What EMV is and what it means for credit card fraud

August 13, 2015 | Larry Moore

EMV is an acronym for Europay MasterCard Visa. It is a global payment system that will replace the magnetic stripe (“mag-stripe”) on the back of all debit and credit cards with an embedded microprocessor that will be more difficult to counterfeit and from which, in most cases, it will be very difficult to extract sensitive payment card information. The mag-stripe affixed to current credit cards contains the Payment Account Number (PAN) and other sensitive information and is easily read with simple technology.

The purpose of EMV is to fight back against the rising cost of fraud. EMV is implemented in most of the developed nations around the globe and is scheduled to be implemented in the U.S. on October 1, 2015. The EMV processor contains an operating system, applications and data, which enable POS systems to read the information required to process financial transactions.

How EMV without controlling POS malware isn't going to solve the problem

EMV primarily impacts credit cards, but merchants will have to purchase EMV chip-supported card readers and modify terminals to accept the new standard. Despite these new measures, merchants will still need to remain diligent about their checkout systems, for reasons including:

  1. EMV is a compatibility standard, not a security standard, so it supports both secure and nonsecure authentication and transactions. It is possible, under certain circumstances, for an infected POS to read sensitive cardholder information from some types of EMV chips without the customer’s knowledge or authorization.
  2. EMV supports authentication by way of Personal Identification Numbers (PINs), usually 4-digit numbers that a customer enters during a transaction. The PIN is identical to the 4-digit password that a bank customer enters when withdrawing money from an ATM. EMV supports secure PIN authentication in most cases, but even so, EMV cannot protect the customer if the PIN pad is infected with malware, because the PIN must be unencrypted when the customer enters it.
  3. EMV supports, but does not mandate, encrypted transfer of transaction data between the merchant and the payment service (e.g. Visa, MasterCard, etc.). In most cases the merchant is responsible for securing the transaction. In that case the PAN and other sensitive data would be transferred to the POS unencrypted, which may give any installed malware a brief window of opportunity to access all of the necessary cardholder data. Tokenization will not protect against this form of attack, because the payment service must receive a valid PAN in order to assign an associated token to return to the merchant. Tokens protect merchants from breaches involving stored PANs after the transaction.
  4. The EMV processor, like any other computer processor, operating system or software, cannot be guaranteed to be free of zero-day vulnerabilities. Errors will always exist in computer resources, and while EMV processors are rigorously tested for vulnerabilities, it is impossible to test against all scenarios. An attacker may discover a zero-day vulnerability in the EMV processor and may be able to exploit it through an infected POS terminal. Proper security requires a layered approach, meaning that if an attacker manages to penetrate one security layer, the next layer would thwart the attacker’s chances of accessing critical data. Relying on one standard to guard against an attack is strongly discouraged.

There is precedent for attackers discovering flaws that were not previously known to exist and exploiting those weaknesses for gain; the Heartbleed vulnerability is one common example.
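The following Python example is added here and is not the author's code. It illustrates item 3 above from the merchant's side: the message the POS sends for tokenization still carries the cleartext PAN, while the record kept afterwards carries only the token, which a Luhn-validated scan of both confirms. `PaymentService`, `checkout`, the message formats and the card number (a widely published test number) are constructed for illustration.

```python
import re
import secrets
import string

# Candidate PANs: 13-19 digits, optionally separated by spaces or hyphens.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits):
    """Luhn checksum carried by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_cleartext_pans(text):
    """Return Luhn-valid PANs found in text, masked to first 6 / last 4 digits."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(digits[:6] + "*" * (len(digits) - 10) + digits[-4:])
    return hits

class PaymentService:
    """Hypothetical stand-in for the payment service's token vault."""
    def __init__(self):
        self._vault = {}

    def tokenize(self, pan):
        # The service needs the real PAN before it can hand back a token.
        token = "tok_" + "".join(secrets.choice(string.ascii_lowercase) for _ in range(16))
        self._vault[token] = pan
        return token

def checkout(pan, amount, service):
    """Return (request as it exists on the POS, record the merchant stores)."""
    request = f"AUTH pan={pan} amount={amount}"      # constructed message format
    token = service.tokenize(pan)
    stored = f"SALE token={token} amount={amount}"   # what remains after the sale
    return request, stored

if __name__ == "__main__":
    req, rec = checkout("4111111111111111", "25.00", PaymentService())
    for label, text in (("in-flight request", req), ("stored record", rec)):
        print(label, "->", find_cleartext_pans(text) or "no cleartext PAN")
```

The same `find_cleartext_pans` check can be run over POS logs and stored transaction files to confirm that only tokens, not PANs, are retained after the sale.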

Conclusion

Despite the security improvements EMV offers over mag-stripe, merchants will still need to maintain a proactive security posture for their checkout systems. Attackers are always looking to exploit the “weak link in the chain,” and any financial transaction process contains inherent risks. History has shown that the work needed to maintain a strong defensive posture consumes far less cost, time and labor than suffering and recovering from a massive data breach.

The desire for illicit financial gain will always exist and intelligent criminals tend to quickly adapt their techniques to stay ahead of innovation.

One thing is certain: EMV is being touted as a strong security standard, so if criminals manage to bypass this new standard to steal money and/or data from a merchant, then aside from the actual loss, that merchant will have the unfortunate distinction of being the “first to be breached under EMV.” Don’t be that merchant.

About the Author: Larry Moore, guest blogger

Larry Moore has over eighteen years of Information Security experience as part of his thirty-year IT career. Larry has worked in diverse areas of Information Security including architecture, secure software development, penetration testing, server administration, project management and executive management. Larry has served at the State of Texas in their critical infrastructure protection and in the technical and financial sector. Larry graduated from the Florida Institute of Technology with a degree in Computer Science and began his work on various projects for NASA. His post-NASA work included applications, device drivers and kernel extensions on various operating systems such as OS/2, Windows and Unix variants. His work on the AIX security kernel included audit, single sign-on, PKI and a behavioral-based intrusion detection tool, which was a precursor to his migration to the information security field. Larry recently served as the lead Solution Security Officer for Gemalto’s North American region, where he ensured the proper delivery of security requirements for the company’s trusted platforms and mobile payment solutions for large and small customers. Larry has also audited, designed or modified the security programs for three of the company’s large data centers across the globe to enable customer mobile payment processing. Larry serves on the board at the Computer Science department at Parker University in Dallas and the Austin chapter of the International Systems and Security Association. Larry is also Vice-President and IT Sector Chief for the Austin chapter of Infragard and has given numerous presentations and written numerous articles on security architecture, threat intelligence and software development.
