Thursday 23 January 2014

PCI London: How the Payment Card Industry could kill PCI DSS

Today (23rd Jan 14) I was a panellist at PCI London 2014, and quite a few people were interested in what I had to say on removing the need for PCI DSS compliance completely by securing the payment cards themselves. What I said was nothing new; I have been bleating on about this since attending the first PCI SSC meeting back in 2007. Still, it is a bold thing to say, especially at a conference where Visa Europe and the PCI Security Standards Council are promoting PCI DSS compliance in the UK, and where the event's sponsoring vendors are promoting their PCI DSS compliance services. I'll summarise the views I expressed at PCI London, which I believe could draw an end to PCI DSS compliance.
Introduce Global Chip & Pin (EMV)
Chip & Pin provides two-factor authentication: to make a payment the cardholder needs both knowledge of a 4 digit PIN and possession of the payment card, and the chip checks the PIN and computes a cryptogram for the transaction rather than handing over static data. This is known as a 'cardholder present' transaction, typically an 'over the counter' or 'check out / till' payment. The UK's Chip & Pin rollout was completed in 2006, and since then the payment industry has seen a drastic cut in face to face card fraud. The US, however, has been dragging its heels for years, resulting in breaches like Target, where the bad guys only needed to capture the magnetic stripe (track) data passing through the tills to obtain the cardholder data, giving them the ability to commit fraud with thousands of payment cards.
Remove the Magnetic Stripe from the Cards
The magnetic stripe makes it easy for card fraudsters to clone cards: they simply copy the stolen magnetic stripe data onto new fake cards, and the result is indistinguishable from the original. There is nothing to prevent anyone from reading the details held on a card's magnetic stripe, and writing to a magnetic stripe is a simple and cheap process. The stripe's track 2 holds the cardholder data (PAN, expiry date, service code and discretionary data) as static, unencrypted text, and it is a 1970s technology that has not evolved since it was introduced. The chip is different. Its security comes not from the data it holds, which a terminal can read much as it reads the stripe, but from a card-unique secret key that never leaves the chip and is used to compute a fresh cryptogram for every transaction; copying what can be read off a chip therefore does not produce a usable clone. Chips are very difficult to clone, and the technology keeps evolving.
A Magnetic Stripe, A Card Fraudster's Delight
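To make the difference between the two technologies concrete, here is an added example (my own illustration, not code from the original post or from any card scheme) that parses a constructed Track 2 string, "clones" it, and then models a chip that answers each transaction with a cryptogram under a key the terminal never sees. The ChipCard, Issuer and demo names are assumptions for the illustration, and the HMAC-SHA256 cryptogram is a simplified stand-in for the EMV ARQC rather than the real EMV algorithm.

```python
"""Added example, not code from the original post: why a magnetic stripe is
trivially cloneable while a chip is not.

A Track 2 stripe (ISO/IEC 7813) is ;PAN=YYMMSSS<discretionary>? and every
character is static, so a copy is as good as the original. A chip instead
keeps a card-unique key that its interface never exports and answers each
transaction with a cryptogram over data the terminal and the card chose.
The HMAC cryptogram below is a simplified stand-in for the EMV ARQC.
"""
import hashlib
import hmac
import secrets

# Constructed sample stripe; 4111... is a well-known test PAN, not a live card.
SAMPLE_TRACK2 = ";4111111111111111=25121011234567890?"


def parse_track2(raw: str) -> dict:
    """Split Track 2 into its fields; raise ValueError on malformed input."""
    if not (raw.startswith(";") and raw.endswith("?")):
        raise ValueError("missing start/end sentinel")
    pan, sep, rest = raw[1:-1].partition("=")
    if sep != "=" or not pan.isdigit() or len(pan) > 19 or len(rest) < 7:
        raise ValueError("malformed track 2")
    return {
        "pan": pan,
        "expiry": rest[:4],          # YYMM
        "service_code": rest[4:7],
        "discretionary": rest[7:],   # PVV/CVV1 etc., equally static
    }


def chip_capable(service_code: str) -> bool:
    """Service code first digit 2 or 6 tells a terminal the card carries a chip."""
    return service_code[0] in "26"


def clone_stripe(raw: str) -> str:
    """A skimmer needs nothing but the characters: the copy is indistinguishable."""
    return str(raw)


class ChipCard:
    """Simplified chip: secret key stays inside, output is a per-transaction MAC."""

    def __init__(self, pan: str, key: bytes):
        self.pan = pan
        self._key = key   # no method ever returns this
        self.atc = 0      # application transaction counter

    def generate_cryptogram(self, amount_pence: int, unpredictable_number: int):
        self.atc += 1
        msg = f"{self.pan}|{amount_pence}|{unpredictable_number:08x}|{self.atc}".encode()
        return self.atc, hmac.new(self._key, msg, hashlib.sha256).hexdigest()


class Issuer:
    """Issuer host: knows each card's key and the last ATC it accepted."""

    def __init__(self):
        self._keys = {}
        self._last_atc = {}

    def enrol(self, pan: str) -> ChipCard:
        key = secrets.token_bytes(16)
        self._keys[pan] = key
        self._last_atc[pan] = 0
        return ChipCard(pan, key)

    def verify(self, pan, amount_pence, unpredictable_number, atc, cryptogram) -> bool:
        key = self._keys.get(pan)
        if key is None or atc <= self._last_atc[pan]:
            return False   # unknown card, or a counter value already spent
        msg = f"{pan}|{amount_pence}|{unpredictable_number:08x}|{atc}".encode()
        expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, cryptogram):
            return False
        self._last_atc[pan] = atc
        return True


def demo() -> tuple:
    """A genuine transaction, a replay of the captured data, and a forgery."""
    issuer = Issuer()
    card = issuer.enrol(parse_track2(SAMPLE_TRACK2)["pan"])
    un = secrets.randbits(32)                     # terminal's challenge
    atc, ac = card.generate_cryptogram(1999, un)
    genuine = issuer.verify(card.pan, 1999, un, atc, ac)
    # A POS memory scraper saw everything the terminal sent; replaying it fails,
    replay = issuer.verify(card.pan, 1999, un, atc, ac)
    # and the captured cryptogram is useless against a new challenge and counter.
    forged = issuer.verify(card.pan, 1999, secrets.randbits(32), atc + 1, ac)
    return genuine, replay, forged


if __name__ == "__main__":
    print(parse_track2(SAMPLE_TRACK2), clone_stripe(SAMPLE_TRACK2) == SAMPLE_TRACK2)
    print(demo())  # (True, False, False)
```

The point the example makes is that a skimmer who captures every byte that crosses the till gets a perfect stripe clone but, against the chip, only gets one spent cryptogram; without the key on the card there is no way to answer the next terminal's challenge.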

Introduce Two-Factor with cardholder not present payments (Telephone & Ecommerce)
A 'cardholder not present' transaction is one where you cannot be sure the actual owner of the payment card is making the payment, because you can't see him or her. These are typically internet (ecommerce) payments and mail order / telephone order (MOTO) payments. Most card fraud occurs with these types of transactions; certainly nearly all UK card fraud now occurs here.

To secure cardholder not present transactions, just as with cardholder present transactions, the solution is simple: introduce a two-factor authentication system. There are several ways this can be achieved, and there are many concept payment cards which carry a keypad for PIN entry and a display that returns a one-time number on the plastic itself, just like the remote access tokens supplied by most banks for online banking. So the technology is available, yet the payment card industry has no plans to roll it out en masse.

Two-Factor Payment Card
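As an added illustration of how such a card and its issuer could work (my own example, not code from the original post or from any bank's token), the block below models a card that checks the PIN on the plastic and displays an RFC 4226 HOTP code, plus the issuer-side check a merchant would forward the code to. The OtpCard and IssuerOtpHost names and the counter window of 5 are assumptions for the illustration; the RFC 4226 test key is used so the demo is reproducible, whereas a real issuer would generate a key per card.

```python
"""Added example, not code from the original post: a payment card with a
keypad and display that returns a one-time code after PIN entry, and the
issuer-side check for a cardholder-not-present payment.

The code is RFC 4226 HOTP (HMAC-SHA1 with dynamic truncation) over a counter
kept on the card. The issuer holds the same key, so a merchant forwards the
PAN plus the displayed code and the issuer answers accept/decline. Card
details alone (PAN, expiry, CVV2) give a fraudster nothing to enter here.
"""
import hashlib
import hmac
import secrets
import struct

# RFC 4226 Appendix D test key; used only to make the demo reproducible.
RFC4226_TEST_KEY = b"12345678901234567890"


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP value for one counter step."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class OtpCard:
    """Card with keypad and display; the PIN is checked on the card itself."""

    def __init__(self, pan: str, key: bytes, pin: str, max_tries: int = 3):
        self.pan = pan
        self._key = key        # never leaves the card
        self._pin = pin
        self.max_tries = max_tries
        self.failed = 0
        self.counter = 0

    def request_code(self, pin: str):
        """Return a fresh one-time code, or None on wrong PIN / blocked card."""
        if self.failed >= self.max_tries:
            return None                                # PIN try counter exhausted
        if not hmac.compare_digest(pin, self._pin):
            self.failed += 1
            return None
        self.failed = 0
        self.counter += 1
        return hotp(self._key, self.counter)


class IssuerOtpHost:
    """Issuer host: per-card key and the highest counter accepted so far."""

    def __init__(self, window: int = 5):
        self.window = window   # codes generated but never submitted are tolerated
        self._keys = {}
        self._last = {}

    def enrol(self, pan: str, pin: str, key: bytes = None) -> OtpCard:
        key = key or secrets.token_bytes(20)
        self._keys[pan] = key
        self._last[pan] = 0
        return OtpCard(pan, key, pin)

    def verify(self, pan: str, code) -> bool:
        key = self._keys.get(pan)
        if key is None or code is None:
            return False
        last = self._last[pan]
        for counter in range(last + 1, last + 1 + self.window):
            if hmac.compare_digest(hotp(key, counter), code):
                self._last[pan] = counter      # everything up to here is now spent
                return True
        return False


def demo() -> tuple:
    """What the issuer accepts and rejects across a few CNP payment attempts."""
    host = IssuerOtpHost()
    card = host.enrol("4111111111111111", "1234", RFC4226_TEST_KEY)
    code1 = card.request_code("1234")
    first = host.verify(card.pan, code1)                 # genuine purchase
    replay = host.verify(card.pan, code1)                # intercepted code reused
    wrong_pin = card.request_code("0000")                # thief has card, not PIN
    card.request_code("1234")                            # generated, then abandoned
    code3 = card.request_code("1234")
    skipped_ok = host.verify(card.pan, code3)            # still inside the window
    stale = host.verify(card.pan, hotp(RFC4226_TEST_KEY, 2))  # earlier code is dead
    return first, replay, wrong_pin, skipped_ok, stale


if __name__ == "__main__":
    print(demo())  # (True, False, None, True, False)
```

Two design points worth noting: the PIN never leaves the card, so a merchant breach exposes nothing that authorises a payment, and the issuer only ever moves its counter forward, so a code that was phished or captured in transit is worthless the moment the genuine one is used.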

Summary
If these steps were taken, cardholder data would no longer require any protection, as possession of the 16 digit number, expiry date and security code (if it were still needed at all) would not be enough for a fraudster to commit card fraud. This is due to the second factor requirement, namely the cardholder knowing their 4 digit PIN, which is entered on the card rather than handed to the merchant. Cardholders already have and know a 4 digit number, as pretty much everyone uses ATMs. So in conclusion, if cardholder data no longer requires protecting, then complying with PCI DSS is no longer required.

The reason we do not have more secure payment cards and payment processing systems today is that the card industry is not prepared to invest in improving security. They are standing still on security, and through PCI DSS compliance they are asking someone else to foot their security bill by protecting their outdated card security. The magnetic stripe is testament to this: it is a 1970s technology which has not changed, and it makes every payment card in the world insecure.

PCI DSS is about protecting someone else's data. My view is that the card brands and issuers should not be passing this risk and liability over to their 'customers' to deal with; they should be dealing with the problem themselves. Chip & Pin has been proven to drastically cut payment card fraud. It is about time the payments industry got its finger out, stopped standing still on plastic card security, and finished the job of securing cards to a standard acceptable in the internet age.
