Stealing Payment Card Data “Dead Easy;” “Quickchip” Comes to NorCal
Introduction To Payment Card Data Security
It’s a yin/yang, up-and-down week in payment and security news. Though to be sure, the downside hasn’t been “overly” down, in terms of major breaches or security hacks (though if you have a Yahoo account, you may want to consider changing the password — again).
The Sobering Side
The sobering side of the news comes from PC World magazine, reporting on a recent digital security conference in Las Vegas. The article reminds us that POS devices “are specialized computers. They typically run Windows and have peripherals like keyboards, touch screens, barcode scanners and card readers with PIN pads. They also have specialized payment applications installed to handle transactions.”
Unfortunately, in a demonstration at the same conference, on top of the types of compromises already afflicting such devices — particularly of the “malware” variety — two researchers showed “a stealthier and more effective attack technique that works against most ‘payment points of interaction,’ including card readers with PIN pads and even gas pump payment terminals.”
“The main issue shared by all of these devices,” the article continues, “is that they don’t use authentication and encryption when sending data back to the POS payment software. This exposes them to man-in-the-middle attacks through external devices that tap the network or serial connection or through ‘shim software’ running the POS system itself.”
Additionally, “attackers can also simply modify a DLL (dynamic-link library) file of the payment app to do the data interception inside the OS itself, if they get remote access to it.” The emphasis is ours, but it’s a reminder to constantly check your security and OS upgrades, who has access to your company’s devices, and whether your POS machines are connected to the web at large.
Meanwhile, the article suggests that “consumers should never, ever, re-enter their PINs on a PIN pad if prompted to do so. They should also read the messages displayed on the screen and be suspicious of those that ask for additional information.”
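To make the "no authentication" point concrete, here is an added example (ours, not from the PC World article or the researchers) of what authenticating reader-to-POS messages looks like: each frame carries a counter and an HMAC-SHA256 tag, so the POS software rejects frames that were modified or replayed on the wire. The frame layout, class names, demo key and sample payloads are all assumptions made for illustration.

```python
import hashlib
import hmac
import struct
# Authentication only: a passive tap can still read payloads, so encryption is needed as well.
TAG_LEN = 32                 # HMAC-SHA256 output size in bytes
DEMO_KEY = bytes(range(32))  # constructed demo key; assume real keys are provisioned per device

def frame_tag(key, header, payload):
    return hmac.new(key, header + payload, hashlib.sha256).digest()

class ReaderChannel:
    """Sender side: the card reader / PIN pad (hypothetical framing)."""
    def __init__(self, key):
        self.key, self.seq = key, 0

    def seal(self, payload):
        self.seq += 1                          # strictly increasing message counter
        header = struct.pack(">Q", self.seq)   # 8-byte big-endian sequence number
        return header + payload + frame_tag(self.key, header, payload)

class PosReceiver:
    """Receiver side: the POS payment software."""
    def __init__(self, key):
        self.key, self.last_seq = key, 0

    def verify(self, frame):
        if len(frame) < 8 + TAG_LEN:
            raise ValueError("frame too short")
        header, payload, tag = frame[:8], frame[8:-TAG_LEN], frame[-TAG_LEN:]
        if not hmac.compare_digest(tag, frame_tag(self.key, header, payload)):
            raise ValueError("bad tag: modified in transit or unknown sender")
        (seq,) = struct.unpack(">Q", header)
        if seq <= self.last_seq:
            raise ValueError("replayed or out-of-order frame")
        self.last_seq = seq                    # advance only after the tag checks out
        return payload

def demo():
    """Run one genuine, one replayed and one modified frame past the receiver."""
    reader, pos = ReaderChannel(DEMO_KEY), PosReceiver(DEMO_KEY)
    frame = reader.seal(b"CARD_EVENT:constructed-sample")
    results = {"genuine": pos.verify(frame)}
    tampered = reader.seal(b"AMOUNT:10.00").replace(b"10.00", b"99.00")
    for name, bad in (("replayed", frame), ("modified", tampered)):
        try:
            pos.verify(bad)
            results[name] = "accepted"
        except ValueError as exc:
            results[name] = str(exc)
    return results
```

Without a check like this, the POS software has no way to tell a genuine reader message from one altered by a device or shim sitting in between.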
EMV and the Slow Switch
The introduction of EMV chips on cards aimed to address this issue to some extent. However, the transition to the EMV standard has been sluggish, especially among merchants. They have concerns about the potential “slowing down” of the checkout process, even though stolen credentials could still lead to the unauthorized use of stolen card data.
However, now comes the news that the New Leaf grocery store chain in the S.F. Bay Area is becoming the first U.S. retailer to use Visa’s recently announced “QuickChip,” as well as the MasterCard version, M/Chip Fast.
QuickChip is a free upgrade for processors and acquirers, and the PaymentsSource website calls this “welcome news to an industry that has faced plenty of challenges with EMV implementation,” and quotes Thad Peterson, senior analyst with Boston’s Aite Group, as saying, “the latency of the transaction at the point of sale was raising a real concern about the value of the transaction in the minds of consumers and merchants. Because QuickChip converts an EMV transaction experience to one similar to swiping a mag-stripe card, everyone involved should find it more appealing,” adding, “from that perspective alone, it’s a major enhancement.”
However, you can contact your AVPS rep right now, and begin “enhancing” right away — whether for EMV upgrades, increased ease or security for your customers, or anything else to get ready for not only the 21st century, but even the holiday season, that’s right ahead.
Meanwhile, we’ll see you next week, while we still have August!