No-one (at least no-one reading this blog) can have failed to have noticed the story that’s been running in US on the apparently industrial scale card-skimming that’s been going on there. It’s so bad that Citibank has blocked ATM withdrawals from some MasterCard accounts after a series of fraudulent cash withdrawals in the UK, Russia and Canada. Wells Fargo, similarly, blocked ATM withdrawals in the UK. Gartner say that this is the “largest PIN theft to date”. While it’s difficult to determine exactly what has gone wrong, the general opinion seems to be that it is not bank systems but third-party systems (a processor or a retailer) that have been compromised (yet again), enabling criminals to manufacture counterfeit cards on an large scale and then distribute them for use at ATMs.
Technorati Tags: credit cards, debit cards
This kind of thing is only possible because the cards are stripe cards: if a criminal gets hold of the card details and the PIN, they can make a fake card. In the UK, where the change to chip and PIN has been remarkably smooth, card fraud due to skimming fell by a quarter last year, because even if a criminal gets the card details and PIN they can’t make a counterfeit chip card (because the chips are much, much harder to counterfeit than the magnetic stripes are). So we can all feel rather smug.
So shouldn’t something be done about this? Well, the card schemes have actually been trying to deal with this for some time. Back in 2001, Visa and MasterCard created the Payment Card Industry Data Security Standard (generally referred to as PCI), which defines how card and cardholder data should be managed and processed to keep it secure. At the end of 2004, PCI was adopted by all of the major schemes (ie, Visa, MasterCard, Discover, American Express, Diners and JCB) as a common set of data security requirements for the industry. Here’s the MasterCard version.
I haven’t committed the entire standard to memory, but I’m pretty sure it says that retailers shouldn’t be storing PIN numbers, for example. Why is there a problem then? Payments News points to a Wall St. Journal article that says that only 17% of 231 large US merchants have actually complied with PCI. It’s a similar picture here in the UK where, as Penny points out, retailers are facing bills that could run into millions in order to update their IT systems to implement PCI. This money will need to be found from already stretched IT budgets. But are the costs and complexities of PCI compliance exaggerated?
A couple of months ago we worked on a PCI pre-audit and testing project for a very large European e-retailer. I asked our lead consultant on this, Tony Pickup, how hard it had been for the retailer in question to comply with PCI and he told me that it wasn’t especially difficult since the retailer had well-designed and well-implemented systems that already incorporated the best practice you would expect. So PCI shouldn’t be scary and it’s well within the capability of retailers to comply: but it’s not a magic bullet, as the well-known CardSystem case showed (as they testified to Congress, they were certified PCI compliant).
As an aside, I’d be curious whether people think the scale of the current problem will shift the business case for the introduction of EMV in the US? Not at POS, because there is just not enough fraud to warrant it, but at ATMs and for online transactions where the pressure for two-factor authentication is growing. Even Bill Gates says that industry needs to move to smart cards to secure online transactions.
The PCI process is not a catch all test of retailers systems. It is an audit and limited test process to highlight the security issues that may need to be addressed by retailers and their systems providers.
If the retailer or their systems provider hides key details from the PCI audit then the 3rd party testing can not be expected to find every breach in security that could be exploited.
I am unsure if this shifts the business case for EMV in general but it may strengthen the case for Dynamic Authentication methods for Internet transactions. based on EMV in the US. Again, EMV based Dynamic Authentication will not solve all Internet transaction issues but may well help to protect customers, retailers and the banks.
As with EMV, there are still quite a lot of retailers who can’t see why this is their problem and why they should have to fork out money to deal with it. At European Card Review, we looked at this issue a few months ago and found very little evidence that UK retailers were doing much about PCI. As a result the original associations’ deadline for implementation of end June 05 slipped to end December 05 and now, according to Visa at least when we last spoke to them, doesn’t exist and quite possibly never existed at all.
It’s a bit like what happened in Malaysia a couple years ago with their debit card fraud. Apparently there were security breaches which sound similar, as well as things like pin hole cameras placed above ATM’s, and other innovative ways to obtain the debit card details and PIN. They solved the problem by moving to chip and making it impossible to create fake cards. The US banking industry will probably spend a great deal of effort and energy trying to kill all the various sources of the problem, but since there are so many of those, they will finally have to move to chip. Even at the POS. We’ve seen recent articles on Las Vegas hookers caught with mag stripe hotel keys loaded with credit card information, turning simple hotel keys into cards used to pay at POS terminals run by merchants who let the customer swipe the card, which has become a common practice over the last few years.