<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	
	>
<channel>
	<title>Comments on: Credit card (in)security issues</title>
	<atom:link href="http://www.epanorama.net/blog/2012/03/29/credit-card-insecurity-issues/feed/" rel="self" type="application/rss+xml" />
	<link>https://www.epanorama.net/blog/2012/03/29/credit-card-insecurity-issues/</link>
	<description>All about electronics and circuit design</description>
	<lastBuildDate>Sun, 19 Apr 2026 21:53:56 +0000</lastBuildDate>
		<sy:updatePeriod>hourly</sy:updatePeriod>
		<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.9.14</generator>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2012/03/29/credit-card-insecurity-issues/comment-page-5/#comment-1677105</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Sat, 02 May 2020 22:32:27 +0000</pubDate>
		<guid isPermaLink="false">http://www.epanorama.net/blog/?p=9795#comment-1677105</guid>
		<description><![CDATA[https://nfckill.com/products/nfc-kill]]></description>
		<content:encoded><![CDATA[<p><a href="https://nfckill.com/products/nfc-kill" rel="nofollow">https://nfckill.com/products/nfc-kill</a></p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2012/03/29/credit-card-insecurity-issues/comment-page-5/#comment-1627356</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Fri, 01 Mar 2019 19:05:00 +0000</pubDate>
		<guid isPermaLink="false">http://www.epanorama.net/blog/?p=9795#comment-1627356</guid>
		<description><![CDATA[Credit Card Chips Susceptible to Unwarranted NFC Communications
https://blog.hackster.io/credit-card-chips-susceptible-to-unwarranted-nfc-communications-b790402d20dc]]></description>
		<content:encoded><![CDATA[<p>Credit Card Chips Susceptible to Unwarranted NFC Communications<br />
<a href="https://blog.hackster.io/credit-card-chips-susceptible-to-unwarranted-nfc-communications-b790402d20dc" rel="nofollow">https://blog.hackster.io/credit-card-chips-susceptible-to-unwarranted-nfc-communications-b790402d20dc</a></p>
]]></content:encoded>
	</item>
	<item>
		<title>By: tisu magic power</title>
		<link>https://www.epanorama.net/blog/2012/03/29/credit-card-insecurity-issues/comment-page-5/#comment-1551498</link>
		<dc:creator><![CDATA[tisu magic power]]></dc:creator>
		<pubDate>Sat, 17 Jun 2017 10:13:31 +0000</pubDate>
		<guid isPermaLink="false">http://www.epanorama.net/blog/?p=9795#comment-1551498</guid>
		<description><![CDATA[Just want to say your article is as surprising. The clarity on your publish is simply great and 
that i can assume you&#039;re knowledgeable in this subject.
Fine with your permission let me to take hold of your RSS feed to keep updated with approaching post.
Thanks 1,000,000 and please carry on the gratifying work.]]></description>
		<content:encoded><![CDATA[<p>Just want to say your article is as surprising. The clarity on your publish is simply great and<br />
that i can assume you&#8217;re knowledgeable in this subject.<br />
Fine with your permission let me to take hold of your RSS feed to keep updated with approaching post.<br />
Thanks 1,000,000 and please carry on the gratifying work.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2012/03/29/credit-card-insecurity-issues/comment-page-5/#comment-1281880</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Thu, 06 Nov 2014 10:46:55 +0000</pubDate>
		<guid isPermaLink="false">http://www.epanorama.net/blog/?p=9795#comment-1281880</guid>
		<description><![CDATA[Chip &amp; PIN vs. Chip &amp; Signature
http://krebsonsecurity.com/2014/10/chip-pin-vs-chip-signature/

The Obama administration recently issued an executive order requiring that federal agencies migrate to more secure chip-and-PIN based credit cards for all federal employees that are issued payment cards. The move marks a departure from the far more prevalent “chip-and-signature” standard, an approach that has been overwhelmingly adopted by a majority of U.S. banks that are currently issuing chip-based cards. This post seeks to explore some of the possible reasons for the disparity.

Chip-based cards are designed to be far more expensive and difficult for thieves to counterfeit than regular credit cards that most U.S. consumers have in their wallets. Non-chip cards store cardholder data on a magnetic stripe, which can be trivially copied and re-encoded onto virtually anything else with a magnetic stripe.

Magnetic-stripe based cards are the primary target for hackers who have been breaking into retailers like Target and Home Depot and installing malicious software on the cash registers: The data is quite valuable to crooks because it can be sold to thieves who encode the information onto new plastic and go shopping at big box stores for stuff they can easily resell for cash (think high-dollar gift cards and electronics).

The United States is the last of the G20 nations to move to more secure chip-based cards. Other countries that have made this shift have done so by government fiat mandating the use of chip-and-PIN. Requiring a PIN at each transaction addresses both the card counterfeiting problem, as well as the use of lost or stolen cards.

Here in the States, however, the movement to chip-based cards has evolved overwhelmingly toward the chip-and-signature approach. Naturally, if your chip-and-signature card is lost or stolen and used fraudulently, there is little likelihood that a $9-per-hour checkout clerk is going to bat an eyelash at a thief who signs your name when using your stolen card to buy stuff at retailers. Nor will a signature card stop thieves from using a counterfeit card at automated payment terminals (think gas pumps).

But just how broadly adopted is chip-and-signature versus chip-and-PIN in the United States? According to an unscientific poll that’s been running for the past two years at the travel forum Flyertalk, only a handful of major U.S. banks issue chip-and-PIN cards; most have pushed chip-and-signature.]]></description>
		<content:encoded><![CDATA[<p>Chip &amp; PIN vs. Chip &amp; Signature<br />
<a href="http://krebsonsecurity.com/2014/10/chip-pin-vs-chip-signature/" rel="nofollow">http://krebsonsecurity.com/2014/10/chip-pin-vs-chip-signature/</a></p>
<p>The Obama administration recently issued an executive order requiring that federal agencies migrate to more secure chip-and-PIN based credit cards for all federal employees that are issued payment cards. The move marks a departure from the far more prevalent “chip-and-signature” standard, an approach that has been overwhelmingly adopted by a majority of U.S. banks that are currently issuing chip-based cards. This post seeks to explore some of the possible reasons for the disparity.</p>
<p>Chip-based cards are designed to be far more expensive and difficult for thieves to counterfeit than regular credit cards that most U.S. consumers have in their wallets. Non-chip cards store cardholder data on a magnetic stripe, which can be trivially copied and re-encoded onto virtually anything else with a magnetic stripe.</p>
<p>Magnetic-stripe based cards are the primary target for hackers who have been breaking into retailers like Target and Home Depot and installing malicious software on the cash registers: The data is quite valuable to crooks because it can be sold to thieves who encode the information onto new plastic and go shopping at big box stores for stuff they can easily resell for cash (think high-dollar gift cards and electronics).</p>
<p>The United States is the last of the G20 nations to move to more secure chip-based cards. Other countries that have made this shift have done so by government fiat mandating the use of chip-and-PIN. Requiring a PIN at each transaction addresses both the card counterfeiting problem, as well as the use of lost or stolen cards.</p>
<p>Here in the States, however, the movement to chip-based cards has evolved overwhelmingly toward the chip-and-signature approach. Naturally, if your chip-and-signature card is lost or stolen and used fraudulently, there is little likelihood that a $9-per-hour checkout clerk is going to bat an eyelash at a thief who signs your name when using your stolen card to buy stuff at retailers. Nor will a signature card stop thieves from using a counterfeit card at automated payment terminals (think gas pumps).</p>
<p>But just how broadly adopted is chip-and-signature versus chip-and-PIN in the United States? According to an unscientific poll that’s been running for the past two years at the travel forum Flyertalk, only a handful of major U.S. banks issue chip-and-PIN cards; most have pushed chip-and-signature.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2012/03/29/credit-card-insecurity-issues/comment-page-5/#comment-1273961</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Wed, 29 Oct 2014 10:04:58 +0000</pubDate>
		<guid isPermaLink="false">http://www.epanorama.net/blog/?p=9795#comment-1273961</guid>
		<description><![CDATA[Kili Unveils 1-Stop Fix for Chip-Card Mandate
POS terminals that read all forms of payment
http://www.eetimes.com/document.asp?doc_id=1324404

While US retailers struggle to keep up with the transition of mobile payment systems partly prompted by new technologies like NFC-based contactless mobile payment solutions (i.e. ApplePay in iPhone 6), they face an even bigger challenge, as US card issuers drag them into the new world of EMV-compliant (Europay, MasterCard, and Visa) chip cards.

Under a new mandate, Oct. 1, 2015 will mark a liability shift from banks to merchants. After that date, any fraudulent card transactions will be the responsibility of merchants who failed to hook up a new point-of-sales terminal that can read chip cards. But if a new terminal is in place, the merchant’s off the hook. Liability reverts back to the bank that failed to issue chip cards.

In short, the switch to EMV is pressuring merchants and financial institutions to add new in-store technology and internal processing systems compliant with new liability rules. Taking advantage of these profound changes in mobile payment is Kili Technology of San Carlos, Calif., a developer of secure, low-cost payment processing solutions. Kili is a spin-off of SecureKey, a Canada-based identity and authentication provider, which developed its core technology over the last five years.

While targeting the replacement market for legacy POS terminals, Kili is also eyeing the so-called “on-the-go” mobile payment solutions increasingly in demand among small retailers and individual business owners like plumbers. Mobile payment systems such as Square have been rapidly gaining popularity. However, they are currently capable of processing only magnetic stripe cards.

Massabki sees most of the company&#039;s chip competitors, such as NXP Semiconductors, STMicroelectronics, or Freescale, offering discrete solutions in the form of a family of devices such as NFC, smartcards, and security chips. In contrast, Kili takes pride in offering highly integrated mobile POS solution-on-a-chips such as K409B. Incorporated in the dual CPU core-based K409B are an NFC transceiver, a controller, a secure capacitive touch controller, an on-chip capacity touch analog front-end, memories, and analog power management.]]></description>
		<content:encoded><![CDATA[<p>Kili Unveils 1-Stop Fix for Chip-Card Mandate<br />
POS terminals that read all forms of payment<br />
<a href="http://www.eetimes.com/document.asp?doc_id=1324404" rel="nofollow">http://www.eetimes.com/document.asp?doc_id=1324404</a></p>
<p>While US retailers struggle to keep up with the transition of mobile payment systems partly prompted by new technologies like NFC-based contactless mobile payment solutions (i.e. ApplePay in iPhone 6), they face an even bigger challenge, as US card issuers drag them into the new world of EMV-compliant (Europay, MasterCard, and Visa) chip cards.</p>
<p>Under a new mandate, Oct. 1, 2015 will mark a liability shift from banks to merchants. After that date, any fraudulent card transactions will be the responsibility of merchants who failed to hook up a new point-of-sales terminal that can read chip cards. But if a new terminal is in place, the merchant’s off the hook. Liability reverts back to the bank that failed to issue chip cards.</p>
<p>In short, the switch to EMV is pressuring merchants and financial institutions to add new in-store technology and internal processing systems compliant with new liability rules. Taking advantage of these profound changes in mobile payment is Kili Technology of San Carlos, Calif., a developer of secure, low-cost payment processing solutions. Kili is a spin-off of SecureKey, a Canada-based identity and authentication provider, which developed its core technology over the last five years.</p>
<p>While targeting the replacement market for legacy POS terminals, Kili is also eyeing the so-called “on-the-go” mobile payment solutions increasingly in demand among small retailers and individual business owners like plumbers. Mobile payment systems such as Square have been rapidly gaining popularity. However, they are currently capable of processing only magnetic stripe cards.</p>
<p>Massabki sees most of the company&#8217;s chip competitors, such as NXP Semiconductors, STMicroelectronics, or Freescale, offering discrete solutions in the form of a family of devices such as NFC, smartcards, and security chips. In contrast, Kili takes pride in offering highly integrated mobile POS solution-on-a-chips such as K409B. Incorporated in the dual CPU core-based K409B are an NFC transceiver, a controller, a secure capacitive touch controller, an on-chip capacity touch analog front-end, memories, and analog power management.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Judson</title>
		<link>https://www.epanorama.net/blog/2012/03/29/credit-card-insecurity-issues/comment-page-5/#comment-1249356</link>
		<dc:creator><![CDATA[Judson]]></dc:creator>
		<pubDate>Sun, 05 Oct 2014 00:18:01 +0000</pubDate>
		<guid isPermaLink="false">http://www.epanorama.net/blog/?p=9795#comment-1249356</guid>
		<description><![CDATA[Hello very cool web site!! Man .. Excellent .. Superb ..
I will bookmark your blog and take the feeds additionally?

I&#039;m satisfied to search out a lot of useful info here within the submit, 
we want develop extra techniques in this regard, thank you for 
sharing. . . . . .]]></description>
		<content:encoded><![CDATA[<p>Hello very cool web site!! Man .. Excellent .. Superb ..<br />
I will bookmark your blog and take the feeds additionally?</p>
<p>I&#8217;m satisfied to search out a lot of useful info here within the submit,<br />
we want develop extra techniques in this regard, thank you for<br />
sharing. . . . . .</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2012/03/29/credit-card-insecurity-issues/comment-page-5/#comment-1245582</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Wed, 01 Oct 2014 08:52:41 +0000</pubDate>
		<guid isPermaLink="false">http://www.epanorama.net/blog/?p=9795#comment-1245582</guid>
		<description><![CDATA[How RAM Scrapers Work: The Sneaky Tools Behind the Latest Credit Card Hacks
http://www.wired.com/2014/09/ram-scrapers-how-they-work/

Attackers installed these RAM scrapers surreptitiously on the point-of-sale systems used to scan and process credit and debit card transactions at Albertson’s and Supervalu. The tools make it easy to steal card numbers by the millions as they pass through the system.

RAM scrapers—used recently in the Target and Home Depot breaches to net the hackers data on more than 100 million bank cards collectively—are not new. VISA issued a warning to retailers about their use in 2008. But they’ve become increasingly sophisticated and efficient at stealing massive caches of cards. 

They’ve also become more ubiquitous as developer kits for building them—from a starter stub that is easily customized from a menu of features—have pushed scrapers into the mainstream and made them accessible to a wider swath of hackers. Need something to exfiltrate data from your victim’s network to a server in Minsk? Check. Want a turnkey solution for managing your command-and-control server in Mumbai? The kits have got that covered, too.

RAM scrapers can be installed remotely on a Big-Box retailer’s network and deployed widely to dozens of stores in a franchise.]]></description>
		<content:encoded><![CDATA[<p>How RAM Scrapers Work: The Sneaky Tools Behind the Latest Credit Card Hacks<br />
<a href="http://www.wired.com/2014/09/ram-scrapers-how-they-work/" rel="nofollow">http://www.wired.com/2014/09/ram-scrapers-how-they-work/</a></p>
<p>Attackers installed these RAM scrapers surreptitiously on the point-of-sale systems used to scan and process credit and debit card transactions at Albertson’s and Supervalu. The tools make it easy to steal card numbers by the millions as they pass through the system.</p>
<p>RAM scrapers—used recently in the Target and Home Depot breaches to net the hackers data on more than 100 million bank cards collectively—are not new. VISA issued a warning to retailers about their use in 2008. But they’ve become increasingly sophisticated and efficient at stealing massive caches of cards. </p>
<p>They’ve also become more ubiquitous as developer kits for building them—from a starter stub that is easily customized from a menu of features—have pushed scrapers into the mainstream and made them accessible to a wider swath of hackers. Need something to exfiltrate data from your victim’s network to a server in Minsk? Check. Want a turnkey solution for managing your command-and-control server in Mumbai? The kits have got that covered, too.</p>
<p>RAM scrapers can be installed remotely on a Big-Box retailer’s network and deployed widely to dozens of stores in a franchise.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2012/03/29/credit-card-insecurity-issues/comment-page-5/#comment-1244255</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Tue, 30 Sep 2014 09:37:43 +0000</pubDate>
		<guid isPermaLink="false">http://www.epanorama.net/blog/?p=9795#comment-1244255</guid>
		<description><![CDATA[Payment security vastly improved when you DON&#039;T ENTER your BANK DETAILS
Entering randomly generated ‘tokens’ makes it safer – report
http://www.theregister.co.uk/2014/09/30/payments_security_vastly_improved_by_tokenisation_according_to_report/

Developments around &quot;tokenisation&quot; should help to “instil confidence in a payments environment challenged by more frequent data breaches” and fraud, according to a report released by the Federal Reserve Bank of Boston.

The June 2014 report from the US Federal Reserve&#039;s Mobile Payments Industry Workgroup (MPIW), which was released on 24 September (16-page/320KB PDF), defined tokenisation as the process of “randomly generating substitute value to replace sensitive information”.

The report said: “When used for financial transactions, tokens replace payment credentials, such as bank account and credit/debit card numbers. The ability to remove actual payment credentials from the transaction flow can improve the security of the payment and is a key benefit of tokenisation.”

However, the report said some “hurdles” remain before tokenisation receives broad adoption by industry, “particularly around standards and coordination of the different solutions”.

According to the report, “the key goal of tokenisation” is to protect the 13 to 19-digit primary account number (PAN) embossed on a plastic bank or credit card and encoded on the card’s magnetic strip. “The PAN identifies the card issuer in the first six digits, known as the bank identification number (BIN), as well as the individual cardholder account (generally the final four digits), and includes a check digit for authentication.”

Tokenisation “eliminates the need for merchants to store the full PAN on their network systems for exception processing or to resolve disputes”]]></description>
		<content:encoded><![CDATA[<p>Payment security vastly improved when you DON&#8217;T ENTER your BANK DETAILS<br />
Entering randomly generated ‘tokens’ makes it safer – report<br />
<a href="http://www.theregister.co.uk/2014/09/30/payments_security_vastly_improved_by_tokenisation_according_to_report/" rel="nofollow">http://www.theregister.co.uk/2014/09/30/payments_security_vastly_improved_by_tokenisation_according_to_report/</a></p>
<p>Developments around &#8220;tokenisation&#8221; should help to “instil confidence in a payments environment challenged by more frequent data breaches” and fraud, according to a report released by the Federal Reserve Bank of Boston.</p>
<p>The June 2014 report from the US Federal Reserve&#8217;s Mobile Payments Industry Workgroup (MPIW), which was released on 24 September (16-page/320KB PDF), defined tokenisation as the process of “randomly generating substitute value to replace sensitive information”.</p>
<p>The report said: “When used for financial transactions, tokens replace payment credentials, such as bank account and credit/debit card numbers. The ability to remove actual payment credentials from the transaction flow can improve the security of the payment and is a key benefit of tokenisation.”</p>
<p>However, the report said some “hurdles” remain before tokenisation receives broad adoption by industry, “particularly around standards and coordination of the different solutions”.</p>
<p>According to the report, “the key goal of tokenisation” is to protect the 13 to 19-digit primary account number (PAN) embossed on a plastic bank or credit card and encoded on the card’s magnetic strip. “The PAN identifies the card issuer in the first six digits, known as the bank identification number (BIN), as well as the individual cardholder account (generally the final four digits), and includes a check digit for authentication.”</p>
<p>Tokenisation “eliminates the need for merchants to store the full PAN on their network systems for exception processing or to resolve disputes”</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Danh bai</title>
		<link>https://www.epanorama.net/blog/2012/03/29/credit-card-insecurity-issues/comment-page-5/#comment-1238364</link>
		<dc:creator><![CDATA[Danh bai]]></dc:creator>
		<pubDate>Wed, 24 Sep 2014 04:27:16 +0000</pubDate>
		<guid isPermaLink="false">http://www.epanorama.net/blog/?p=9795#comment-1238364</guid>
		<description><![CDATA[Good day very cool website!! Man .. Beautiful .. Wonderful ..
I&#039;ll bookmark your web site and take the feeds also? I&#039;m happy to find so 
many helpful info right here within the publish, we&#039;d like work out extra techniques 
on this regard, thanks for sharing. . . . . .]]></description>
		<content:encoded><![CDATA[<p>Good day very cool website!! Man .. Beautiful .. Wonderful ..<br />
I&#8217;ll bookmark your web site and take the feeds also? I&#8217;m happy to find so<br />
many helpful info right here within the publish, we&#8217;d like work out extra techniques<br />
on this regard, thanks for sharing. . . . . .</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Akilah</title>
		<link>https://www.epanorama.net/blog/2012/03/29/credit-card-insecurity-issues/comment-page-5/#comment-1237069</link>
		<dc:creator><![CDATA[Akilah]]></dc:creator>
		<pubDate>Tue, 23 Sep 2014 00:59:26 +0000</pubDate>
		<guid isPermaLink="false">http://www.epanorama.net/blog/?p=9795#comment-1237069</guid>
		<description><![CDATA[This page truly has all the information and facts I 
wanted about this subject and didn&#039;t know who 
to ask.]]></description>
		<content:encoded><![CDATA[<p>This page truly has all the information and facts I<br />
wanted about this subject and didn&#8217;t know who<br />
to ask.</p>
]]></content:encoded>
	</item>
</channel>
</rss>
