Clients field us questions on encryption constantly: What type to use, the differences between encryption-at-rest versus in transit, what qualifies as “strong” encryption under current best practices, key management, which encryption methods meet “government” standards so as provide “reasonable security,” recommendations for encrypted email vendors… the list goes on.
However, a recent story focusing on EMV cards, which we’re presently working with and on, highlights how important comprehensive encryption is and the need to holistically plan and then implement encryption (along with simple but robust key management procedures). And also demonstrates how even the most well-intentioned systems contain weak points for potential attack.
For example:
• Point of Sale terminals and devices that accept both EMV and magnetic stripe cards are potentially more susceptible to fraud because these devices accept magnetic stripe transactions for EMV cards as a fall-back last resort to enable a transaction to succeed. In these scenarios, EMV cards lose their protective edge, as a counterfeit card of an EMV card with just a magnetic stripe can be used, even if the original card included an EMV chip present.
• Furthermore, Point of Sale machines that have been infected with RAM scraping Trojans can still be used to steal and effectively commit fraud at many online merchants with this stolen credit card information. Although Target made a big showing post its massive breach of moving to EMV cards, under the data flows it had in place at the time of the breach EMV cards would have not prevented the data theft, as the card data was not encrypted throughout it’s internal flow at Target. Already card not present fraud (“CNP” in industry parlance) is spiking for EMV cards outside of Europe and pre the US widescale rollout. Additionally, online transactions remain a major weakness for EMV cards until easy to use one-time tokenization and passcodes, or accepted mobile EMV readers for consumers come to the fore.
However, there is a silver lining to this story:
• One way of preventing fraud is by purchasing and use point of sale devices that utilize Point to Point Encryption (P2PE) techniques, where the PoS device encrypts the data as its read and before it leaves the device.
If you are concerned with the issues covered in this article or believe your business can benefit from stronger encryption techniques, please contact us at info@SmartedgeLawGroup.com or (203) 307-2665
