No-one (at least no-one reading this blog) can have failed to notice the story that’s been running in the US on the apparently industrial-scale card skimming that’s been going on there. It’s so bad that Citibank has blocked ATM withdrawals from some MasterCard accounts after a series of fraudulent cash withdrawals in the UK, Russia and Canada. Wells Fargo, similarly, blocked ATM withdrawals in the UK. Gartner say that this is the “largest PIN theft to date”. While it’s difficult to determine exactly what has gone wrong, the general opinion seems to be that it is not bank systems but third-party systems (a processor or a retailer) that have been compromised (yet again), enabling criminals to manufacture counterfeit cards on a large scale and then distribute them for use at ATMs.
This kind of thing is only possible because the cards are stripe cards: the magnetic stripe holds nothing but static data, so if a criminal gets hold of the card details and the PIN, they can make a fake card. In the UK, where the change to chip and PIN has been remarkably smooth, card fraud due to skimming fell by a quarter last year, because even if a criminal gets the card details and PIN they can’t make a counterfeit chip card (the chips are much, much harder to counterfeit than the magnetic stripes are). So we can all feel rather smug.
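To make the stripe-versus-chip point concrete, here is a toy model written for this post (it is not the EMV protocol and not code from any card scheme): a stripe presents the same static track every time, so a recorded copy is accepted just like the original, whereas a chip holds a per-card key that never leaves it and answers a fresh challenge from the terminal with a MAC, so a recorded answer is useless at the next terminal. The key, track value and challenges are all constructed for the demo.

```python
import hmac
import hashlib

# Constructed values for the demo: a per-card key (in real life personalised by
# the issuer and never readable from the chip) and a track-2-style static string.
CARD_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
TRACK2 = "4111111111111111=25121011000012345678"


def stripe_read(track2: str) -> str:
    """A stripe reader (or a skimmer) gets the whole credential as static data."""
    return track2


def issuer_verify_stripe(presented: str, on_file: str) -> bool:
    """Static data: the issuer can only check that the track matches the one on file."""
    return presented == on_file


def chip_respond(key: bytes, challenge: bytes, amount_cents: int) -> bytes:
    """The chip MACs the terminal's challenge plus the amount with its secret key."""
    msg = challenge + amount_cents.to_bytes(8, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()


def issuer_verify_chip(key: bytes, challenge: bytes, amount_cents: int, response: bytes) -> bool:
    """The issuer holds a copy of the card key and recomputes the expected MAC."""
    expected = chip_respond(key, challenge, amount_cents)
    return hmac.compare_digest(expected, response)


def stripe_clone_accepted() -> bool:
    """A copied stripe is indistinguishable from the original: returns True."""
    skimmed = stripe_read(TRACK2)        # what a skimmer recorded earlier
    return issuer_verify_stripe(skimmed, TRACK2)


def chip_replay_accepted() -> bool:
    """A recorded chip response fails against a fresh challenge: returns False."""
    first_challenge = bytes.fromhex("0102030405060708")   # constructed
    recorded = chip_respond(CARD_KEY, first_challenge, 2000)
    later_challenge = bytes.fromhex("a1b2c3d4e5f60718")   # constructed, different
    return issuer_verify_chip(CARD_KEY, later_challenge, 2000, recorded)


def chip_genuine_accepted() -> bool:
    """The genuine chip answering the live challenge is accepted: returns True."""
    challenge = bytes.fromhex("a1b2c3d4e5f60718")
    return issuer_verify_chip(CARD_KEY, challenge, 2000,
                              chip_respond(CARD_KEY, challenge, 2000))


if __name__ == "__main__":
    print("stripe clone accepted:", stripe_clone_accepted())
    print("chip replay accepted:", chip_replay_accepted())
    print("genuine chip accepted:", chip_genuine_accepted())
```

The point of the model is where the secret lives: on the stripe it is the data itself, so every reader (honest or not) obtains it; on the chip it is a key that only ever produces challenge-specific outputs, so nothing a reader observes lets it stand in for the card later.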
So shouldn’t something be done about this? Well, the card schemes have actually been trying to deal with this for some time. Back in 2001, Visa and MasterCard created the Payment Card Industry Data Security Standard (generally referred to as PCI), which defines how card and cardholder data should be managed and processed to keep it secure. At the end of 2004, PCI was adopted by all of the major schemes (i.e., Visa, MasterCard, Discover, American Express, Diners and JCB) as a common set of data security requirements for the industry. Here’s the MasterCard version.
I haven’t committed the entire standard to memory, but I’m pretty sure it says that retailers shouldn’t be storing PINs, for example. Why is there a problem then? Payments News points to a Wall St. Journal article that says that only 17% of 231 large US merchants have actually complied with PCI. It’s a similar picture here in the UK where, as Penny points out, retailers are facing bills that could run into millions in order to update their IT systems to implement PCI. This money will need to be found from already stretched IT budgets. But are the costs and complexities of PCI compliance exaggerated?
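One of the first practical PCI tasks a retailer faces is finding out where card data is actually being stored, because full PANs and track data have a habit of turning up in application logs. The scanner below is an added example written for this post, not part of PCI or of any vendor tool: it looks for 13- to 19-digit runs that pass the Luhn check (so order numbers and timestamps are not flagged) and for track-2-style `PAN=YYMM…` strings, which should never be retained after authorisation. The log lines are constructed, using the well-known test card numbers rather than real ones.

```python
import re

# A run of 13-19 digits not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")
# Track-2-style data: PAN, '=' separator, then expiry YYMM and service/discretionary data.
TRACK2_RE = re.compile(r"(?<!\d)(\d{13,19})=(\d{4})\d*")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used by card schemes."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """All Luhn-valid 13-19 digit runs in the text (candidate PANs)."""
    return [m.group(1) for m in PAN_RE.finditer(text) if luhn_ok(m.group(1))]


def classify_line(line: str):
    """'track2' if the line carries track data, 'pan' if a bare PAN, else None."""
    t2 = TRACK2_RE.search(line)
    if t2 and luhn_ok(t2.group(1)):
        return "track2"
    if find_pans(line):
        return "pan"
    return None


def scan(lines: list) -> list:
    """Return (line index, finding) pairs for every line holding cardholder data."""
    hits = []
    for idx, line in enumerate(lines):
        label = classify_line(line)
        if label:
            hits.append((idx, label))
    return hits


def mask_pan(pan: str) -> str:
    """The form PCI permits for display: first six and last four digits only."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


# Constructed sample log lines (test card numbers, not real accounts).
SAMPLE_LOG = [
    "2006-03-13 10:01:02 auth ok pan=4111111111111111 amount=20.00",  # full PAN stored
    "2006-03-13 10:01:05 auth ok pan=411111******1111 amount=20.00",  # masked: fine
    "2006-03-13 10:02:10 raw=4111111111111111=25121011000012345678",  # track-2 data
    "2006-03-13 10:03:00 order=1234567890123456 status=shipped",      # non-Luhn: fine
    "2006-03-13 10:04:00 auth ok pan=378282246310005 amount=99.00",   # 15-digit PAN
]

if __name__ == "__main__":
    for idx, label in scan(SAMPLE_LOG):
        print(f"line {idx}: {label}: {SAMPLE_LOG[idx]}")
```

Running it over `SAMPLE_LOG` flags lines 0, 2 and 4 and leaves the masked PAN and the order number alone. In practice the scan is pointed at log directories, database dumps and backups, and the remediation is to mask at the point of logging (as `mask_pan` does) rather than to clean up afterwards.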
A couple of months ago we worked on a PCI pre-audit and testing project for a very large European e-retailer. I asked our lead consultant on this, Tony Pickup, how hard it had been for the retailer in question to comply with PCI, and he told me that it wasn’t especially difficult, since the retailer had well-designed and well-implemented systems that already incorporated the best practice you would expect. So PCI shouldn’t be scary and it’s well within the capability of retailers to comply: but it’s not a magic bullet, as the well-known CardSystem case showed (as they testified to Congress, they were certified PCI compliant).
As an aside, I’d be curious whether people think the scale of the current problem will shift the business case for the introduction of EMV in the US. Not at POS, because there is just not enough fraud to warrant it, but at ATMs and for online transactions, where the pressure for two-factor authentication is growing. Even Bill Gates says that the industry needs to move to smart cards to secure online transactions.