Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
The Almighty Buck Security

Target Moves To Chip and Pin Cards To Boost Security 210

jfruh (300774) writes "U.S. retailers must accept chip-and-pin charge cards by the end of 2015 or become liable for fraudulent purchases made with chip cards. Target, still smarting from its recent embarrassing security breach, is moving to get ahead of that trend. The company will be installing chip-and-pin terminals in all its stores, and will also be issuing chip-and-pin versions of its own branded cards, which account for about 20 percent of Target sales. Will this move by a huge retailer push the U.S. into parity with the rest of the world?"
This discussion has been archived. No new comments can be posted.

Target Moves To Chip and Pin Cards To Boost Security

Comments Filter:
  • A bit off topic, but how will this changeover affect companies like square that depend on swipe and sign for most transactions?

    Other than that, it's about fucking time!

    Sick of finding out every other month that some retailer that I frequent has been hacked.

    I'm tired of constantly changing my credit info to avoid being ripped off...

    • by jolyonr ( 560227 )

      Square will have to do what PayPal Here does in territories with Chip and Pin, and that's replace their device with one that has a chip reader.

      Of course, the PayPal Here reader with Chip and Pin is almost ten times the cost of the US PayPal Here swipe reader.

      • Re: Chip and PIN (Score:4, Informative)

        by Em Adespoton ( 792954 ) <slashdotonly.1.adespoton@spamgourmet.com> on Wednesday April 30, 2014 @12:16PM (#46881109) Homepage Journal

        Square will have to do what PayPal Here does in territories with Chip and Pin, and that's replace their device with one that has a chip reader.

        Of course, the PayPal Here reader with Chip and Pin is almost ten times the cost of the US PayPal Here swipe reader.

        Well, it really depends. Without chip and pin, the vendor assumes all responsibility for chargebacks. It will be a decision for each square user as to whether it is more profitable to assume liability or pay for the more expensive reader. upgrade.

      • Don't you just need a simple ISO7816 card reader? I remember paying $10 for those 8 years ago back in my directv hacking days. The communication method is simple serial/RS232, of which there is a Bluetooth standard for (and it works rather well with Android phones too, I've used it for OBD2 serial communication to avoid needing a wire connected under the dash.)

        PayPal Here could likewise do ISO7816 via a bluetooth dongle and ask for the pin on the device itself. I don't imagine the whole thing would cost the

        • That's clearly part of it, but there is a lot of backoffice related stuff that needs to be present for it all to work as there is encrypted information that needs to get passed back and forth from the card to the issuer.

          But a small merchant might not have that much to do in that I am guessing that their own bank would handle all of that.

        • by maevius ( 518697 )

          Not really. Chip might be kinda easy to read using commodity hardware, but pin entry must be done through a PCI certified device (as in, lots of money for certification, passed on to you, the consumer)

          https://www.pcisecuritystandar... [pcisecuritystandards.org]

        • I still have a Target-branded chip-and-pin card and USB reader from 10+ years ago from an early pilot they did with a well-financed crypto startup. I would imagine some of their executives are kicking themselves now for having shut the project down then.

          It's nice to see the US finally catching up with what Europe has been doing for a very long time.

    • Comment removed based on user account deletion
    • On the user side, all cards are not only backwards compatible with not only magnetic stripe but mechanical impression on carbon paper.

      On the processor side, presumably Square will have a new unit next year that can read the chip unless they want to absorb the costs of chargebacks themselves.

    • I think your bank is probably more tired of it than you are as by law they are required to eat most of the liability. The good banks give you zero liability (as in, you aren't ever responsible for losses.)

      I'm curious how this will work for internet transactions though, unless they expect everybody to have smartcard readers (wouldn't bother me, but buying things via smartphone or tablet will need some revamping.)

      • I'm curious how this will work for internet transactions though, unless they expect everybody to have smartcard readers

        My guess: more businesses will be pushed towards PayPal, which will not use the extra verification, the PayPal fees amounting to a "security surcharge" / insurance policy for the extra risk of such unverifiable transactions.

        • I'm curious how this will work for internet transactions though, unless they expect everybody to have smartcard readers

          My guess: more businesses will be pushed towards PayPal, which will not use the extra verification, the PayPal fees amounting to a "security surcharge" / insurance policy for the extra risk of such unverifiable transactions.

          Remember that under US law, when you pay via credit card, you have rather strong protections that largely take your side when you dispute whether a merchant delivered what you ordered. No such provisions exist when you pay using PayPal. This is especially valuable in the era of internet ordering, rather than brick-and-mortar purchases.

        • by tlhIngan ( 30335 )

          My guess: more businesses will be pushed towards PayPal, which will not use the extra verification, the PayPal fees amounting to a "security surcharge" / insurance policy for the extra risk of such unverifiable transactions.

          That exists right now - it's called a "Card Not Present" transaction and the transaction fees ARE higher as a result. I believe Square charges like 3.5% instead of 2.5% for those kind of transactions. because of the increased risk.

          Paypal fees mirror the credit card processing fees, so Pa

      • by matfud ( 464184 )

        The company accepting payment bumps the user off to an outside service such as "Verified by Visa" or mastercards equiv and let them handle the problem. These are run by the payment processors and as a card user you generally have to sign up to them seperately. They tend to use seperate information that is not on your card.

        Then visa takes responsibility for fraud.

      • Yes, you'd have to have the card reader if everyone implements a challenge/response type system like in Europe. I have one at work and keep one at home. When I travel I throw one in the bag just in case. You get used to it.

    • by lgw ( 121541 )

      Other than that, it's about fucking time!

      Sick of finding out every other month that some retailer that I frequent has been hacked.

      That won't change in the long run. In the short run maybe some benefit, while the crooks come up to speed, but chip and PIN is also hackable. It's not as easy, to be sure, but technology marches on and both PIN harvesting and stolen card use are both happening in Europe today (though not with the frequency of the US problems yet).

      One place we might gain advantage form our late start is that no one will have the older-tech cards where PIN-extraction from stolen cards is possible (and done) due to flaws.

      • Do you have any links to chip & pin flaws? The one I saw I thought allowed you to enter any PIN and have it return as valid, so the transaction would be charged. You had to have a programmable card hooked up to a laptop and a valid card, I think. Doable with a jacket and backpack, but not quite clone & go. Curious what else is out there.

  • by Lumpio- ( 986581 ) on Wednesday April 30, 2014 @11:48AM (#46880695)
    Meanwhile in Finland, everything and everybody has a wireless payment terminal. I once even saw a street musician with one for tips...
    • I can confirm this.
    • Re: (Score:3, Interesting)

      by welshie ( 796807 )
      Today I saw an American in London trying to buy their lunch with their credit card. The cashier didn't know how to process swipe-and-sign cards, since they are exceedingly rare, they had to go and find a pen.
      • by Skater ( 41976 )
        I'm going to Vienna, Austria (from the US) in a few weeks for work. My work-supplied credit card doesn't have the chip, so I asked about getting one with it. The area that handles the cards in my office said, "You're the first to ask about them," and called the credit card issuer. The CC company came back and said, "No, we don't issue them." Oddly enough, I have a personal CC in my wallet with the chip, issued by that same company. That card will be going with me to Europe.
        • It still has to be swiped in Europe.

          You need a Chip and PIN card. Wells Fargo issues them now. And Chase does for some cards too. You really should be getting one of those before you go.

          If you don't have the PIN for your card, you don't have a Chip and PIN card and you'll be in a slightly worse boat in Europe than a card that doesn't have a chip because you'll usually have to tell them "ignore that chip, you have to swipe that" every time you use the card.

        • by jfengel ( 409917 )

          Good choice. I was in Europe recently, and there are a fair number of places that can't handle the chipless cards. (Including, irritatingly, French toll booths, which are fairly frequent and of course far away from any place you could get cash.)

      • I was in London in Feb, but I have a chip card from BofA. Technically not chip-and-pin, it is chip-and-signature. But I didn't have any problem whatsoever when I was there. Everyone knew what to do with it, and it worked without a hitch.

      • Today I saw an American in London trying to buy their lunch with their credit card. The cashier didn't know how to process swipe-and-sign cards, since they are exceedingly rare, they had to go and find a pen.

        Very much this. I'm a Brit that has lived in the US for 17 years. When I go back home, the cashiers hear my accent, think I'm local and then give me weird looks when they have no clue how to process my credit cards (even though, technically, they should be able to). It's got to the stage now where I just use cash over there.

    • Meanwhile in Finland, everything and everybody has a wireless payment terminal. I once even saw a street musician with one for tips...

      Not so fast.

      Chip-and-pin is not a panacea. Every major chip-and-pin system in the world has known security flaws that haven't been fixed in years.

      I would far rather have them fix the security flaws that already exist BEFORE adopting a new system with just more security flaws. It's an unnecessary expense and rather self-defeating.

  • by Karmashock ( 2415832 ) on Wednesday April 30, 2014 @11:48AM (#46880705)

    They might as well announce they're getting Yettie insurance. They had their payment system compromised by people that got access to their point of sale system at one of their stores and then used that to gain access to their central system.

    That has nothing to do with chip and pin.

    And ultimately, how would you do chip and pin for online retail? You know, people that literally have to type their credit card number into a field? So indifferent to chip and pin, that is going to keep working. And I suspect that indifferent to chip and pin, somewhere in the target billing system there will be a list of credit card numbers, expiration dates, and security codes. A hacker gaining access to that database isn't going to care if the cards were chip and pin or not. Because by that point the data is prepared for processing. The only way chip and pin would be effective is if the security code were different for each transaction. That seems extremely unlikely but if you could some how pull that off then snagging the numbers might not get the thieves anything. Of course, how you'd get that to work with online retail is anyone's guess.

    TLDR... I don't think chip and pin is going to accomplish anything and in so far as I understand the issue it wouldn't have stopped the breach at target in the first place. So i don't know why they're talking about it like its a solution to anything.

    • Comment removed based on user account deletion
      • he would not be able to use it without an extra password.

        Which was written on a piece of paper in your wallet with your credit cards.

      • perhaps it's because i've never had anything go wrong in terms of online shopping, but that program is such a pain in the ass.

      • And ultimately, how would you do chip and pin for online retail? You know, people that literally have to type their credit card number into a field?

        Lots of online retailers now put credit card transactions through the Verified with Visa program, which takes you to e.g. your bank's online banking login page where you have to enter further credentials to complete the order. So, even if a thief has your credit card number and the extra security number on the back, he would not be able to use it without an extra password.

        And when my order comes up to the Verified with Visa page, I cancel it. VwV is a pain.

        The security number by design not embossed on the card, nor, as far as I know, encoded in the stripe, because for physical card-reading applications the cashier has to confirm your identity by other means such as signature and driver's license.

        Online transactions use the security ID, but if someone has latched onto that, then they're already running amok in someone's network or have physically stolen the card (in which cas

        • by cdrudge ( 68377 )

          The security number by design not embossed on the card, nor, as far as I know, encoded in the stripe, because for physical card-reading applications the cashier has to confirm your identity by other means such as signature and driver's license.

          In VISA's case, their recommendation is to compare the signature with the one on the back of the card. However they explicitly state (page 34) [visa.com] that merchants can't decline processing a VISA transaction if the customer refuses to show an ID for a signed card. I believ

        • I agree the Visa and MC programs are a pain. They come up so infrequently that I never remember what the password is. Plus with varying rules as to what constitutes an acceptable password, I can't even count on it using a password I'm familiar with.

          If implemented like in Europe,though, you only have to remember the PIN. Which you use everywhere, so that's not an issue. There's a challenge-response part of the online purchase that generates a code to confirm you have possession of the card and know the PIN t

      • Lots of online retailers now put credit card transactions through the Verified with Visa program, which takes you to e.g. your bank's online banking login page

        I have yet to see any online retailer do that to me, and if they did I'd assume it was some kind of MITM/phishing attack. I'd also be surprised if the retailer/phisher could correctly guess which of the several hundred "banks" (actually a CU) in the US I use.

    • Pffft, you think that matters? Target had a high-publicity credit card hack theft thingy, Target installing "better" card thingys with "chips" in them, seems gadgety and high tech. Target gets its "we're improving our credit card security" headline. American people go "wooooo, high tech thingy! Problem solved!"
    • And cloned cards were a major vector of fraud in the Target attack.

    • The proof is in the pudding as they say. There must be something to it, since the fraud rate for EMV card holders is far below signature-only card holders. No one is claiming that EMV is foolproof. It WOULD have stopped the Target breach since the POS system never handles the PIN, it only records the terminal's response that the PIN was valid.
    • by Solandri ( 704621 ) on Wednesday April 30, 2014 @01:55PM (#46882577)

      They might as well announce they're getting Yettie insurance. They had their payment system compromised by people that got access to their point of sale system at one of their stores and then used that to gain access to their central system.

      That has nothing to do with chip and pin.

      It has everything to do with chip and PIN. It would've prevented the security breach entirely because with chip and PIN, getting the card number by itself is useless. You need the smart chip on the card and the PIN to activate it before you can do anything with the card number. Since you can't use the numbers without the chip and PIN, there is no incentive for thieves to steal the card numbers - they are just numbers, not a magical way to access someone else's money.

      And ultimately, how would you do chip and pin for online retail? You know, people that literally have to type their credit card number into a field?

      You buy a card reader [newegg.com] for your home computer.

      TLDR... I don't think chip and pin is going to accomplish anything and in so far as I understand the issue it wouldn't have stopped the breach at target in the first place. So i don't know why they're talking about it like its a solution to anything.

      I don't get why people keep trying to blame Target's security for this problem. The problem all along has been that you can buy stuff using nothing more than a plaintext sixteen-digit number that "belongs" to someone else. I'm not saying Target isn't at fault for failing to secure their network. But giving your credit card to a waiter at a restaurant makes your card just as vulnerable as Target's network was during their security breach. The current system is like telling your bank to authorize payment if someone gives them "your secret password." Then you proceed to give that very password out to every merchant you visit, so they can tell the bank and collect payment. Well if you're giving your password in plaintext to every merchant out there, it's not very secret is it? And anyone who steals the plaintext or overhears it or copies it can make charges to your account (whether it be a thief who stole them from the merchant, or an employee at the merchant, or the guy standing behind you in line who snapped a picture of your card with Google Glass).

      The way I understand how chip and PIN works, you insert the card into the reader which powers up the chip. The merchant transmits the transaction info to the chip. You enter your PIN which gets transmitted to the chip. The chip then uses the private key embedded in it to encrypt those pieces of data. That encrypted data and the card number is sent to the credit card processor, who holds the card's corresponding public key. They look up the card number, find its public key, and decrypt the data. The card number is no longer the gateway to your money, it's just a reference number for looking up the public key. It's the public/private key pair safeguarding your money and authenticating the transaction, and using the private key requires physical access to the card's chip and the corresponding PIN.

    • by NetNed ( 955141 )
      It's just a blame shift and the issuers are not going to stop till they can make US consumers responsible to prove fraud while still on the hook for whatever charges were made. Same as in Europe where the system has been corrupted already but the banks are silent on it and where the consumer has to prove the charges are fraudulent


      Like this: [krebsonsecurity.com]
      or this: [theregister.co.uk]

      And many more on the internet that I am more then surprised the slashdot community didn't point out. Much different community then ten years ago on here
    • by tlhIngan ( 30335 )

      That has nothing to do with chip and pin.

      And ultimately, how would you do chip and pin for online retail? You know, people that literally have to type their credit card number into a field? So indifferent to chip and pin, that is going to keep working. And I suspect that indifferent to chip and pin, somewhere in the target billing system there will be a list of credit card numbers, expiration dates, and security codes. A hacker gaining access to that database isn't going to care if the cards were chip and p

    • Online sales use a challenge-response system to ensure you have the card and know the PIN. You don't enter the PIN into any website, though, just the little card reader. The challenge-response system is run by the bank, I think. You're redirected there as a part of the sale to verify. Kind of like the Verified by Visa thing, but instead of just entering a password, you do the whole challenge-response thing with your card and reader.

      This is how it's done in Europe, at least.

      In POS systems, the PIN never leav

  • by PvtVoid ( 1252388 ) on Wednesday April 30, 2014 @11:50AM (#46880735)
    The U.S. is finally catching up with Bulgaria on this one.
  • Walmart started doing this about a month ago in my area. Unfortunately for me the chip doesn't
    work on my card so every time I go to walmart they have to manually key in my credit card number.

  • Nope (Score:5, Insightful)

    by Mike Ice ( 3637719 ) on Wednesday April 30, 2014 @12:06PM (#46881005)
    We will not gain parity simply because Target said "make it so". Sadly the cheap and easy CC system the US uses is the easy thing to stay with. Expect an extension of the current system just before it expires in 2015. Nobody want to spend money to be more secure - "that won't happen to us" mentality rules here in the States...
  • Was recently in Italy and had to beg a kindly local woman to buy me a train ticket with her card as the ticket machine would not accept either cash (in the wrong denominations) or my magnetic stripe card. They're probably used to us visiting 3rd-worlders.
  • by TechyImmigrant ( 175943 ) on Wednesday April 30, 2014 @12:17PM (#46881129) Homepage Journal

    My wife has a retail store and a credit card reader.

    If I wandered into the bank and asked how I get a C&P terminal for the store, they would stare at me blankly. It simply isn't available. The terminals exist, but the bank isn't going to talk to it until they're good an ready to, which at the current rate of progress is 'never'.

    Target has more leverage, but small retailers have to take what the bank makes available.

    For this and other reasons, we will probably switch banks, but people should be under the impression that retailers in the Us can 'just switch'. They can't. The bank decides which terminals it will work with. This is bizarre given that the terminals are completely generic.

    • by maevius ( 518697 )

      Completely generic? Ummmm no. They are C programmable embedded devices which are usually developed according to the acquiring bank's specifications.

      • The wire protocols are standardized by PCI.

        • by maevius ( 518697 )

          Ummmmm no.
          The wire protocols are de-facto standarized up to a point (ISO-8583 or vendor specific protocols) and the rest are application specific. Interestingly, wire protocols are one of the things that PCI has never touched.

          • I was under the impression PCI referenced 8583 and the transport wrapper. Maybe not. I'm not searching PCI specs for fun.

      • I read that, not as in all devices are the same (since a chip and pin device has a completely different reader) but that there's no reason someone willing to buy a different reader shouldn't be able to use one

    • by PRMan ( 959735 )
      You can't even get a card for travelling to Europe in the US with a chip and pin. Looking into it recently, most people were saying you could get one from the UN credit union.
    • My wife has a retail store and a credit card reader.

      If I wandered into the bank and asked how I get a C&P terminal for the store, they would stare at me blankly. It simply isn't available. The terminals exist, but the bank isn't going to talk to it until they're good an ready to, which at the current rate of progress is 'never'.

      Target has more leverage, but small retailers have to take what the bank makes available.

      For this and other reasons, we will probably switch banks, but people should be under the impression that retailers in the Us can 'just switch'. They can't. The bank decides which terminals it will work with. This is bizarre given that the terminals are completely generic.

      Then you're dealing with the wrong vendor. I can tell you right now that I sometimes work on proof of concept applications for one of the largest POS terminal makers in the US and all of their hardware comes with chip and pin support. Even the lowest end equipment. It's available in the US. In fact, the last time I went into the T-Mobile store, all of the terminals inside the store supported chip and pin.

      • But not the shitty Hypercom terminals you find in a large fraction of independent retailers.

        • But not the shitty Hypercom terminals you find in a large fraction of independent retailers.

          I am not involved in the sales end of their setup, but I do know that it works with European chip and pin cards. Some of the proof of concepts I put together are to market the terminals to banks. The low end readers are like $200. The units I play with are dev units, and do not communicate with a processing service. It's side work for me, so I don't know a lot of the details of how their product works once you tie it in to the processing. They sell the exact same units to the rest of the world, though.

          • >Are these Hypercom terminals even less than $200?

            Some are. On Amazon I've seen $70 terminals. Our model is $269 because adding an ethernet interface adds $200 to the price. Odd that since I just brought a 16 port switch to $70.

            But to get one that works with the bank I have to get it from the bank and they charge their own price. Presumably they throw some secret numbers in there that any decent hacker could extract.

  • Will this move by a huge retailer push the U.S. into parity with the rest of the world?"

    Target is huge? I'm not so sure about that. But it will be fait accompli when Walmart changes.

  • How about taking bitcoin online? Make a deal with BitPay or Coinbase.

    No information to steal except for shipping information. And the public fact that it was paid with bitcoin.

  • by weave ( 48069 ) on Wednesday April 30, 2014 @12:48PM (#46881671) Journal

    Most US cards being issued with a chip are Chip and Signature, not Chip and PIN -- because banks have trained Americans to think PIN means debit so banks fear applying a PIN to a credit card would confuse people.

    I have one of these Chip and Signature cards and on my last trip to UK it was a real PITA, especially at self-checkouts. Like at ASDA there was a signature signing pad but I had to wait for a clerk to come over to give me the pen and then she checked my signature real closely. Same thing at the duty free at the airport. The self-checking stopped and alerted the clerk to come over to check my signature. Then at other stores the clerk couldn't find a pen, or was surprised when paper spit out and had to ask a manager what was going on.

    (I had one clerk hand me the slip to sign, checked my signature, then put the signed slip into the bag with the receipt! If I was an "arse" I probably could have disputed the charge and gotten away with it because they couldn't produce a signed slip)

    At the ASDA (far away from where tourists usually go) the clerk remarked it's been years since she saw someone have to sign for a charge. I apologized, said I was an American, and that our banks think we are too stupid to remember a PIN. She got a good chuckle out of that...

    • True about most US cards being C&S, not C&P. Or being both, but with C&S as higher priority and not supporting offline PIN (which is where the real trouble comes). From what I'm hearing, Visa is the one that's really pushing C&S in the US; MasterCard is pushing C&P. And since the new EMV Target cards will be MasterCards, there's reason to hope that they'll be C&P.

      For the record, Walmart has also apparently been advocating C&P. They're also ahead of Target in rolling out EMV suppo

    • by erice ( 13380 )

      Most US cards being issued with a chip are Chip and Signature, not Chip and PIN -- because banks have trained Americans to think PIN means debit so banks fear applying a PIN to a credit card would confuse people.

      Confuse or alarm? Perhaps it has changed but it used be that if you purchased using a credit card and used the PIN, the transaction went through as a cash advance with all the associated and onerous fees.

  • That is great and all, but are there any banks in the US supporting chip and PIN cards for Visa/MasterCard currently? I'd love to get one even if I only use it at Target just to help push things along, but I don't know of any cards that are supporting it now (and I really don't need a Target card).

  • The terminals that had the problem were their new (few months old) chip and PIN-capable EMV terminals.

    Chip and PIN doesn't fix the breach Target had. Only Chip and PIN with tokenization does.

    I already have one Chip and PIN card from my bank (US bank) and I'm trying to get my other one switched too. But it doesn't fix this problem.

    Target, if you replace your terminals again, please get ones that do Chip and PIN and also NFC and PIN please?

  • I'm still waiting for the metric system to catch on =)

  • http://www.digitaltransactions... [digitaltransactions.net]

    "Security experts say data still can be transmitted unencrypted, or in plain text, during an EMV transaction."

    So this is going to help Target how?

Successful and fortunate crime is called virtue. - Seneca

Working...