19 August 2017
Lachlan Gunn

ATM Security

Lachlan Gunn - BenAlpin Ltd


Should we have chip only payment cards?

26 November 2009

Should sensitive cardholder data be held as standard in magnetic stripes on European EMV cards?

The European ATM Security Team (EAST) has conducted a website poll on this topic. On currently available plans, by the end of 2010 all ATMs within Europe are expected to be EMV (Chip and PIN) compliant. The data on the magnetic stripe is no longer required for a transaction at EMV compliant payment terminals and ATMs. Over the past decade the industry has invested a substantial amount into this technology.

The magnetic stripe data, which is vulnerable to being copied or ‘skimmed’, is only required for transactions outside Europe at terminals/ATMs that are not EMV compliant.

EAST is bringing focus onto this issue to encourage industry discussion and debate.

Tags: Cards, Security

Comments: (19)

A Finextra member | 26 November, 2009, 11:39

And how would cardholders who pay for INTERNATIONAL cards be able to use their chip only cards outside of Europe?

Nick Green - ISD Consultants - Northampton | 26 November, 2009, 14:53

For the international traveller it has been suggested, in the past, that you have two cards with different numbers - one for the EMV world and one cheap magstripe for the non-EMV world. On a different but practical point even a chip only card would have to have some mag tape on - it's how ATMs detect you have the card in the right orientation. Additionally removing the tape would reduce the life of the magstripe reader (magnetic tape is soft compared to plastic) that would have to remain for non-EMV visitors.

Matt Scott - RenovITe Technologies Inc - London | 26 November, 2009, 17:35

Having different cards for European Domestic and International is a good idea - implementing them with different Card and Account properties would limit risk exposure in the event the International Mag Stripe is compromised.

Isn't this where V-Pay was meant to be taking the Market in Europe - to an EMV only Acquiring Zone?  I still believe there are unresolved issues with regards to Card/Cardholder Not Present transactions (Mail Order/Telephone Order & e-Commerce).

A Finextra member | 27 November, 2009, 06:47

As ATM skimming gets more and more popular and credit card companies suffer bigger losses, it is pretty obvious that the world is moving towards chip-only cards.

In Europe a chip-only card would already function very well. ATMs are almost fully chip compliant already, and for vendors which have not yet upgraded to EMV terminals it only serves them right to have to manually input the chip-only card's number in their terminal - maybe they'll get tired of it eventually and get the EMV terminal.

When travelling to non-EMV countries, one would carry along a debit card (Visa Electron, Mastercard Maestro) with a magstripe for ATM withdrawals, and the chip-only card for purchases - again entered manually to the sales terminal.

To have to enter the card number manually increases the responsibility of the sales terminal holder, who must check the validity of the card by hand. The CVV number is also stored with the card processor as "input manually". This decreases credit card fraud, because the fraudsters cannot use blank cards or operate anonymously. And this goes for magstripe countries as well.

If Europe moves to chip-only cards, making fraud very difficult, the fraud schemes will hit other areas of the world twice as bad. This will probably result in American and Asian banks finally considering the EMV as well.

A Finextra member | 27 November, 2009, 09:59

"If Europe moves to chip-only cards, making fraud very difficult, the fraud schemes will hit other areas of the world twice as bad. This will probably result in American and Asian banks finally considering the EMV as well."

But card fraud rate in the U.S. is less than half of the card fraud rate in the UK, for example, because U.S. credit cards are rarely issued with pin-codes. What's the point in skimming a U.S. mag-stripe, signature-based card if there isn't a pin-code that goes along with it? How can you possibly motivate a country to solve your problem when its fraud rate is less than half yours?

Once again, the problem solving is done by everyone without regard for consumers.

Instead of issuing multiple cards, which by the way isn't a novel idea since a French bank mulled this idea over in 2003 but decided against it, why not change the ATMs and stand-alone POS in Europe to have dual card slots, one to process the chip (not require the cardholder to put the entire card in the slot), and the second slot for regular mag-stripe based cards? This way you don't need to issue multiple cards.

"When travelling to non-EMV countries, one would carry along a debit card (Visa Electron, Mastercard Maestro) with a magstripe for ATM withdrawals"

And this will make card accounts safe?

How about carding? I'm sure most people here know that a card number has to conform to a Luhn-digit check and it's common knowledge that fraudsters have lists of BINS and the following range of numbers that represent Platinum, or Gold, accounts. Issuing multiple cards also, as acknowledged in one comment, does not solve CNP fraud.

Another solution which a group of European banks admitted is the most efficient method to deflect the increase of cross-border fraud (as well as CNP fraud) is to enable the cardholder to activate or deactivate their card for out-of-country use and CNP use. This way, even if the cards get skimmed, the clone cards are rejected. Even if a carder gets the correct card number with cvv/exp date, the fraudster will not be able to use the card details in a CNP transaction.

Nick Green - ISD Consultants - Northampton | 27 November, 2009, 10:55

Marite,

I didn't say the two card idea was novel - yes it's been around for years.

"How can you possibly motivate a country to solve your problem when its fraud rate is less than half yours?"

Shouldn't this be OUR problem because ultimately we all pay for fraud and I would question the statement that the US has less fraud; they tend to measure it in a different way which makes it look less than it is.

EMV isn't just about fraud it also offers control to the issuer to manage cardholders' spend at the point of sale and to develop other products and services. With EMV it is possible for an Issuer to issue cards that may only be used in a restricted type of retail environment (eg T&E) the terminal and card can determine this without reference to the Issuer host - try doing that with a magnetic stripe.

CNP does continue to be an issue - I'm currently working with a company that have a new approach (NDA means I can't say much) but it won't be a rapid adoption as it is reliant on specific environmental changes (sorry it's vague) but when it was demonstrated to a global card scheme it created an OMG moment - and yes it uses EMV.

A Finextra member | 27 November, 2009, 12:00

"I would question the statement that the US has less fraud; they tend to measure it in a different way which makes it look less than it is."

Question it all you want. The explanation is simple and logical. No static pin-code (signature-based) = no reason for skimming.

"With EMV it is possible for an Issuer to issue cards that may only be used in a restricted type of retail environment (eg T&E) the terminal and card can determine this without reference to the Issuer host - try doing that with a magnetic stripe."

Wonderful. Perhaps, they'll start issuing Electron EMV cards which will enable cardholders to pay for toll or parking.

"CNP does continue to be an issue - I'm currently working with a company that have a new approach (NDA means I can't say much) but it won't be a rapid adoption as it is reliant on specific environmental changes (sorry it's vague) but when it was demonstrated to a global card scheme it created an OMG moment - and yes it uses EMV."

The implementation of most of these OMG solutions usually resulted into getting into the 'chicken and the egg' conundrum and this is what kills the golden goose.

"Shouldn't this be OUR problem..." 

I noticed you didn't say anything about my comment regarding installing dual slots in ATM machines (some exist already) and stand-alone terminals. 

Most times, solutions to problems are quite simple.

But problems are solved only by those that have the motivation to solve them. And each of us that sell solutions, of course, will push for what will make us money and not necessarily the most efficient solution.

The entire CARD payment industry has gone haywire in any case. Instead of keeping card payments simple and less costly for all market participants, it has evolved into complicated, expensive networks serviced by a few players. I look forward to PSD which opens up the payment industry in Europe. Certainly, competition always leads to more efficient products and services. 

Lachlan Gunn - BenAlpin Ltd - Perth | 27 November, 2009, 15:29

Marite

I like the possible solution you mentioned:

"Another solution which a group of European banks admitted is the most efficient method to deflect the increase of cross-border fraud (as well as CNP fraud) is to enable the cardholder to activate or deactivate their card for out-of-country use and CNP use. This way, even if the cards get skimmed, the clone cards are rejected. Even if a carder gets the correct card number with cvv/exp date, the fraudster will not be able to use the card details in a CNP transaction."

Does anyone know if there is a suggested practical or favoured approach to this?  How would the cardholder do this?  By telephone, by SMS, by Internet? Has anything been tested?

Cedric Pariente - Racine Alpha - Paris | 28 November, 2009, 10:33

I think there is a key component missing here:

The opinion of the users!

Do you really think people would appreciate being forced to have 2 cards because specialists think it's better for them?

Ask them also what they think of VBV or SecureCode that has been thrown away at their face without notice asking for their birthdate in order to "secure" their online transaction.

Before adopting a solution, the users' opinion should be mandatory.

A poll is necessary, but a real one, independent. Not from "an independent survey company" that is sponsored by banks or payment networks.

A Finextra member | 30 November, 2009, 09:45

Lachlan, "Does anyone know if there is a suggested practical or favoured approach to this?  How would the cardholder do this?  By telephone, by SMS, by Internet? Has anything been tested?"

Yes, this is done via IVR/telephone, SMS, Mobile Interface, Web Interface. The proof of concept was delivered in 2003 through a successful pilot with real cardholders with subsidiaries of French metropolitan banks such as SOCREDO Banque, Banque de Tahiti and Banque de Polynesie.

Please check your Finextra inbox. I sent you a private message.

Peter Gullberg - Todos AB - a Gemalto company - GOTHENBURG | 30 November, 2009, 15:09

It's a good idea, but I think the correct question should be:

- Should chip based ATM-cards continue to have automatic fallback to magstripe in magstripe only ATM's?

It seems that MasterCard and VISA haven't really adopted the liability shift between Europe and US, where some banks still lose money, even though they have incorporated all the security features that technically would remove this type of fraud.

A Finextra member | 30 November, 2009, 15:56

"Should chip based ATM-cards continue to have automatic fallback to magstripe in magstripe only ATM's?"

I don't see how else cardholders would be able to withdraw money other than to allow the processing of mag-stripe/static pin-code with these magstripe only ATMs. It ain't really a fallback in any case. Fallback rule refers to a condition wherein the ATM that can process chip, deems the chip 'unreadable', therefore it falls back to reading the magstripe.

"It seems that MasterCard and VISA haven't really adopted the liability shift between Europe and US, where some banks still lose money, even though they have incorporated all the security features that technically would remove this type of fraud."

There is no liability shift in Canada or the United States. Although we do read about Liability shift in Asia Pacific, I'm not so sure that this is accurate. For example, Singapore does not have even a single ATM machine that processes the chip.

Shift in business rules that are imposed onto the market usually trigger antitrust inquiries and procedures. Recall, the two antitrust cases with the European Commission concerning VISA and Mastercard.

Matt Scott - RenovITe Technologies Inc - London | 01 December, 2009, 11:07

With regards to Fraud Rates - are you talking US Issuer or US Acquirer rates - because I think you will find America is a prime target to take skimmed card data to because of the "less complex" security applied to processing there.  In the instance of at least one European Issuer I am aware of they simply decline or refer any Authorisation Requests from America due to the exponential growth of Skimmed Fraud in that area.

I find it difficult to believe that Cards are issued in America with Signature as the only method of Cardholder Authentication - forging a signature is easy and most cashiers will not notice if you write Donald Duck anyway.

A Finextra member | 01 December, 2009, 13:26

"Forging a signature is easy and most cashiers will not notice if you write Donald Duck anyway."

See : http://www.finextra.com/community/fullblog.aspx?id=3595

If a merchant in the U.S. accepts a card without checking the signature, and if the cardholder disputes the transaction, then the Issuing Bank charges back the amount to the Merchant, and the salesperson or the merchant will then learn not to accept cards without checking the signature. 

"With regards to Fraud Rates - are you talking US Issuer or US Acquirer rates - because..."

Issuer related fraud rate, of course and this fraud rate is more important since the Issuer can always charge back a transaction to the Acquirer if the card was not properly accepted. If a clone of a skimmed European card is used in an ATM machine in the U.S, with the correct pin-code, it is the European issuer that refunds the money to the cardholder. If a clone of a skimmed US card is used in an ATM machine in Europe, with the correct pin-code, it is the U.S. card issuer that refunds the money to the cardholder.

"In the instance of at least one European Issuer I am aware of they simply decline or refer any Authorisation Requests from America due to the exponential growth of Skimmed Fraud in that area"

Too bad for this European Bank's stranded cardholders...

"I think you will find America is a prime target to take skimmed card data to because of the "less complex" security applied to processing there." 

The other side of that coin is : "Europe is a prime target to skim the magnetic stripe of cards and record the pin-codes because of the proliferation of stand-alone POS and ATM terminals."

Protecting European cardholders against card skimming does not involve rocket science. It's definitely not for the lack of security solutions that European cards are prime targets of skimmers. 

Matt Scott - RenovITe Technologies Inc - London | 01 December, 2009, 21:52

I think you've missed the point of the original statement - which was - if we remove mag stripes from cards will fraud be reduced and the answer to this is yes - undeniably.

Skimmed European EMV Cards will mostly be rejected at EMV-enabled ATM's (mis-configured hosts may still permit the auth as technical fallback).

Skimmed US Cards can be used at any ATM because there is no way to tell a Skimmed Card from a Genuine Card (no Chip).

Eventually Fraud losses will reach a point where the International Cardschemes will take corrective action.

A Finextra member | 02 December, 2009, 09:29

Matt : "I think you've missed the point of the original statement - which was - if we remove mag stripes from cards will fraud be reduced and the answer to this is yes - undeniably."

EAST is bringing focus onto this issue to encourage industry discussion and debate. 

And if you read the entire thread of this discussion and debate, you will note that I commented on other solutions such as putting dual slots in ATMS and standalone POS and giving cardholders the ability to TURN ON/TURN OFF their cards for out of country use and CNP use.

And if you read the entire thread of this discussion and debate, you would have noted that the first question I asked is if you remove the magstripes, how would European cardholders be able to use their cards in non-EMV countries (still in Asia/Pacific, Middle East, North America, South America).

In summary, I commented on alternatives which in essence could rewrite the question to "If we offer dual slots in ATM machines and standalone POS, will fraud be reduced and the answer to this is yes - undeniably."

"If we offer cardholders the ability to turn off and turn on their cards for out of country use and CNP use, will fraud be reduced and the answer to this is yes - undeniably."

You also said : "Skimmed European EMV Cards will mostly be rejected at EMV-enabled ATM's (mis-configured hosts may still permit the auth as technical fallback)."

????. Under your scenario, your pure EMV cards cannot be skimmed. So, fallback does not apply.  But they also cannot be used in countries that do not process the chip (Asia/Pacific, Middle East, North America, South America)

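The two controls debated in the comments above, cardholder on/off switches for out-of-country and CNP use and declining magnetic-stripe fallback for chip cards at chip-capable terminals, sketched as issuer-side authorisation logic. This is an added example, not part of the original post or of any commenter's system; the field names, entry-mode labels, decline reasons and sample transactions are hypothetical and constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class CardControls:
    """Cardholder-set switches (hypothetical names), e.g. changed via IVR, SMS or web."""
    home_region: str = "EU"
    abroad_enabled: bool = False   # out-of-region use switched on?
    cnp_enabled: bool = False      # card-not-present use switched on?


@dataclass
class AuthRequest:
    entry_mode: str                # "chip", "magstripe" or "cnp" (hypothetical labels)
    terminal_region: str
    terminal_chip_capable: bool
    service_code: str = "201"      # from track data; a leading 2 or 6 marks a chip card


def is_chip_card(service_code: str) -> bool:
    # First service-code digit 2 or 6 tells the terminal the card carries a chip.
    return service_code[:1] in ("2", "6")


def decide(req: AuthRequest, controls: CardControls) -> tuple[bool, str]:
    """Return (approved, reason) for one authorisation request."""
    # 1. Card-not-present use is refused unless the cardholder enabled it.
    if req.entry_mode == "cnp":
        if not controls.cnp_enabled:
            return False, "cnp_disabled"
        return True, "approved"
    # 2. Card-present use outside the home region needs the travel switch.
    if req.terminal_region != controls.home_region and not controls.abroad_enabled:
        return False, "abroad_disabled"
    # 3. A stripe read of a chip card at a chip-capable terminal is fallback;
    #    a host that approves it lets a skimmed clone through.
    if (req.entry_mode == "magstripe" and req.terminal_chip_capable
            and is_chip_card(req.service_code)):
        return False, "fallback_not_permitted"
    return True, "approved"


# Constructed sample transactions (not real data).
SAMPLES = [
    ("genuine chip at home ATM", AuthRequest("chip", "EU", True)),
    ("clone, stripe read at home chip ATM", AuthRequest("magstripe", "EU", True)),
    ("clone, stripe-only ATM abroad", AuthRequest("magstripe", "US", False)),
    ("stolen card details used online", AuthRequest("cnp", "US", False)),
]


def run(controls: CardControls) -> dict[str, str]:
    """Map each sample label to the decision reason under the given switches."""
    return {label: decide(req, controls)[1] for label, req in SAMPLES}


if __name__ == "__main__":
    for label, reason in run(CardControls()).items():
        print(f"{label:40s} {reason}")
```

With `abroad_enabled` switched on, the stripe-only ATM abroad case is approved, so the switch narrows exposure to the period the cardholder has it enabled rather than removing it.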
Robert Siciliano - IDTheftSecurity.com - Boston | 02 December, 2009, 14:22

Can I buy ATMs in Europe and have the same fun? Is there the same raw data? http://www.finextra.com/community/fullblog.aspx?id=3551

Stephen Wilson - Lockstep Group - Sydney | 02 December, 2009, 16:40

So there are two ways to go. We could go forward, and have chip payment cards and terminals rolled out universally, eventually taking out the mag stripe. 

Or we could go backwards.  We could remain so paralysed by customer convenience over security that we keep layering more and more complexity and stop-gap fixes on the good old magnetic stripe card.  Don't worry about all the complexity, so long as we still got the stripe!

Chips are taking over all types of cards; why resist the tidal flow?  It's ironic to me that the US gets a bad rap for its reluctance to go to EMV cards, yet the US market happens to enjoy the best smartcard-enabled laptops (like the Dell e-series, with contact and contactless card readers built-in) thanks to the growth in FIPS 201 PIV cards and a rich array of associated apps.

Lachlan Gunn - BenAlpin Ltd - Perth | 11 September, 2010, 17:52

The results of the EAST research poll carried out in January and February 2010 showed that 60% of the respondents were in favour of action being taken to address this risk as follows:

28% indicated that they would be happy to contact their bank to have the stripe on their card activated before travelling outside Europe;
12% indicated that they would be happy to carry a Chip only card, and to apply for a separate stripe card should they need to travel outside Europe;
20% agreed with both approaches.

The remaining 40% didn't agree with either approach.

This followed on from the EAST Poll conducted at the end of 2009 which indicated that 60% of respondents felt that European EMV cards should not hold sensitive cardholder data as standard in a magnetic stripe, although feedback was received highlighting practical issues with removing the stripe.
