Chip and Pin vs. Magnetic Stripes for Credit Cards
CRYPTOGRAPHY IN THE ENTERPRISE
CHIP AND PIN 05/04/2016
C. Guliford, CIS 6323, May 4th, 2016

Chip & Pin Payment Security


What is EMV?

EMV -- which stands for Europay, MasterCard and Visa -- is a global standard for cards equipped with computer chips and the technology used to authenticate chip-card transactions. In the wake of numerous large-scale data breaches and increasing rates of counterfeit card fraud, U.S. card issuers are migrating to this new technology to protect consumers and reduce the costs of fraud.


What is Chip and Pin?

Payment cards that comply with the EMV standard are often called chip-and-PIN or chip-and-signature cards, depending on the exact authentication methods required to use them.


What are Magnetic Stripe Cards?

- Card capable of storing data on a magnetic stripe
- The first modern charge card was issued by in 1950
- Can be more easily copied
- Magstripe can be damaged over time

Magnetic cards can be easily used by everyone, whereas the new smart chip readers have a slight learning curve for merchants and customers.


Disadvantages of Magnetic Stripe Cards

- Magnetic stripes are easily cloned
- Terminals perform little or no risk assessment
- The authentication data is static
- Host cannot recognize cloned cards

If someone copies a magnetic stripe, they can easily replicate that data over and over again because it doesn't change.
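A simplified model of the point above, added here as an illustration and not taken from the original slides: an issuer host that only compares static stripe data accepts a copy every time, while a host that verifies a per-transaction cryptogram rejects reuse. The HMAC-SHA256 cryptogram, the counter check, and all names and values are assumptions standing in for the EMV scheme, which the slides do not detail.

```python
import hashlib
import hmac

# Constructed sample values; not real card data.
STATIC_TRACK = "TRACK-DATA-CONSTRUCTED-0001"
CARD_KEY = b"constructed-per-card-secret"  # assumed shared by chip and issuer


class MagstripeHost:
    """Issuer host that only compares the static stripe data."""
    def __init__(self, track):
        self.track = track

    def authorize(self, presented_track):
        return hmac.compare_digest(presented_track, self.track)


def chip_cryptogram(key, counter, amount_cents):
    """Stand-in per-transaction cryptogram (HMAC-SHA256, not the EMV algorithm)."""
    msg = f"{counter}|{amount_cents}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class ChipHost:
    """Issuer host that checks a keyed cryptogram and an increasing counter."""
    def __init__(self, key):
        self.key = key
        self.last_counter = 0

    def authorize(self, counter, amount_cents, cryptogram):
        expected = chip_cryptogram(self.key, counter, amount_cents)
        if not hmac.compare_digest(expected, cryptogram):
            return "declined: bad cryptogram"
        if counter <= self.last_counter:
            return "declined: replayed counter"
        self.last_counter = counter
        return "approved"


def demo():
    mag, chip = MagstripeHost(STATIC_TRACK), ChipHost(CARD_KEY)
    copied = STATIC_TRACK  # a copy of the stripe is identical to the original
    first = (1, 2500, chip_cryptogram(CARD_KEY, 1, 2500))
    return {
        "magstripe": [mag.authorize(STATIC_TRACK), mag.authorize(copied)],
        "chip_first": chip.authorize(*first),
        "chip_replay": chip.authorize(*first),           # same message presented again
        "chip_altered": chip.authorize(2, 9900, first[2]),  # old cryptogram, new amount
        "chip_next": chip.authorize(2, 1200, chip_cryptogram(CARD_KEY, 2, 1200)),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```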


Advantages of Chip and Pin

- Added peace of mind.
- Increased security against unauthorized use of your card.
- Increased security against counterfeiting and skimming.


The Pros… To the Banks

- Decreased liability for banks
- Reduced costs in authorization calls
- Security against counterfeit or ‘skimmed’ magnetic stripe cards
- Generally lower risks due to PIN verification
- Protection against organized crime


The Pros… To the Consumer

- Able to be present during card authorisation
- Improved customer experience at the point-of-sale
- Faster authorisation
- More peace of mind


The Pros… To the Merchant

- Possibility of reduced bank charges and charge-backs
- Insulates retailers from effects of fraud liability shift
- Increased sales conversion and improved efficiency due to authorization speed
- Less paperwork (receipts)


PCI DSS v3

- Payment Card Industry (PCI) Data Security Standard
- Developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally.
- Provides a baseline of technical and operational requirements designed to protect cardholder data.
- Requirement 11.3.4 of the new 3.0 version, effective July 2015, requires annual penetration tests to validate that the segmentation methods are “operational and effective.”


How does this all relate to PCI DSS v3 and cryptography in the enterprise?

Compliance is required on systems including those that actually handle card data, all the unrelated systems that connect to the same network, and the systems that can affect their security (authentication servers, firewalls, web redirection servers, etc.).

This has been clarified and made explicit in the scope section of 3.0 and may come as a shock to merchants that have only addressed compliance on the systems that directly handle card data.


Conclusion

There is a concern that ineffective segmentation can lead to a false sense of security and inaccurate scoping. The PCI compliance scope also involves any third party that handles card data on behalf of a merchant or could affect its security.


Thank You
