IT professor: New cards could stop big retail data breaches
Here’s a sobering fact: The U.S. is one of the last countries to still use the old swipe-and-sign credit cards. A possible shift toward the “chip and pin” system for credit cards was a hot topic during recent testimony on Capitol Hill by Target’s chief financial officer.
In STATEside’s latest edition of Office Hours, Doug Twitchell, an associate professor of information technology who teaches courses on cyber security, talks about the chip and pin system, and why it may hold the answers.
What is chip and pin?
Unlike our current cards, which are a piece of plastic with a little magnet strip on the back, chip and pin cards have an electronic device in them, a chip known as an EMV. The idea is when you go to the store, you put your card into a device—or wave it in front of a device—and your card certifies the transaction. It is a direct communication with the banks. Instead of signing, you prove you are you by using a pin number, like an ATM card. But the device never gets the pin. It is all on the card.
The numbers are not stored anywhere at the retailer—not the credit card number or the pin. So it is difficult to intercept them. It’s still not foolproof, but things cannot happen on the same scale that they did at Target. The card number is never exposed, and even if it was exposed, it cannot be authenticated. Countries that use chip and pin don’t see this kind of theft that we see here in the U.S.
Chip and pin has been used in Europe for nearly a decade. Why has it taken so long to be adopted in the U.S.?
Adopting the chip and pin system in the U.S. will require a massive investment. This is an expensive thing. We’re talking about replacing every point-of-sale (POS) device—the machine where you slide your card. They would have to be changed at every Target, every Walmart, every McDonald’s, and every gas station. That’s every single device in the country. And the card itself is expensive. The actual piece of plastic we use now is about 5 cents, but the card with the chip is about $1.50 a piece. That is also a huge investment for the banks.
Is that how the other thefts happened? Through the POS devices?
The numbers were stolen off the point-of-sale, or POS, devices, the small computers where customers slide their cards to pay for goods. The POS devices had been hacked and sent what is called malware—the general term for any piece of software you don’t want on your computer. So when people swipe their cards, the numbers are put into the POS memory. The malware would just read the entire device memory and take everything. It’s called a memory scrape, and it sent the memory to the thieves.
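To make concrete the two points above, that the chip proves itself freshly for each transaction and that a memory scrape only yields what sits in POS memory, here is an added Python example that is not part of the original article and not real EMV: it is a deliberately simplified stand-in (one HMAC key per card instead of EMV's derived session keys), with a constructed card key, card number and transaction values.

```python
import hashlib
import hmac
import os

# Constructed, simplified model of EMV-style dynamic authentication (not real EMV:
# real cards derive 3DES/AES session keys; one HMAC key per card stands in here).
CARD_KEY = b"constructed-demo-key-do-not-use-in-production"
PAN = "4111111111111111"          # constructed test card number
ISSUER_KEYS = {PAN: CARD_KEY}     # the issuer holds a copy; the POS never does

def terminal_challenge() -> bytes:
    """Unpredictable number chosen fresh by the terminal for each transaction."""
    return os.urandom(4)

def card_sign(key: bytes, pan: str, amount_cents: int, atc: int, un: bytes) -> bytes:
    """Cryptogram the chip returns to the POS. The key never leaves the card;
    only this 8-byte tag and the public fields are ever in terminal memory."""
    msg = f"{pan}|{amount_cents}|{atc}|".encode() + un
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]

def issuer_verify(pan, amount_cents, atc, un, cryptogram, seen_atcs: set) -> bool:
    """Issuer-side check: recompute the tag and reject reused transaction counters."""
    key = ISSUER_KEYS.get(pan)
    if key is None or atc in seen_atcs:
        return False
    expected = card_sign(key, pan, amount_cents, atc, un)
    if not hmac.compare_digest(expected, cryptogram):
        return False
    seen_atcs.add(atc)
    return True

def demo() -> dict:
    """One legitimate purchase, then what a memory-scraped POS record is worth."""
    seen, atc = set(), 1
    un = terminal_challenge()
    tag = card_sign(CARD_KEY, PAN, 1999, atc, un)
    out = {"legit": issuer_verify(PAN, 1999, atc, un, tag, seen)}
    # A scraper captured pan, atc, un and tag from POS memory. Verbatim replay: counter reused.
    out["replay_verbatim"] = issuer_verify(PAN, 1999, atc, un, tag, seen)
    # Replay into a new transaction: fresh challenge, so the old tag no longer matches.
    out["replay_new_txn"] = issuer_verify(PAN, 1999, atc + 1, terminal_challenge(), tag, seen)
    # Knowing the PAN but not the card key gives no way to produce a valid tag.
    forged = hmac.new(b"guessed-key", b"anything", hashlib.sha256).digest()[:8]
    out["forged_from_pan"] = issuer_verify(PAN, 500, atc + 1, terminal_challenge(), forged, seen)
    return out

if __name__ == "__main__":
    print(demo())  # {'legit': True, 'replay_verbatim': False, 'replay_new_txn': False, 'forged_from_pan': False}
```

Contrast this with a magnetic stripe, where the static track data in POS memory is everything needed to authorize another purchase.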
Could there be incentives offered to accelerate the switch to chip and pin?
It could be the banks that could force the issue, or the credit card companies, or the retailers, or even the Federal Reserve, but it would have to be on a national scale. Right now, it looks as though the payment card industry will issue new standards at the end of 2015, which will change who is liable for fraud based on the technology they use. Basically, if you don’t use chip and pin or something like it, you will be liable for the fraud.
Rachel Hatch can be reached at rkhatch@IllinoisState.edu.