Target Moves To Chip and Pin Cards To Boost Security
jfruh (300774) writes "U.S. retailers must accept chip-and-pin charge cards by the end of 2015 or become liable for fraudulent purchases made with chip cards. Target, still smarting from its recent embarrassing security breach, is moving to get ahead of that trend. The company will be installing chip-and-pin terminals in all its stores, and will also be issuing chip-and-pin versions of its own branded cards, which account for about 20 percent of Target sales. Will this move by a huge retailer push the U.S. into parity with the rest of the world?"
Meanwhile in Finland, everything and everybody has a wireless payment terminal. I once even saw a street musician with one for tips...
They might as well announce they're getting Yeti insurance. They had their payment system compromised by people that got access to their point of sale system at one of their stores and then used that to gain access to their central system.
That has nothing to do with chip and pin.
And ultimately, how would you do chip and pin for online retail? You know, people that literally have to type their credit card number into a field? So indifferent to chip and pin, that is going to keep working. And I suspect that indifferent to chip and pin, somewhere in the Target billing system there will be a list of credit card numbers, expiration dates, and security codes. A hacker gaining access to that database isn't going to care if the cards were chip and pin or not. Because by that point the data is prepared for processing. The only way chip and pin would be effective is if the security code were different for each transaction. That seems extremely unlikely but if you could somehow pull that off then snagging the numbers might not get the thieves anything. Of course, how you'd get that to work with online retail is anyone's guess.
TLDR... I don't think chip and pin is going to accomplish anything and insofar as I understand the issue it wouldn't have stopped the breach at Target in the first place. So I don't know why they're talking about it like it's a solution to anything.
I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
Square will have to do what PayPal Here does in territories with Chip and Pin, and that's replace their device with one that has a chip reader.
Of course, the PayPal Here reader with Chip and Pin is almost ten times the cost of the US PayPal Here swipe reader.
Please read my Canon EOS tech blog at http://www.everyothershot.com
The U.S. is finally catching up with Bulgaria on this one.
But how will this changeover affect companies like Square that depend on swipe and sign for most transactions?
Your card will likely continue to have a magnetic stripe for non chip and pin terminals. Canada's deadline for "liability shift" was March 31 2011 for credit.
Chip and Pin in the USA will go the same way Concorde did
Back and forth to Europe twice a day?
We will not gain parity simply because Target said "make it so". Sadly the cheap and easy CC system the US uses is the easy thing to stay with. Expect an extension of the current system just before it expires in 2015. Nobody wants to spend money to be more secure - "that won't happen to us" mentality rules here in the States...
Square will have to do what PayPal Here does in territories with Chip and Pin, and that's replace their device with one that has a chip reader.
Of course, the PayPal Here reader with Chip and Pin is almost ten times the cost of the US PayPal Here swipe reader.
Well, it really depends. Without chip and pin, the vendor assumes all responsibility for chargebacks. It will be a decision for each Square user as to whether it is more profitable to assume liability or pay for the more expensive reader upgrade.
My wife has a retail store and a credit card reader.
If I wandered into the bank and asked how I get a C&P terminal for the store, they would stare at me blankly. It simply isn't available. The terminals exist, but the bank isn't going to talk to it until they're good and ready to, which at the current rate of progress is 'never'.
Target has more leverage, but small retailers have to take what the bank makes available.
For this and other reasons, we will probably switch banks, but people should be under the impression that retailers in the US can 'just switch'. They can't. The bank decides which terminals it will work with. This is bizarre given that the terminals are completely generic.
I should use this sig to advertise my book ISBN-13 : 978-1501515132.
I think your bank is probably more tired of it than you are as by law they are required to eat most of the liability. The good banks give you zero liability (as in, you aren't ever responsible for losses.)
I'm curious how this will work for internet transactions though, unless they expect everybody to have smartcard readers (wouldn't bother me, but buying things via smartphone or tablet will need some revamping.)
Careful with names containing L slashdot.org/~AiphaWolf_HK slashdot.org/~AlphaWoif_HK slashdot.org/~AiphaWoif_HK
It isn't the merchants dragging their feet. Chip and Pin has not been available to merchants in the US. The thing most people don't realize is that credit card fraud is a profit center for Visa/Mastercard/etc. Do you think Visa is eating the cost of a fraudulent transaction to cover the "$0 Fraud Liability" they offer to their customers? Of course not. It goes right back on the merchant. Now the merchant is out their merchandise, out the money they would have received from the sale, and they are hit with a fee (that goes to Visa) for the chargeback. Have a massive breach like Target? Now there are big fines to pay to the card companies on top of it all.
The entire security of the credit card system is based on keeping a 16 digit number secret. That same 16 digit number you have to share with everyone you give money to. Making it TONS more secure would be cheap and easy, and most merchants are already set up to handle it... A simple rotating PIN that is only valid for a length of time is all it would take. Have merchants run all transactions as Debit, and give the customer an app on their phone (or even a periodic SMS with a new PIN.) The card companies could use the fraud liability as an incentive to use the system. No rotating pin? $1000 fraud liability. Monthly? $500. Weekly? $100. Daily? $25. Rotating PIN app or new SMS after each transaction? $0. This would also secure online purchases as well.
Every time I see a story relating to credit card security, I laugh to myself over how much more secure my World of Warcraft account is than my credit card accounts.
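The rotating PIN proposed in the comment above, sketched as an added example (not part of the original comment, and not any card network's actual scheme): the PIN is derived from a per-card secret and the current time window in the style of RFC 6238, so a captured PIN stops verifying once the window rolls over. The function names, the shared secret and the window lengths are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

DAY = 86400  # the comment's "Daily" rotation tier, in seconds

# Constructed sample secret (the RFC 6238 test key), standing in for a per-card key
SAMPLE_SECRET = b"12345678901234567890"


def rotating_pin(secret: bytes, now: int, period: int = DAY, digits: int = 6) -> str:
    """PIN for the validity window that contains `now` (seconds since epoch)."""
    counter = struct.pack(">Q", now // period)           # index of the window
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                               # RFC 4226 dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_pin(secret: bytes, candidate: str, now: int, period: int = DAY,
               digits: int = 6, skew_windows: int = 0) -> bool:
    """Accept the current window's PIN, plus `skew_windows` earlier ones."""
    ok = False
    for back in range(skew_windows + 1):
        t = now - back * period
        if t < 0:
            break
        expected = rotating_pin(secret, t, period, digits)
        # Constant-time compare, no early exit, so timing does not reveal a match
        ok |= hmac.compare_digest(expected.encode(), candidate.encode())
    return ok


if __name__ == "__main__":
    t0 = 1_400_000_000                                    # constructed timestamp
    pin = rotating_pin(SAMPLE_SECRET, t0)
    print("PIN in window:", pin)
    print("same day     :", verify_pin(SAMPLE_SECRET, pin, t0 + 60))
    print("a week later :", verify_pin(SAMPLE_SECRET, pin, t0 + 7 * DAY))
```

A PIN is still replayable inside its own window, which is why shorter windows correspond to the lower liability tiers in the comment.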
Why is it always reactionary in American business?
FTFY. As to answer the question: it used to not be that way, but the companies discovered that if they gave enough money to the politicians, the regulator would let them get away with making arrangements like: "if none of us makes the first step to innovate, the others won't be forced to follow, and we all can save ourselves the financial investment of the innovation".
Other than that, it's about fucking time!
Sick of finding out every other month that some retailer that I frequent has been hacked.
That won't change in the long run. In the short run maybe some benefit, while the crooks come up to speed, but chip and PIN is also hackable. It's not as easy, to be sure, but technology marches on and both PIN harvesting and stolen card use are both happening in Europe today (though not with the frequency of the US problems yet).
One place we might gain advantage from our late start is that no one will have the older-tech cards where PIN-extraction from stolen cards is possible (and done) due to flaws.
Socialism: a lie told by totalitarians and believed by fools.
The US almost always suffers from the early adopter problem. That is, we get the earlier versions of standards merely because we adopt them first, and by the time Europe gets around to adopting them the technology has improved based on what was learned in the US. Note similar things like T1 equivalent E1 being faster, and given that superseding technologies (such as optical carrier) are sold in multipliers of T1 speeds, the Europe versions tend to be speced higher.
Broad adoption of standards is like a marriage: You're stuck with it, flaws and all, and changing to another incompatible one requires a lot of pain and sacrifice, with there being more pain the longer the marriage has lasted. For another perspective on this, look how much of a PITA it was to switch to digital TV, which the US actually did faster than most of the world.
And yes, I know Europe also had magnetic stripe. But like the marriage analogy they didn't have it for as long nor was it adopted as broadly before chip and pin came along, likewise switching wasn't as difficult.
There is a silver lining to our system though:
One time I saw somebody commenting on how much he hates chip and pin because it was supposedly only being pushed so that banks can force you to pay for fraudulent charges, whereas magnetic stripe they supposedly can't. The article was referring to the US adoption, and so I told him that we already have laws that strictly limit liability for consumers that mostly just make banks liable, and they aren't going away. He then lambastes me that "the rest of the world" doesn't do it that way, therefore chip and pin is evil, and I'm a stupid ignorant American for thinking that, even though the article was specifically about the US where such a problem doesn't exist.
Why doesn't it exist? Well, because us backward Americans have been on magnetic stripe for so long, that it was born out of necessity. (Which by the way, looking in his profile revealed he lived in Europe, which isn't "the rest of the world" as other non-European countries do have similar laws to the US, for the same reasons.)
Careful with names containing L slashdot.org/~AiphaWolf_HK slashdot.org/~AlphaWoif_HK slashdot.org/~AiphaWoif_HK
Most US cards being issued with a chip are Chip and Signature, not Chip and PIN -- because banks have trained Americans to think PIN means debit so banks fear applying a PIN to a credit card would confuse people.
I have one of these Chip and Signature cards and on my last trip to UK it was a real PITA, especially at self-checkouts. Like at ASDA there was a signature signing pad but I had to wait for a clerk to come over to give me the pen and then she checked my signature real closely. Same thing at the duty free at the airport. The self-checking stopped and alerted the clerk to come over to check my signature. Then at other stores the clerk couldn't find a pen, or was surprised when paper spit out and had to ask a manager what was going on.
(I had one clerk hand me the slip to sign, checked my signature, then put the signed slip into the bag with the receipt! If I was an "arse" I probably could have disputed the charge and gotten away with it because they couldn't produce a signed slip)
At the ASDA (far away from where tourists usually go) the clerk remarked it's been years since she saw someone have to sign for a charge. I apologized, said I was an American, and that our banks think we are too stupid to remember a PIN. She got a good chuckle out of that...
I still have a Target-branded chip-and-pin card and USB reader from 10+ years ago from an early pilot they did with a well-financed crypto startup. I would imagine some of their executives are kicking themselves now for having shut the project down then.
It's nice to see the US finally catching up with what Europe has been doing for a very long time.
It still has to be swiped in Europe.
You need a Chip and PIN card. Wells Fargo issues them now. And Chase does for some cards too. You really should be getting one of those before you go.
If you don't have the PIN for your card, you don't have a Chip and PIN card and you'll be in a slightly worse boat in Europe than a card that doesn't have a chip because you'll usually have to tell them "ignore that chip, you have to swipe that" every time you use the card.
http://lkml.org/lkml/2005/8/20/95
That exists right now - it's called a "Card Not Present" transaction and the transaction fees ARE higher as a result. I believe Square charges like 3.5% instead of 2.5% for those kind of transactions because of the increased risk.
Paypal fees mirror the credit card processing fees, so Paypal knows how to do Card Not Present transactions (and they do tons of verification as well that reduces their risk).
I'm still waiting for the metric system to catch on =)
"If any question why we died, Tell them because our fathers lied."
As a US citizen who has never seen a vending machine with a card swipe option, I feel left out.
I've decided to Diversify my Holdings. I've divided my cash between my left and right pockets, instead of all in one.