18 April 2014

44975

Retired Member

83 | posts 240,049 | views 136 | comments

The War On EMV - part 2

25 December 2013  |  2805 views  |  0

OMG ... it is Christmas Eve and we have another charlatan's friend EMV 'expert' claiming that EMV is not the answer to Target data breach in the following article

http://pciguru.wordpress.com/2013/12/21/emv-and-the-target-breach/

Well let me tell you again ... EMV IS THE ANSWER as much as 'experts' such as these claim otherwise. It has NOTHING TO DO WITH ENCRYPTION of card data (although this doesn't hurt of course). It has EVERYTHING TO DO WITH DYNAMIC CARD AUTHENTICATION as part of the EMV compliant transaction processing.

YES of course, and unfortunately, the EMV compliant cards and mobile phones (ones having NFC capability) would still provide the card number, expiry date and CVV in CLEAR to the EMV compliant terminals, and therefore ultimately to the merchant systems. Those card data can be stollen if the merchant isn't taking care of them. That's all true. But if this card data is made effectively useless then it simply would not matter.

To refresh our collective EMV knowledge here is the simple fact - the transaction between EMV compliant card and the EMV compliant and certified POS terminal / ATM could be approved (and consumer account charged) ONLY AFTER either

1. in offline transaction - the EMV compliant terminal / ATM fully authenticates the card by verifying dynamic data authentication (DDA) / combined dynamic authentication (CDA) cryptogram, provided by the card, which is unique for each transaction, OR

2. in online transaction - the card issuer system fully authenticates the card by checking dynamic ARQC cryptogram, provided by the card, which is unique for each transaction ...

This all means that the EMV compliant cards MUST ALWAYS FIRST PROVE to the EMV terminal (offline case) or card issuer system (online case) that they are 100% authentic cards, which are issued by the certain bank, BEFORE transaction can proceed and eventually be aproved.

The EMV cards produce these dynamic authentication cryptograms by using secret keys unique for each card, which are injected into them during the card personalization process by the card issuers.

No EMV cards can be cloned and replicated, unless the thief also knows those secret keys - and they are imposible to get by simply reading the card data. On the other hand magnetic stripe cards DO NOT need to (because they simply can't) authenticate themselves to the POS terminals or card issuer systems and they can be cloned and replicated very easily (because they are just storing STATIC card data, without ability to produce any dynamic authentication cryptogram).

Realize the BIG DIFFERENCE NOW?

The only 2 reasons why it still matters when these hacker 'bad guys' steal card data from careless merchant's systems is because

1. US is still using and relying on mag stripe cards for proximity payments across the board - in merchant stores and in ATMs

2. the stollen card data could be used in online internet payments which are not protected by 3-D Secure consumer authentication

Risk #1 CAN BE FULLY ELIMINATED by US switching completelly to EMV technology. Then every card would have to be properly authenticated by verifying the card's dynamic cryptogram on every merchant POS terminals or every ATM machine, before the transaction can be approved.

Risk #2 can be eliminated in many ways - 3-D Secure, etc, ...

Basically if EMV cards were used everywhere and if magnetic stripe technology is completely eliminated (phased out) then stollen card data would not matter at all anymore to anybody. Nobody will be able to clone the EMV card by using card number, expiry date and cvv value and use it on ATM or merchant POS terminal.

Now all of you 'experts' ... can you please STOP spreading NONSENSE anymore ... once and for all ... PLEASE.

Let us hope that year 2014 may bring some sense into the payment industry.

TagsCardsPayments

Comments: (0)

Comment on this story (membership required)
Log in to receive notifications when someone posts a comment

Latest posts from Retired

With US Rollout Of EMV Who Needs Magnetic Stripe Anymore?

03 February 2014  |  2441 views  |  1  |  Recommends 1 TagsSecurityPayments

Bitcoin may need to shed its world of intrigue to grow more

31 January 2014  |  901 views  |  0  |  Recommends 0 TagsVirtual currency

T-Mobile US says to expand into banking cards

23 January 2014  |  910 views  |  0  |  Recommends 0 TagsTransaction banking

London bitcoin meetup

19 January 2014  |  1111 views  |  0  |  Recommends 0 TagsTransaction banking

Target data breach and EMV

12 January 2014  |  2596 views  |  3  |  Recommends 0 TagsSecurityPayments
name

Retired Member

job title

company name

member since

1974

location

Summary profile See full profile »

Retired's expertise

What Retired reads
Retired writes about

Who is commenting on Retired's posts

Vishal Chaturvedi
Matt Scott
Marinka Ryan
Alexander Peschkoff
Michel-Ange Camhi
Rob Fernandes
Ketharaman Swaminathan
Nick Collin