Prevention is better than cure: EMV and PCI
An independent view on the effectiveness of EMV and PCI in case of large-scale card compromise.
Over the past couple of months, millions of consumers in the United States fell victim to a so-called payment card data breach. A payment card data breach is the situation where fraudsters are able to gain access, on a large scale, to the information stored on debit or credit cards with the aim of selling this information on the black market or of directly performing fraudulent transactions. Exactly how and when consumers become victims of a payment card data breach depends on how attackers plot their attack. If a particular merchant chain is compromised, all consumers that used their payment card at these retail locations are at risk. Worse still, if a payment processing company is compromised, then the transactions at thousands of individual retail locations from a variety of chains can be at risk. A payment card breach usually goes unnoticed by consumers until the moment unfamiliar transactions start to appear on the card statement.
The 'realistic worst-case scenario'
Even though the way in which data breaches are plotted and executed may differ from case to case, the nature of the (card) data that fraudsters are able to exfiltrate is often the same:
• Fraudsters are able to obtain full Track II data of every card that was swiped at the compromised PoS device
• Fraudsters were able to record encrypted PIN data for every card transaction that was PIN-based, however…
• …fraudsters are not able to break the encryption and subsequently get access to actual PIN numbers (see note 1)
What the fraudsters can and cannot do with the stolen data
Fraudsters can use the stolen card data to create a counterfeit copy of the original card. However, whether this card can be successfully used in a fraudulent transaction depends on two factors:
• the type of card compromised, and
• the usage environment where the fraudster will subsequently attempt to commit fraud.
This yields the following matrix:
Note 1: In theory fraudsters can get access to actual PIN numbers by breaking DUKPT-based Triple DES cryptography, by installing spy cams, or by attacking and breaking into PIN pad devices. However, based on UL's professional expertise, none of these attacks is viable enough for a large-scale, nationwide compromise of consumers' PIN numbers.
The use of EMV technology in ATMs, PoS devices, and cards makes transactions less susceptible to fraud through skimming and 'digital pickpocketing'. Until the moment where all ATMs, PoS devices and cards have been made EMV compliant, the industry is still at risk. The extent of this risk is shown in the matrix, where a payment card (shown horizontally) falls victim to digital pickpocketing at a non-EMV compliant PoS device. Depending on the usage environment of the stolen card data (shown vertically), there may be a certain degree of risk involved.

Scenario 1: swipe and PIN transaction was compromised. Fraud is attempted at Magstripe PoS device
This will be the most likely form of fraud resulting from large-scale PoS compromise. A fraudster is able to create a copy of the compromised card and to use it in Card Present situations using his own signature. The issuer will have no way of telling the difference between a transaction with the genuine card and one with the cloned card (see note 2). The issuer will be liable for the fraud, however it may seek to shift liability to the merchant that was the source of the card data compromise.
Acquirers can take additional measures to limit exposure to this kind of fraud. For instance, PoS software can be modified to require merchants to enter the last four digits of the embossed PAN prior to authorization, as this makes it more difficult for a fraudster to create a cloned card using compromised card data, although it is relatively easy nowadays for fraudsters to obtain embossing equipment. Another fraud mitigation method is to ask customers for photo ID to check against the name on the supplied card, but of course this can slow down the transaction time and is therefore a direct cost to the business.
Scenario 2: swipe and PIN transaction was compromised. Fraud is attempted at Magstripe PoS device
In this scenario, the ability for the fraudster to commit fraud depends on the card type and issuer rules. As the PIN has not been compromised, the fraudster must use signature-based or no-CVM transactions. Some issuers do allow their debit cards to be authorized using signature, or to be authorized without PIN or signature (no CVM, for low-ticket transactions). In those circumstances, the transaction is at risk.
Scenario 3: transaction with EMV card was compromised. Fraud is attempted at Magstripe PoS device
In this scenario, whether or not a fraudster can commit fraud is determined by the issuer of the card. The issuer will be able to detect, based on the POS Entry mode data element in Field 55, that the card is used in a Magstripe-only terminal. Since this was originally an EMV card, this transaction may fall under the EMV liability shift regime (depending on region). The issuer may choose to decline the transaction, in which case no fraudulent transaction takes place. If the issuer chooses to approve the transaction, fraud occurs and local liability shift rules determine whether issuer or acquirer is liable for the fraud.
Scenario 4: swipe and signature transaction was compromised. Fraud is attempted at EMV compliant PoS device
This case follows the same rationale as Scenario 2. The fraudulent card can be successfully used, even though the PoS device is EMV compliant.
Scenario 5: swipe and PIN transaction was compromised. Fraud is attempted at EMV compliant PoS device
In this case, the same rationale as Scenario 1 applies, under the assumption that the EMV compliant PoS device is still capable of reading magstripe (see note 3). Depending on the allowed CVMs on a debit or credit card, transactions with a fraudulent card can potentially be authorized.
Scenario 6: transaction with EMV card was compromised. Fraud is attempted at EMV compliant PoS terminal
Whether or not a fraudster is able to successfully commit fraud depends on regional fallback rules. To the EMV PoS device, the fraudulent card will look like an EMV card of which the chip is damaged: the service code on Magstripe Track II indicates the presence of a chip, but the PoS device is not able to read a chip, hence the transaction may qualify for fallback under the applicable fallback rules. If fallback is not allowed, the fraudster will not be able to complete the transaction. If fallback is allowed, the transaction will be authorized by the issuer, provided there are sufficient funds available on the account. If fallback is going to be allowed in North America during the initial stages of EMV migration, scenario 6 should be colored 'orange' (potentially at risk).
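To make the service-code check behind Scenarios 3 and 6 concrete, here is an added example (not code from the UL paper) that parses a constructed Track II string and classifies a swiped read the way the scenarios above do: a first service-code digit of 2 or 6 is the chip indicator (ISO/IEC 7813), and Track II carries no CVC2. The regex, the Track2 class, the assess_swipe function and the sample PAN are assumptions for illustration.

```python
import re
from dataclasses import dataclass

# Track II layout: [;]PAN=YYMM SSS discretionary[?]  (start/end sentinels optional here)
TRACK2_RE = re.compile(r"^;?(?P<pan>\d{1,19})=(?P<exp>\d{4})(?P<sc>\d{3})(?P<dd>\d*)\??$")

# Constructed sample data: same PAN/expiry, different service codes.
SAMPLE_CHIP_CARD = ";4111111111111111=25122011234567890?"   # service code 201: IC present
SAMPLE_SIG_CARD = ";4111111111111111=25121011234567890?"    # service code 101: magstripe, no PIN
SAMPLE_PIN_CARD = ";4111111111111111=25121201234567890?"    # service code 120: magstripe, PIN required

@dataclass
class Track2:
    pan: str
    expiry_yymm: str
    service_code: str
    discretionary: str          # issuer data such as CVV1; never the printed CVC2

    @property
    def chip_indicated(self) -> bool:
        # First digit 2 or 6: integrated circuit card, use IC where feasible
        return self.service_code[0] in ("2", "6")

    @property
    def pin_required(self) -> bool:
        # Third digit 0, 3 or 5: PIN required for the transaction types allowed
        return self.service_code[2] in ("0", "3", "5")

def parse_track2(raw: str) -> Track2:
    m = TRACK2_RE.match(raw.strip())
    if not m:
        raise ValueError("not a well-formed Track II string")
    return Track2(m["pan"], m["exp"], m["sc"], m["dd"])

def assess_swipe(raw: str, terminal_emv_capable: bool, fallback_allowed: bool) -> str:
    """Classify a magstripe read of cloned Track II data along the lines of the scenarios."""
    t2 = parse_track2(raw)
    if not t2.chip_indicated:
        if t2.pin_required:
            # PIN was not compromised; fraud needs an issuer that accepts signature or no CVM
            return "at risk if issuer allows signature or no-CVM authorization"
        # Signature card: the clone is indistinguishable from the original
        return "at risk: signature-based card, clone indistinguishable from original"
    if not terminal_emv_capable:
        # Scenario 3: issuer sees a chip-capable card swiped at a magstripe-only terminal
        return "issuer decision: chip card swiped at magstripe terminal (liability shift)"
    if fallback_allowed:
        # Scenario 6 with fallback permitted: the read looks like a damaged chip
        return "potentially at risk: technical fallback accepted"
    return "protected: fallback not allowed, transaction cannot complete"
```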
Scenarios 7, 8, and 9 (ATM usage)
The fraudster will not be able to successfully use the cloned card at an ATM as this requires a correct PIN number to be entered. In theory, a fraudster has three PIN attempts per compromised card. Because of the impractical nature of such attempted ATM fraud, it is fair to assume that large-scale card compromise is not going to cause an increase in fraudulent cash withdrawals.
Note 2: Issuers may have legacy fraud controls implemented, such as the time and geo-location at which two subsequent transactions with the same card number take place.
Note 3: In mature EMV markets, support for magstripe acceptance is sometimes no longer allowed. In North America there will be a transition period in which acceptance devices will support magstripe as well as EMV technologies.
Scenarios 10, 11, and 12 (Internet – Card Not Present usage)
In theory, the data that is stolen from cards by compromising a PoS device cannot be used for Card Not Present (internet) purchases. This is because a compromised PoS device only gives access to Magstripe Track II data, which does not contain the so-called security code (referred to as CVV2 or CVC2 data) printed on the signature panel of the card. However, reality shows that under certain circumstances a fraudster will be able to successfully commit fraud with the data gathered through large-scale PoS compromise:
• In some cases, the web merchant that accepts card payments does not require entry of a Security Code in order to complete a transaction. A fraudster will be able to successfully use compromised card data for purchases. Since the merchant does not provide all the data that it is supposed to (CVC2), liability is with the merchant in this case.
• Some issuers do not validate the value of the CVC2 data. Here too, the fraudster will be able to successfully use compromised card data for CNP purchases. In this case, the issuer will have no means to shift liability to another party.
• A statistical attack vector also exists in case of large-scale PoS compromise. The CVC2 code is a three-digit numerical value, giving it 1,000 possible values. Most issuers allow for three successive CVC2 validation attempts before fraud is suspected and authorization is declined, which gives a fraudster a chance of around 0.3% per card for a successful CNP transaction. When the data of millions of payment cards is stolen, fraudsters have a large statistical chance of committing fraud in CNP environments. In this case, the issuer is liable for the transaction fraud, however it will seek means to shift liability to the merchant where the large-scale PoS compromise took place.
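As an added example (not from the UL paper), the issuer-side attempt counter that the three-attempt limit above implies, together with the residual per-card success probability and expected hit count it leaves across a large compromised population. The Cvc2Gate class, the constants, the sample PAN and CVC2 values, and the replayed authorization stream are all constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional

CVC2_SPACE = 1000        # a three-digit numeric code has 1,000 possible values
MAX_CVC2_ATTEMPTS = 3    # failed checks tolerated before CNP use of the card is blocked

@dataclass
class Cvc2Gate:
    """Issuer-side CVC2 validation with a per-PAN failure counter (constructed example)."""
    real_cvc2: dict                               # PAN -> correct CVC2 held by the issuer
    failures: dict = field(default_factory=lambda: defaultdict(int))
    blocked: set = field(default_factory=set)

    def authorize(self, pan: str, cvc2_supplied: Optional[str]) -> str:
        if pan in self.blocked:
            return "declined: card blocked after repeated CVC2 failures"
        if cvc2_supplied is None:
            # Merchant did not send CVC2: approved, but liability stays with the merchant
            return "approved: no CVC2 supplied, merchant liable"
        if cvc2_supplied == self.real_cvc2[pan]:
            return "approved"
        self.failures[pan] += 1
        if self.failures[pan] >= MAX_CVC2_ATTEMPTS:
            self.blocked.add(pan)
            return "declined: attempt limit reached, card blocked"
        return "declined: CVC2 mismatch"

def per_card_success_probability(attempts: int = MAX_CVC2_ATTEMPTS) -> float:
    # Distinct guesses without replacement: attempts / 1000, i.e. 0.3% for three attempts
    return min(attempts, CVC2_SPACE) / CVC2_SPACE

def expected_successes(cards: int, attempts: int = MAX_CVC2_ATTEMPTS) -> float:
    # Expected number of compromised cards that yield one approved CNP sale
    return cards * per_card_success_probability(attempts)

def run_constructed_stream() -> list:
    """Replay a constructed guess sequence against one compromised PAN."""
    gate = Cvc2Gate(real_cvc2={"4111111111111111": "123"})   # constructed values
    pan = "4111111111111111"
    # Three wrong guesses exhaust the limit; the fourth is correct but arrives too late
    return [gate.authorize(pan, guess) for guess in ("000", "001", "002", "123")]
```

With a million compromised cards the expected_successes figure is 3,000 approved CNP transactions, which is the "large statistical chance" the paragraph refers to, even though each individual card only gives a 0.3% chance.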
Could EMV have prevented this large-scale compromise?
EMV is a digital transaction protocol and as such is not a measure that prevents fraudsters from gaining access to PoS devices and installing malicious software. The EMV transaction protocol however introduces a cryptographically secured means of determining the authenticity of debit and credit cards. The PoS device and/or card issuer will always be able to detect attempted card cloning. The EMV transaction protocol takes place between an EMV-compliant card (debit or credit) and an EMV-compliant PoS device or ATM. For reasons of backwards compatibility, non-EMV compliant cards can be used on EMV-compliant acceptance infrastructure. For a similar reason, EMV-compliant cards can be used on Magstripe-only acceptance devices.
Therefore the following points are worth noting:
• Merchants that have EMV-enabled their PoS acceptance infrastructure can still be a source of card data compromise in case a fraudster manages to gain access to PoS software code. EMV compliance provides protection against EMV liability shift, however EMV compliance does not provide protection against card compromise liability.
• Merchants that have EMV-enabled their PoS acceptance infrastructure can still, unknowingly, acquire card fraud. See scenarios 4, 5, and 6. As long as this merchant was not the source of large-scale card compromise, this merchant will not be held liable for this acquired fraud.
What is the role of PCI here?
PCI DSS controls have been designed to prevent and/or detect a large-scale compromise. To commit any such fraud, the criminals need a point of ingress to allow for the wide-scale delivery of a compromise, a known vulnerability in the system to allow for the compromise, and a point of egress for the exfiltration of the collected data. These points are directly addressed by the PCI DSS requirements, and although compliance is not an absolute guarantee of prevention of such a compromise, it would not be unexpected to find that any such compromise has resulted from a lack of rigor around one or more of the PCI DSS controls.
In case fraudsters manage to collect card data directly from the PoS device, it can be expected that encryption of all cardholder data at the POI (the PIN Entry Devices themselves, prior to the data being passed into the PC-based POS systems) would have largely mitigated this form of compromise. Therefore, compliance with the PCI P2PE requirements, or even just correct use of SRED-approved POI devices to remove all cardholder data from the POS environment, is likely the largest single step that any retailer can take to protect their customers' card data.
Conclusion
As presented in this memo, an acquiring infrastructure that is compliant with applicable and up-to-date PCI standards (PCI DSS, PA-DSS, PTS etc.) should provide sufficient end-to-end protection against card account compromise. In a similar fashion, EMV compliance will ensure that the card account information that flows through such acquiring infrastructure is genuine and can be authenticated. The combination of PCI and EMV compliance provides a robust framework against card fraud in the card present as well as the card not present domain. Had the US already migrated to EMV, the consequences of large-scale card compromise such as the ones recently reported would have been less severe (see scenario 6).
For now, the US payments industry is implementing remedial actions to avoid fraud resulting from data breaches. UL foresees (a combination of) the following remedial actions:
• Reissuance of those cards that may have been subject to fraud, plus blacklisting of compromised card ranges (issuer action)
• Tightened spending controls for those cards that may have been subject to fraud (issuer action)
• Disabling Card Not Present authorizations for those cards that may have been compromised (issuer action)
• Requiring CVC2 entry for Point Of Sale purchases (has impact on the issuing as well as the acquiring side)
• Requiring the merchant to enter the last four digits of the PAN during a PoS transaction (acquirer action)
• Requiring the merchant to verify the (part of the) PAN which is printed on the receipt against the PAN embossed or engraved on the card
Want to know more? UL's EMV, PCI and security experts are happy to assist.
Please visit our website for locations and contact details or email [email protected].