Payments: A Primer on Card Payment Security and the Target Precedent
Howard Mason, 203.901.1635
See last page of this report for important disclosures.
May 6, 2014
- The retirement of CEO Gregg Steinhafel, apparently related to the Target data breach last November, is shocking. While the proximate cause of the breach was weak security in the POS systems, the ultimate cause is Visa’s desire to preserve the status quo and, in particular, its favorable position in signature-authenticated transactions, particularly debit.
- WMT is seeking damages on this basis, alleging in a March 24th complaint that: “Visa has long recognized that the magnetic stripe technology that its General Purpose Credit Card and Signature Debit Card networks utilize is inherently insecure and fraud-prone. Yet, Visa has shifted most of the costs of fraud losses to merchants in this country through the implementation of various compliance programs and liability rules.”
- The threat to Visa from PIN authentication is that it opens the door to competition from electronic funds transfer or EFT networks (particularly in debit, given the dual-routing requirements that exist for PIN-, but not signature-, authenticated transactions) and to direct routing from merchant processor to issuer bank based on bank identification numbers (BINs). This direct BIN routing is facilitated by PIN authentication since the lower fraud costs (1.1 cents per $100 of spend globally vs. over 6 cents for signature) reduce dependence on the network-level fraud risk management provided by V and MA.
- Indeed, in some countries, PIN authentication has supported the development of domestic payment networks, such as Interac in Canada and EFTPOS in Australia, where network fees are 2 cents/transaction or less vs. the 6 cents and 11 cents/transaction charged by V and MA for debit and credit respectively.
- As a result, the US system has not evolved to chip-and-PIN technology (compliant with global Europay-MasterCard-Visa or EMV standards) now deployed in other mature card markets, and this is reflected in disproportionately high fraud: the US accounts for 47% of global fraud costs but only 24% of global card volumes. Recognizing this was unsustainable, Visa in August 2011 announced plans to accelerate EMV adoption in the US but initially advocated for a chip-and-signature standard (which protects against counterfeit fraud but not fraud on lost/stolen cards) rather than the overseas chip-and-PIN standard (which can protect against both since a lost or stolen card requiring PIN authentication is not useful without the PIN). Furthermore, with the goal of exerting more control over mobile transactions, Visa linked merchant incentives for adoption of EMV standards to deployment of Visa’s standards for contactless technology. WMT likened this to a Trojan horse.
- In practice, there is such heightened scrutiny that Visa’s gaming of security initiatives in the US is not likely to succeed, and the Target implementation of EMV sets a precedent for other retailers. Target is implementing chip-and-PIN not chip-and-signature (although chip cards will carry a mag-stripe and allow signature-authentication so as to be usable at merchants that do not have chip readers); and is installing EMV-compliant readers for contact cards not contactless cards. As a founding member of MCX, Target is reserving the contactless (i.e. mobile channel) for the MCX standard.
The Target breach of 2013Q4 (the second largest in US history, with 40 million card accounts compromised, vs. a 2005 breach at TJX involving over 45mm cards) has focused attention on fraud risks in the US card payments system, and led lawmakers to urge faster adoption of chip-and-PIN in the US (with Representative David Scott asking if Congress should make it mandatory). This technology is already widespread in mature overseas markets including Western Europe, where “EMV-compliant” cards account for nearly 90% of cards and three-quarters of point-of-sale or POS terminals – see Exhibit 1. In passing, we note that EMV (an acronym for Europay-MasterCard-Visa) is the standard setting out the protocol by which card credentials are passed from a chip, whether on a card or in a phone, to a POS terminal; it encompasses both contact payments, where a card is slotted into a chip reader, and contactless payments, where a card or phone is waved over a reader in a “tap ‘n’ pay” payment and the information is conveyed by radio, typically using the near-field-communication or NFC standard.
Exhibit 1: EMV Adoption Rates by Region
The impact of not adopting EMV is apparent in US fraud losses. The US is one of the few mature markets where counterfeit fraud losses are increasing (so that total fraud losses of $5.33bn in 2012, including those from lost and stolen cards, were up 14.5% from 2011), and the US accounts for 47% of global card fraud losses but only 24% of card volumes. In part, this is because the US has the highest proportion of online sales (which are more fraud-prone because they are card-not-present or CNP transactions), but it is also because the relatively insecure card-present system has made the US a target for criminals. As David Robertson, publisher of the Nilson Report, puts it: “Adoption of EMV at point of sale is the strongest defense against counterfeit cards. EMV adoption would not only help US issuers but also issuers in other parts of the world that must continue to put mag-stripes on their cards to accommodate POS terminals in the US. Fraudsters are willingly paying a premium for stolen mag-stripe data from EMV card countries in order to create counterfeit cards for use in the US.”
The US has lagged the rest of the world in EMV adoption in part because the business case, based on fraud losses versus the costs of chip-and-PIN deployment, has not fully developed. Against 2012 card fraud losses of just over $5bn, chip-and-PIN deployment would cost issuers over $2bn (re-issuing ~1.5bn cards at a cost of over $1.50/card vs. 25 cents for a mag-stripe card) and merchants over $5bn (upgrading 10 million POS terminals at a cost of over $50/terminal). The business case is complicated by the chargeback rules of the card networks, which mean that issuers bear ~two-thirds of system fraud losses and merchants the balance. Specifically, issuers cannot charge back to the merchant amounts on fraudulent transactions when a counterfeit card is used at point-of-sale, but can charge back amounts on card-not-present or CNP transactions (such as those on the web, at a call-center, or through mail-order). Visa and MasterCard will strengthen the business case for merchant investment in EMV terminals through new “liability shift” rules that will take effect in October 2015, allowing issuers to charge back fraudulent transactions on EMV-compliant cards or phones to merchants that have not installed EMV-compliant terminals.
The Target Breach
In practice, the Target breach has already changed the merchant calculation by drawing attention to the potential cost of lost sales if consumers lose faith in payments integrity. Hence, for example, Target’s 2013Q4 earnings fell 46% year-on-year (by ~$440mm), with the CEO identifying the data breach as a cause; and, of course, Target has responded by announcing a conversion of all its card programs (including the proprietary RED card) to chip-and-PIN technology with MasterCard as an enabling partner (but not processor for the RED cards). It is important to recognize, however, that Target’s priority is to manage perception among its customers (and with regulators), and that it is limited in its ability to manage system-wide integrity.
Indeed, the measures announced by TGT would not have addressed the data breach except in the narrow case of Target-branded Visa cards. The Target breach involved the use (by a 17-year-old Russian, according to Intelcrawler) of malware, darkly referred to as BlackPOS, that invaded Target’s point-of-sale system (reportedly through 25 compromised cash registers) and stole data on 40 million card accounts. These data can then be sold to criminals who use them to produce counterfeit cards by, for example, writing the account credentials onto a hotel room-card with a magnetic stripe. A criminal will typically not go to this effort for a card, such as the RED card, which does not have the general-purpose characteristics of a Visa or MasterCard, so that, ironically, Target’s proprietary cards were relatively unaffected.
The criminal’s task is made more difficult with a chip card since the card authenticates each transaction dynamically (the chip computes a transaction-specific cryptogram with a key that never leaves the card, rather than presenting the same static data that is encoded on a mag-stripe) and because it is far more difficult to clone a chip than a mag-stripe. However, the conversion by Target of its cards to chip-and-PIN does nothing to protect shoppers who use typical bank-issued mag-stripe cards. For these cards, the root problem is that reusable card data is flowing through Target’s card processing system, making it a worthwhile target for hackers. TGT appears to have increased its vulnerability by providing insecure network access to a third-party heating-and-air-conditioning vendor and, according to a Senate report, to have “missed a number of opportunities along the kill chain to stop the attackers and prevent the massive data breach”.
The Bigger Security Picture
While the proximate cause of the Target data breach was weak security around the POS systems, the ultimate cause is Visa’s sponsorship of signature, rather than PIN, authentication. This, in turn, is driven by a business agenda to limit network competition and, in particular, preserve the duopoly with MasterCard in signature debit. Indeed, fraud losses arising from the Target breach were entirely related to signature-authentication since, while PINs were stolen, they were encrypted. Spokesperson Molly Snyder is on record: “We remain confident that PIN numbers are safe and secure. The PIN information was fully encrypted at the keypad, remained encrypted within our system, and remained encrypted when it was removed from our systems”.
The most cost-effective step that could be taken to improve card security in the US is to shift to PIN authentication. As Mallory Duncan, General Counsel for the National Retailer’s Federation, puts it: “Protecting all cards with a PIN instead of a signature is the single most important fraud protection step that could be taken quickly. It’s proven, it’s effective, and it’s relatively easily implementable. PIN debit cards are close to ubiquitous worldwide, and readily producible in the U.S. Chip is a desirable add-on. If speed of implementation is of importance, then substituting PIN for signature is preferable to implementing chip.”
Under regulatory pressure, Visa has chosen to focus instead on deploying chip cards meeting EMV standards, and has even promoted a chip-and-signature standard rather than the international standard of chip-and-PIN. In a February edition of the WSJ, CEO Charlie Scharf commented that defeating cybercriminals “means quickly replacing status quo payment technology in the US, which relies on magnetic stripes, with EMV technology, which uses an embedded microchip. Computer chips on payment cards stop thieves from creating counterfeit cards”. The failure to address the authentication method (PIN vs. signature) leads to a security viewpoint that is, at best, incomplete:
- Using a chip, rather than a mag-stripe, to carry card credentials can improve security since it allows the card to authenticate each transaction cryptographically on the chip and, in combination with network-level token services, supports tokenization (where card credentials are replaced by proxy data, or tokens, which are of limited value if stolen since they are bound to a particular context, e.g. one device or merchant, in-store but not online, and in some schemes to a single transaction). This makes it more difficult for criminals to steal card credentials from POS systems and use them to produce counterfeit cards. However, chip cards do not protect against fraud from lost or stolen cards (accounting for ~25% of losses vs. 40% for card counterfeiting) if they can be authenticated by signature.
- Furthermore, even chip cards will initially also include a mag-stripe (for compatibility at merchants who have not installed chip readers) and, without PIN protection, these cards will remain just as vulnerable at these merchants as if they carried no chip at all. This vulnerability will spur merchant adoption of chip readers (since, under Visa “liability shift” rules going into effect in October 2015, merchants will bear fraud losses arising from chip-enabled cards if they have not installed chip readers), but system security depends on ultimately retiring mag-stripes. In the meantime, PIN authentication would improve the security of cards carrying a mag-stripe (whether or not also chip-enabled) if the PIN were encrypted at the POS, as was the case at TGT.
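The two bullets above (and the earlier description of the BlackPOS theft) turn on one mechanism: skimmed mag-stripe data is reusable because it is static, whereas a chip signs each transaction with a key that never leaves the card. The following toy model, added here as an illustration and not code from the report or from any card network, plays out the scenarios in software. It assumes HMAC-SHA256 as a stand-in for the EMV application cryptogram (really a DES/AES MAC under a session key derived from the Application Transaction Counter), an in-process "issuer" object rather than a host over the network, and constructed sample track data, PANs and amounts.

```python
"""Why skimmed mag-stripe data clones a card but skimmed chip data does not.

Added illustration only. Assumptions: HMAC-SHA256 stands in for the EMV
application cryptogram; the issuer is an in-process object; the track data,
PAN, nonces and amounts are constructed sample values.
"""
import hashlib
import hmac
import os


# --- Magnetic stripe: the credential IS the static track data ----------------
class StripeIssuer:
    """Authorizes any request whose track data matches what is on file."""

    def __init__(self, track2: str) -> None:
        self.track2 = track2

    def authorize(self, track2: str, amount: int) -> bool:
        # Nothing in the message is transaction-specific, so a replay of skimmed
        # bytes (e.g. written onto a hotel key card) is indistinguishable.
        return track2 == self.track2


# --- Chip: the secret never leaves the card; each request carries a MAC ------
def _mac(key: bytes, pan: str, atc: int, amount: int, un: bytes) -> bytes:
    """8-byte ARQC-like value over the transaction-specific fields."""
    msg = f"{pan}|{atc}|{amount}|".encode() + un
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


class ChipCard:
    def __init__(self, pan: str, key: bytes, track2: str) -> None:
        self.pan = pan
        self._key = key        # provisioned at personalisation, never exported
        self.track2 = track2   # mag-stripe kept for fallback at non-chip terminals
        self.atc = 0           # Application Transaction Counter

    def generate_cryptogram(self, amount: int, unpredictable_number: bytes) -> dict:
        self.atc += 1
        return {"pan": self.pan, "atc": self.atc, "amount": amount,
                "un": unpredictable_number,
                "arqc": _mac(self._key, self.pan, self.atc, amount, unpredictable_number)}


class ChipIssuer:
    """Holds each card's key and the highest ATC seen, so a cryptogram is accepted at most once."""

    def __init__(self) -> None:
        self._keys = {}
        self._last_atc = {}

    def issue(self, pan: str, track2: str) -> ChipCard:
        key = os.urandom(16)
        self._keys[pan] = key
        self._last_atc[pan] = 0
        return ChipCard(pan, key, track2)

    def authorize(self, req: dict, terminal_un: bytes) -> bool:
        key = self._keys.get(req["pan"])
        if key is None:
            return False
        if req["un"] != terminal_un:                    # bound to this terminal's nonce
            return False
        if req["atc"] <= self._last_atc[req["pan"]]:    # counter must advance: no replay
            return False
        expected = _mac(key, req["pan"], req["atc"], req["amount"], terminal_un)
        if not hmac.compare_digest(expected, req["arqc"]):
            return False
        self._last_atc[req["pan"]] = req["atc"]
        return True


def run_scenarios() -> dict:
    """A skimmer captures everything the POS sees; the attacker replays it elsewhere."""
    out = {}
    track2 = "4111111111111111=2512101123400000"   # constructed sample track 2 data

    # 1. Plain mag-stripe card skimmed at a POS, cloned, used at another store.
    out["stripe_clone_accepted"] = StripeIssuer(track2).authorize(track2, 4999)

    # 2. Chip card: attacker captures a complete authorization request.
    issuer = ChipIssuer()
    card = issuer.issue("4111111111111111", track2)
    un1 = os.urandom(4)
    req = card.generate_cryptogram(1500, un1)
    out["chip_genuine_accepted"] = issuer.authorize(req, un1)
    # Replay at a second terminal (fresh unpredictable number): rejected.
    out["chip_replay_new_terminal_accepted"] = issuer.authorize(req, os.urandom(4))
    # Replay with the same nonce (attacker-controlled POS): ATC already consumed.
    out["chip_replay_same_un_accepted"] = issuer.authorize(req, un1)
    # Forge a fresh cryptogram without the card key: MAC mismatch.
    un2 = os.urandom(4)
    forged = dict(req, atc=req["atc"] + 1, amount=9999, un=un2,
                  arqc=_mac(os.urandom(16), req["pan"], req["atc"] + 1, 9999, un2))
    out["chip_forgery_accepted"] = issuer.authorize(forged, un2)

    # 3. The same chip card swiped at a terminal with no chip reader: its fallback
    #    stripe is static data again, so the clone works exactly as in case 1.
    out["chip_card_stripe_fallback_clone_accepted"] = StripeIssuer(card.track2).authorize(card.track2, 4999)
    return out


if __name__ == "__main__":
    for name, accepted in run_scenarios().items():
        print(f"{name:45s} {'AUTHORIZED' if accepted else 'declined'}")
```

Scenario 3 is the point of the second bullet: as long as the card carries a stripe and merchants accept swipes, the chip adds nothing at those merchants, and only retiring the stripe (or issuer-side declines of swipe fallback on chip-enabled cards) closes the gap. Note also that nothing here checks the cardholder; a lost chip card would still authorize in scenario 2, which is why the PIN question is separate from the chip question.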
Visa acknowledges that signature authentication is insecure, but attributes its inertia to merchant reluctance to install PIN pads. Given that PIN pads are relatively inexpensive, this could quickly be resolved by implementing liability-shift rules for PIN (so that merchants would bear fraud losses on PIN cards if they chose not to install PIN pads and encrypt PINs). The reality is that PIN authentication, regardless of its security benefits, does not advance Visa’s business interests because it opens the door to more intense competition from electronic funds transfer or EFT networks (particularly given the dual-routing requirement on PIN, but not signature, debit) and to direct routing (between merchant processor and issuing bank) based on bank identification numbers. This direct “BIN” routing is facilitated by PIN authentication (where global fraud losses run at 1.1 cents per $100 of spend versus ~6 cents for signature authentication) since the lower fraud content reduces dependence on the network-level fraud risk management provided by Visa.
Even Visa’s ostensibly security-driven sponsorship of chip vs. mag-stripe cards is complicated by its business agenda. Under regulatory pressure to share in the costs, Visa offers merchants who install chip technology an incentive in the form of reduced costs for auditing compliance with Payment Card Industry (PCI) standards; however, this incentive is available only if merchants install technology for both contact cards (which are dipped into a chip reader) and contactless cards (communicating with the POS terminal via NFC radio). This so-called “device duality” does not offer a security advantage over contact-only chip readers but does advance Visa’s business agenda to promote its payWave standard for mobile payments and so retain more control over mobile transactions. A WMT payments director is explicit: “device duality gives them [Visa and MasterCard] one more tool they need to direct the transaction. I see it as a Trojan horse”.