that the data taken could be used to counterfeit new credit cards. Exact details of how this breach occurred are still emerging, although speculation, of course, is running rampant.
However, the possible harm that could be done from this breach leads back to the conversation about EMV migration in the US. More importantly, it brings to light the additional levels of protection that EMV chip cards provide. US issuers should seriously consider accelerating their migration to EMV chip cards. If the US had an EMV infrastructure in place today, the compromised data most likely could not have been used to create counterfeit cards for use at POS, and other harm could possibly have been prevented as well.
Like most in the security industry, we will continue to monitor this serious breach, learn how it occurred and discuss what the security industry as a whole can do to prevent such breaches in the future. What is more than evident is that we need to look even deeper at EMV adoption now to help protect data and consumers.
The payments industry must move to a more secure infrastructure to devalue payment data for fraudsters. Various elements to improve the security include:
- EMV cards to replace magnetic stripe cards (combats the threat of counterfeit cards at POS)
- Use of the PIN as opposed to signature on both magnetic stripe and EMV cards (combats the threat of lost/stolen cards)
- Use of stronger authentication for CNP transactions:
  - 3 or 4 digit card verification code on reverse of card
  - 3D-Secure (VbV/SecureCode)
  - EMV authentication (CAP/DPA)
  - ‘Display cards’ with built-in one-time-password (OTP) capability or equivalent
- Move from static to dynamic authentication for both face-to-face and online (CNP) transactions (a strong strategy message in the Visa/MasterCard EMV initiative for the US)
- Point-to-point encryption (P2PE), including HSM usage at the acquirer, to provide a strong encrypted link between the card swipe/dip at the POS terminal (in the merchant store) and the secure decryption environment at the acquirer data center. This was a measure adopted by Heartland after its breach a couple of years ago.
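The static-versus-dynamic distinction in the list above is the reason stolen stripe data is so reusable: every swipe presents the same bytes, so a captured copy is indistinguishable from the genuine card, whereas a chip produces a fresh cryptogram per transaction that a counterfeit card cannot compute and an issuer will not accept twice. The following Python model is an added example, not code from the original post or from any card scheme or processor. It uses HMAC-SHA256 as a stand-in for the EMV application cryptogram (real EMV derives 3DES/AES session keys from an issuer master key per EMV Book 2), and the PAN, CVV1, card key and unpredictable-number values are constructed.

```python
import hashlib
import hmac
import os

# --- Static authentication: what a magnetic stripe carries -----------------
# The stripe holds the same data on every swipe: PAN, expiry, service code and
# CVV1.  Whoever captures one copy can replay it at any POS.
# (Constructed sample values; not a real card.)
STRIPE_RECORD = {"pan": "4111111111111111", "expiry": "2512", "cvv1": "123"}


def issuer_check_static(record, issuer_db):
    """Issuer compares the presented CVV1 with the value on file.  A stolen
    copy of the stripe passes exactly like the genuine card does."""
    on_file = issuer_db.get(record["pan"])
    return on_file is not None and hmac.compare_digest(on_file, record["cvv1"])


# --- Dynamic authentication: a per-transaction cryptogram --------------------
# Simplified stand-in for an EMV ARQC: HMAC-SHA256 over the transaction data,
# keyed with a per-card secret that never leaves the chip.  (Assumption: real
# EMV uses 3DES/AES session keys derived per transaction; the structure of the
# check, not the primitive, is what this models.)

class Chip:
    """Card side: holds the card key and an Application Transaction Counter."""

    def __init__(self, pan, card_key):
        self.pan = pan
        self._key = card_key
        self.atc = 0

    def generate_cryptogram(self, amount, unpredictable_number):
        """Counter increments on every use; the MAC binds PAN, ATC, amount and
        the terminal-supplied unpredictable number together."""
        self.atc += 1
        msg = f"{self.pan}|{self.atc}|{amount}|{unpredictable_number}".encode()
        mac = hmac.new(self._key, msg, hashlib.sha256).hexdigest()
        return {"pan": self.pan, "atc": self.atc, "amount": amount,
                "un": unpredictable_number, "cryptogram": mac}


class IssuerHost:
    """Issuer side: recomputes the cryptogram and enforces a strictly
    increasing ATC so a captured authorization request cannot be replayed."""

    def __init__(self, card_keys):
        self._keys = card_keys          # PAN -> card key (would live in the issuer HSM)
        self._last_atc = {}

    def authorize(self, req):
        key = self._keys.get(req["pan"])
        if key is None:
            return False
        msg = f"{req['pan']}|{req['atc']}|{req['amount']}|{req['un']}".encode()
        expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, req["cryptogram"]):
            return False                # forged, altered, or counterfeit card
        if req["atc"] <= self._last_atc.get(req["pan"], 0):
            return False                # replay of an earlier request
        self._last_atc[req["pan"]] = req["atc"]
        return True


def demo():
    """Returns (static_replay_accepted, dynamic_first_accepted,
    dynamic_replay_accepted, dynamic_tampered_accepted)."""
    # Static: a replay of the captured stripe record, byte for byte.
    issuer_db = {STRIPE_RECORD["pan"]: STRIPE_RECORD["cvv1"]}
    static_replay = issuer_check_static(dict(STRIPE_RECORD), issuer_db)

    # Dynamic: genuine transaction, then the same request again, then a
    # captured request with the amount altered.
    card_key = os.urandom(16)
    chip = Chip("4111111111111111", card_key)
    host = IssuerHost({"4111111111111111": card_key})
    req = chip.generate_cryptogram(amount=2500, unpredictable_number="7f3a9c01")
    first = host.authorize(req)
    replay = host.authorize(req)
    tampered = host.authorize({**req, "amount": 990000})
    return static_replay, first, replay, tampered


if __name__ == "__main__":
    print(demo())   # (True, True, False, False)
```

The issuer-side ATC check is what turns a processor breach from "reusable card data" into "a log of one-time values": even a complete capture of every field in the authorization request gives an attacker nothing the host will accept a second time, and without the card key there is no way to mint a request for a different amount or counter.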
These initiatives are consistent with the strategy of the PCI SSC, EMVCo and the individual card schemes (Visa, MasterCard, etc.).