The EMV Switch: Chip-and-PIN Cards and the Target Breach

In 2013, Target suffered a data breach after the retailer's point-of-sale systems were compromised, exposing sensitive data such as PINs from millions of payment cards. After the incident was disclosed to the public, card issuers stated that they would shift to an EMV, or Chip-and-PIN, system by October 2015 to address the weakness of the existing payment system.

US merchants were given an October 1 deadline to make the switch, while gas stations are scheduled to do the same in 2016. Merchants who can't migrate to the newer payment system before the deadline can still operate, but any merchant who still hasn't switched to EMV will now be liable for payment fraud caused by compromised POS terminals. As merchants switch and apply the new system, will we see fewer fraud cases? Before we answer that question, let us first examine the situation behind the biggest Black Friday of the decade.

Sometime between November and December 2013, cybercriminals were able to access customer information through Target's card readers in the U.S. and Canada in an operation that put nearly 40 million Target shoppers at risk of identity theft. Further investigation showed that PINs were also compromised, giving the cybercriminals extensive access to bank accounts via debit cards. The stolen information could be used to create counterfeit cards to withdraw cash from ATMs, and could also be sold on the underground market.


The perpetrators of the attack on Target took advantage of America's reliance on magnetic stripe cards—an outdated payment system that offered little protection against newer threats. At the time, less than one percent of U.S. payment cards used EMV technology whereas over 80 countries were already using it.

With the switch to EMV, users are better protected against credit card fraud and theft of private data. EMV cards are equipped with a chip that stores a cryptogram that allows banks to determine if the card or the transaction has been modified. The chip also stores a counter that is incremented with each transaction. Banks can check that there are no duplicate or skipped counter values, either of which can indicate fraudulent activity.
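
The bank-side checks described above, sketched as an added example (not code from the original article or from any payment network). HMAC-SHA256 stands in for the chip's real cryptogram algorithm, and the key, card ID, field names and sample transactions are all constructed for illustration.

```python
import hashlib
import hmac

# Constructed demo key; an assumption standing in for the secret shared by chip and bank.
CARD_KEYS = {"card-A": b"constructed-demo-key-A"}

def make_cryptogram(key, amount, nonce, counter):
    """Chip side: MAC over the transaction data and the chip's counter.
    HMAC-SHA256 is a stand-in, not the algorithm real EMV cards use."""
    msg = f"{amount}|{nonce}|{counter}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

class Issuer:
    def __init__(self, keys):
        self.keys = keys
        self.last_counter = {}  # card id -> highest counter accepted so far

    def authorize(self, txn):
        """Bank side: verify the cryptogram, then the transaction counter."""
        key = self.keys.get(txn["card"])
        if key is None:
            return "decline: unknown card"
        expected = make_cryptogram(key, txn["amount"], txn["nonce"], txn["counter"])
        if not hmac.compare_digest(expected, txn["cryptogram"]):
            return "decline: cryptogram mismatch (transaction modified)"
        last = self.last_counter.get(txn["card"], 0)
        if txn["counter"] <= last:
            return "decline: duplicate counter value"
        self.last_counter[txn["card"]] = txn["counter"]
        if txn["counter"] > last + 1:
            return "approve, flag for review: skipped counter values"
        return "approve"

def demo():
    """Run five constructed authorization requests through one issuer."""
    key = CARD_KEYS["card-A"]
    def txn(amount, nonce, counter):
        return {"card": "card-A", "amount": amount, "nonce": nonce, "counter": counter,
                "cryptogram": make_cryptogram(key, amount, nonce, counter)}
    issuer = Issuer(CARD_KEYS)
    first = txn(1999, "n1", 1)
    tampered = dict(txn(500, "n2", 2), amount=50000)  # amount altered in transit
    batch = [first, first, tampered, txn(500, "n3", 2), txn(700, "n4", 5)]
    return [issuer.authorize(t) for t in batch]

if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```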

This payment method stores the data on the chip rather than the magnetic stripe, making it virtually impossible to duplicate and create fake EMV cards. It also requires PIN entry with every transaction as an extra verification step. Apart from the card, the use of more secure EMV-compliant devices is another key component in making sure that shoppers are exposed to less risk.


Despite the new features that protect users from fraud, the EMV payment system still has its weaknesses, the biggest of which is its susceptibility to PoS RAM scraper attacks, since the decrypted data resides in RAM. Other incidents in which the EMV system failed pointed to human error, as when a bank in Canada incorrectly implemented its EMV transaction handling code; to devices that could intercept and modify communications between EMV credit cards and POS terminals; and to poor implementation of the system.

Ultimately, the EMV system should definitely decrease fraud cases. But if EMV cards had been used instead of regular payment cards during the Target breach back in 2013, the attackers would still have managed to run off with card information, since they used a PoS RAM scraper. The only difference is that EMV card users would have been exposed to credit card fraud.
