Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.

Take On Payments


May 31, 2011

Stemming the rising tide of card breach incidents: PCI compliance or chip-and-pin?

Incidents of card data breaches continue to rise despite industry efforts to safeguard customer payment information in transactions with merchants. Arts and crafts retailer Michaels was the most recent target of a large data breach. The company announced on May 4 that several of its stores, including three in Atlanta, had been victimized by card-terminal tampering and that customer credit and debit card information might have been compromised. The tampering activity enabled card data skimming, a scheme used to clone cards to create new counterfeit cards or to make payments online illegally using the customer's stolen identity.

The Payment Card Industry (PCI) Data Security Council guidelines have promoted advances in the way the industry addresses card data security–but in many ways, the PCI guidelines are necessary, unfortunately, because of cards that use mag-stripe technology instead of the more secure chip-and-pin technology, a subject we've blogged on before. With this in mind, is it time to reexamine the long-term effectiveness of PCI guidance as a mitigation solution for payment card skimming fraud?

The growing incidence of skimming schemes
There are many ways for criminals to gain access to card data from credit or debit card transactions today. For example, criminals use various forms of social engineering to install malware over the Internet on victims' PCs to gain access to personal and financial information that they can use to commit payments crimes. Another increasingly worrisome method is card skimming, a scheme that takes place at an ATM or at a merchant's handheld or stand-alone point-of-sale terminal. The criminal either embeds an overlay device in the existing point-of-sale card reader to harvest card data or replaces the PIN pad altogether by swapping it for a bogus reader that collects card data. Data-skimming breaches give criminals access to the card information necessary to commit identity theft, create counterfeit cards, or use the card information online for illegal purchases.

Bankinfosecurity.com describes the growing prevalence of skimming and payment fraud in an interactive 2010 timeline updated through October 2010. The timeline describes reported skimming events and how the businesses and financial institutions were attacked.

The PCI Security Standards Council has developed guidelines for retailers on how best to protect point-of-sale card readers against card skimming, including how to detect device tampering. As schemes become increasingly sophisticated, however, these guidelines will likely be less and less effective—a possibility that should give the industry pause to reconsider the value of PCI compliance guidance in light of risk mitigation alternatives, such as a migration to chip-and-pin card technology.

Mag-stripe technology and global crime rings: A perfect storm
The continued shift of retail payments from paper to electronic formats makes online channels attractive targets for sophisticated global crime rings. In fact, the 2010 Data Breach Investigations Report published by Verizon attributes 85 percent of compromised records to organized criminal groups. These groups have established their own illicit marketplaces and online forums that serve as social networks for exchanging black market data harvested in skimming schemes and information on criminal services. The development of this geographically expansive criminal infrastructure online presents global challenges to the law enforcement agencies charged with investigating and prosecuting these crimes. In the future, as credit and debit card data become increasingly valuable commodities for these black marketplaces, merchants and financial institutions will likely be challenged by more advanced skimming schemes and possibly more expansive data breaches.

Fighting skimming fraud is challenging but so is technology change
The vulnerabilities inherent in mag-stripe technology are expected to contribute to ongoing skimming attacks in the future, not to mention the associated credit and debit card losses. Other countries that have converted to the EMV chip technology standard, including Canada and many in Europe, have effectively mitigated skimming. (EMV technology relies on an embedded microchip for data storage on the card instead of the magnetic stripe.) As more countries employ EMV, skimming in the United States is expected to rise. In fact, according to a recent article from bankinfosecurity.com, "...skimming has become a staple of Eastern European criminal gangs, who recognize the U.S. is one of the last holdouts on chip and PIN."

However, as my colleague Doug King noted in an earlier post, "the bad news for the United States is that a coordinated effort to migrate to EMV would be very challenging" because of our large number of card networks and payment card issuers, as well as the multitude of acceptance locations in the marketplace. For now, market participants—and in particular, the merchants—will need to be on guard against increasingly sophisticated skimming schemes perpetrated by organized crime rings.

By Cindy Merritt, assistant director of the Retail Payments Risk Forum



This is a refreshing, plain talking critique. It goes to the heart of the matter; the rewards for organised crime are simply so vast that a process and audit based security regime like PCI-DSS doesn't stand a chance. PCI (like policy based security generally) mitigates against accidental loss or amateur attack, but it is near useless against concerted sophisticated attacks or inside jobs.

We also need to look a little beyond EMV, because on its own, it still leaves the system open to CNP fraud. The experience worldwide is that organised crime turns to CNP when their skimming methods are throttled by chip cards.

If deployed artfully, chip cards from the EMV system can also thwart CNP attack by introducing strong asymmetric cryptography (digital signing) to Internet transactions.

While the US bricks-and-mortar retail environment faces major switching costs, e-merchants have a wonderful opportunity to foster the use of chip cards to secure payment data in online shopping, for the price of a smartcard reader for each customer. For precedent, online games providers like World of Warcraft already deploy smartcards and readers for their members.

Posted by: Stephen Wilson - Lockstep | June 1, 2011 at 04:21 PM
