Chip & PIN Needs PCI
Interview with Jeremy King, European Director of the PCI CouncilDuring the PCI Security Standards Council's North American Community Meeting in Orlando, Fla., the council discussed a number of emerging technologies, including EMV -- the payments card standard that has become the norm throughout most of Europe. U.S. merchants and financial institutions may soon follow suit, as security vulnerabilities related to the magnetic stripe increasingly expose cardholders to skimming attacks.
But EMV alone is not enough, says Jeremy King, the PCI Council's European director. Layered security and compliance with the PCI Data Security Standard must be part of any EMV rollout, King says.
"EMV was created to try and authenticate the cardholder, and therefore the security is around the authentication, rather than the actual transaction," King says. "So when the transaction is on the way, certain aspects off that transaction data will still be sent out in the clear, to enable the transaction to be correctly routed through the system. Now, when you look at those data items, you can find that they can include the cardholder's name, the primary account number, and the expiry dates." That open or "in-the-clear" data gives fraudsters the ability to create cloned magnetic-stripe cards, King says, and that's the EMV weakness.
But EMV has helped to curb incidents of card fraud, such as those related to pay-at-the-pump skimming attacks; and the council, in version 3 of the PIN Transaction Security requirements, released in May, addresses security at unattended payment terminals, including pay-at-the-pump.
"We've realized that there has been an issue related to a wide range of unattended payment terminals, of which the fuel pump is one," King says. "The council reacted to this by actually creating and releasing what was at the time the Unattended Payment Terminal set of requirements, which looked at how to improve the security of this type of terminal. As we've moved into version 3 and created the PTS standard, a whole section about unattended terminals is being incorporated into the document."
Pay-at-the-pump terminals, King says, are designed to provide fuel, with payment being an added feature. The council is responding by providing recommendations on how to upgrade existing pay-at-the-pump terminals to make them more secure. "If you do not want to change your whole fuel pump, then there are now going to be solutions that will enable you to make the payment aspect more secure and up to the standard of PCI PTS."
EMV alone is not enough, Jeremy King, the PCI Council's European director, says in an interview with the Information Security Media Group (transcript below). Layered security and compliance with the PCI-DSS must be part of any EMV rollout, King says.
King is the European regional director for the PCI Security Standards Council, leading the SSC's efforts to increase adoption and awareness of PCI security standards in Europe. King's responsibilities include gathering feedback from the merchant and vendor community, coordinating research and analysis of PCI SCC managed standards in European markets, and driving educational efforts and council membership through involvement in local and regional events. He also serves as a resource for approved scanning vendors and qualified security assessors. Before joining the council, King was the vice president of the Payment System Integrity Group at MasterCard Worldwide, where he played an integral role in developing payment terminal and chip-card security programs. He also spent more than 14 years working in the United Kingdom semiconductor industry and has a strong background in emerging technologies, including contactless cards, encryption and mobile payments.
PCI-DSS and EMV
TRACY KITTEN: The PCI Security Standards Council is reviewing a number of new technologies. One of which is EMV, commonly known as chip and PIN or chip and signature. But the PCI Council said during its Community Meeting in Orlando, Fla., that EMV alone is not enough. The payments industry must continue to embrace a layered security approach, one that incorporates the PCI-DSS.JEREMY KING : EMV was created to try and authenticate the cardholder, and therefore the security is around the authentication, rather than the actual transaction data. So when the transaction is on the way, certain aspects off that transaction data will still be sent out in the clear, to enable the transaction to be correctly routed through the system. Now, when you look at those data items, you can find that they can include the cardholder's name, the primary account number, and the expiry dates. A correctly implemented EMV solution will not allow a criminal to take the data and create a magnetic stripe cloned card; but there are other alternatives that they can use this information for. There is sufficient data there that would enable them to use it in a cardholder-not-present transaction. Therefore, this type of fraud is increasing, whereas the face-to-face fraud, which EMV is very good at giving protection for, is on the decrease.
PCI and Pay-At-The-Pump Skimming
KITTEN: We've talked quite a bit about PTS and I asked you about "pay at the pump" vulnerabilities and what the council could do or what the PCI-DSS could do to improve physical security at "pay at the pump" terminals. This is actually something the council has already released some guidance on. Could you give some ideas about how "pay at the pump" terminals fall into that fold, and how it would help to cut down on some of the skimming incidents that we've been seeing?KING : We've realized that there has been an issue related to a wide range of unattended payment terminals, of which a few fuel pump is one. The council reacted to this by actually creating and releasing what was at the time, the Unattended Payment Terminal set of requirements, which looked at how to improve the security of this type of terminal. As we've moved into version 3 and created the PTS standard, a whole section about unattended terminals is being incorporated into the document, the PTS document. As we go forward, there are specific requirements designed for this type of terminal.
Another important aspect of the PTS standard that is coming into play here is that the cost of changing fuel pumps is quite significant, and the fuel pumps themselves are really designed to provide fuel, with payment being an added feature. So one of the options that was introduced with PTS version 3 is this option called an OEM (original equipment manufacturer) pad. This is basically a payment unit that is enclosed in a secure box, which is designed to be retrofitted into existing fuel pumps. If you do not want to change your whole fuel pump, then there are now going to be solutions that will enable you to make the payment aspect more secure and up to the standard of PCI PTS.
You can have new pumps developed with the security as the bedrock, or there are options to retrofit OEM pads into existing pumps to try to and improve the security and reduce the amount of fraud that is happening at the fuel pumps.
PCI and Varying Global Payments Flavors
KITTEN: You noted regional differences, so we can't look at pay-at-the-pump across the board, from a global perspective. You mentioned Canada. Could you give us a little clarification about the differences between Canada and the U.S.?KING : Yes, that is correct. In Canada, the Interac payment authority has introduced specific requirements for securing transactions at pay-at-the-pump, generally based upon similar rules and requirements that we've put into place with the unattended payment terminals. The rules are really giving better protection during the transaction process. In Europe, with the rollout and the maturity of EMV, we've moved to sort of a smart card chip-payment solution at the pump. These chip and PIN solutions are PCI compliant. So, again, the payment side in that region is significantly more secure. So it varies from region to region regarding good levels of security.