Saturday, November 5, 2016

Did the Smart Card Alliance screw up?

Searching all over the web, I am looking for evidence that the new EMV chips encrypt the data inside the card. Now one would think, wow, that is the first place to look: have they figured out that the transaction is encrypted in the card, not in the POS terminal?

Here is a clue. Whenever you hunt for the obvious and it is not there, then you know they screwed up, and are hiding their screw up. EMV needs to encrypt the credit card info, always; it never leaves the card without encryption, and the merchant doesn't need to see it. The merchant is sending the card info to the bank; the vendor does not need it, unless it is crypto coin. Under the current system the merchant needs 1) the item(s) you bought, and 2) authorization from the proper bank. Nowhere in the chain is there any reason to see the credit card data. Even crypto coins are never decrypted, but work just fine. The banks can do the same; they deliberately fouled this up. Merchants should refuse the card, customers should refuse it. It is not long before we get a wireless app that can read nearby transactions.

One would think the multi-billion dollar Fintech community would say, "Hey, if EMV cards are not sending encrypted data then you get more, not less, fraud. So, do not bother with EMV." If the cards are revealing unencrypted information, then they will be replaced, almost immediately. Wealthy people are not going to run around while thieves with wireless receivers pick up all their transactions.

First Data: Where encryption fits in the payments processing chain

As described above, end-to-end encryption starts at the moment of cardholder data capture and remains in place until the acquirer has the data. This system reduces the possibility that a thief can obtain usable data if he is sniffing any part of the network that carries sensitive data. If data is not encrypted at the point of capture, it is vulnerable as it is transmitted in plain text to the POS server or the merchant's central server. (This is what is believed to have happened in data breaches involving Hannaford Bros., TJX and the Dave & Buster's restaurant chain.)

In situations where a card is presented in person, encryption can take place within the POS terminal application, at the time or immediately after the magnetic-stripe reader (MSR) obtains the card data track. While numerous Level 1 merchants have already enabled this capability, most other merchants have not, largely due to the cost of installing a card reader with the encryption capabilities.

Encryption can safeguard data in a card-not-present (CNP) scenario as well as when a card is swiped. The data can be encrypted as soon as it is entered into the sales application and prior to being submitted for approval of the transaction. This can be further enhanced by leveraging third-party hosted payment pages, eliminating the need for the CNP merchant to touch the card data at all.

To secure data at rest, some merchants choose to encrypt the cardholder data they have in back-end databases. Although this data is no longer needed for the original purchase transaction process, it is sometimes used for auxiliary uses such as reporting and data analysis. While encryption certainly helps to protect the data, it does nothing to reduce the scope of the cardholder data environment that must be audited for PCI DSS compliance. Regardless of encryption status, it is still cardholder data and it must be reviewed for compliance with the industry regulation. Thus security is improved but at an increased cost and effort.
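To make the "encrypt at the point of capture" chain above concrete, here is an added example (my own sketch, not First Data's or any vendor's code) of a reader that seals the track data under an acquirer-provisioned AES-GCM key before the POS application ever sees it. Everything here is assumed for illustration: the Envelope layout, the demo key supplied by the caller, the constructed test PAN, and the choice to bind the amount in as associated data so a hop between terminal and acquirer cannot alter it unnoticed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// DemoTrack is a constructed sample "PAN=expiry" track, not a real card.
var DemoTrack = "4111111111111111=2512"
// Envelope is what the terminal forwards: the amount in clear, the track data
// only as AES-GCM ciphertext under a key provisioned by the acquirer.
type Envelope struct {
	AmountCents int
	Nonce       []byte
	Sealed      []byte // ciphertext || GCM tag
}

func newGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // key must be 16, 24 or 32 bytes
	}
	g, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return g
}

// CaptureAndEncrypt models the encrypting reader: sealed before the POS app sees it, amount as associated data.
func CaptureAndEncrypt(key []byte, track string, amountCents int) Envelope {
	g := newGCM(key)
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	ad := []byte(fmt.Sprint(amountCents))
	return Envelope{amountCents, nonce, g.Seal(nil, nonce, []byte(track), ad)}
}

// MerchantSeesPAN: does the PAN appear in what the POS server forwards?
func MerchantSeesPAN(env Envelope, pan string) bool {
	return bytes.Contains(env.Sealed, []byte(pan))
}

// AcquirerOpen, the only hop holding the key, rejects any altered amount or ciphertext.
func AcquirerOpen(key []byte, env Envelope) (string, error) {
	pt, err := newGCM(key).Open(nil, env.Nonce, env.Sealed, []byte(fmt.Sprint(env.AmountCents)))
	return string(pt), err
}
```

MerchantSeesPAN is the check a merchant can run against its own network capture: with encryption at capture it comes back false, which is exactly the property the plaintext-to-POS-server path in the breaches named above lacked.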

Crap everywhere I look.  Some bozo says, wow, great new technology for the customer. But they always leave a security gap.
