Target Moves To Chip and Pin Cards To Boost Security 210
jfruh (300774) writes "U.S. retailers must accept chip-and-pin charge cards by the end of 2015 or become liable for fraudulent purchases made with chip cards. Target, still smarting from its recent embarrassing security breach, is moving to get ahead of that trend. The company will be installing chip-and-pin terminals in all its stores, and will also be issuing chip-and-pin versions of its own branded cards, which account for about 20 percent of Target sales. Will this move by a huge retailer push the U.S. into parity with the rest of the world?"
This isn't why they had a security breach (Score:5, Informative)
They might as well announce they're getting Yettie insurance. They had their payment system compromised by people that got access to their point of sale system at one of their stores and then used that to gain access to their central system.
That has nothing to do with chip and pin.
And ultimately, how would you do chip and pin for online retail? You know, people that literally have to type their credit card number into a field? So indifferent to chip and pin, that is going to keep working. And I suspect that indifferent to chip and pin, somewhere in the target billing system there will be a list of credit card numbers, expiration dates, and security codes. A hacker gaining access to that database isn't going to care if the cards were chip and pin or not. Because by that point the data is prepared for processing. The only way chip and pin would be effective is if the security code were different for each transaction. That seems extremely unlikely but if you could some how pull that off then snagging the numbers might not get the thieves anything. Of course, how you'd get that to work with online retail is anyone's guess.
TLDR... I don't think chip and pin is going to accomplish anything and in so far as I understand the issue it wouldn't have stopped the breach at target in the first place. So i don't know why they're talking about it like its a solution to anything.
Re: Chip and PIN (Score:4, Informative)
Square will have to do what PayPal Here does in territories with Chip and Pin, and that's replace their device with one that has a chip reader.
Of course, the PayPal Here reader with Chip and Pin is almost ten times the cost of the US PayPal Here swipe reader.
Well, it really depends. Without chip and pin, the vendor assumes all responsibility for chargebacks. It will be a decision for each square user as to whether it is more profitable to assume liability or pay for the more expensive reader. upgrade.
Re: This isn't why they had a security breach (Score:4, Informative)
The vendor takes the customer's name, postal address and card number, and sends a message to their card processor (bank) saying "I want to charge this customer this amount for this transaction"; the bank sends back a url and the customer is redirected to that page.
The (secure) page (which displays a shared secret known only by you and the bank) asks for your online banking password; the bank processes the payment, and redirects you back to the vendor's thank-you page.
This has nothing to do with chip and pin.
But UK banks also hand out free one-time pad [barclays.co.uk] terminals which use your chip and pin card for online identitification.
Re:This isn't why they had a security breach (Score:4, Informative)
It has everything to do with chip and PIN. It would've prevented the security breach entirely because with chip and PIN, getting the card number by itself is useless. You need the smart chip on the card and the PIN to activate it before you can do anything with the card number. Since you can't use the numbers without the chip and PIN, there is no incentive for thieves to steal the card numbers - they are just numbers, not a magical way to access someone else's money.
You buy a card reader [newegg.com] for your home computer.
I don't get why people keep trying to blame Target's security for this problem. The problem all along has been that you can buy stuff using nothing more than a plaintext sixteen-digit number that "belongs" to someone else. I'm not saying Target isn't at fault for failing to secure their network. But giving your credit card to a waiter at a restaurant makes your card just as vulnerable as Target's network was during their security breach. The current system is like telling your bank to authorize payment if someone gives them "your secret password." Then you proceed to give that very password out to every merchant you visit, so they can tell the bank and collect payment. Well if you're giving your password in plaintext to every merchant out there, it's not very secret is it? And anyone who steals the plaintext or overhears it or copies it can make charges to your account (whether it be a thief who stole them from the merchant, or an employee at the merchant, or the guy standing behind you in line who snapped a picture of your card with Google Glass).
The way I understand how chip and PIN works, you insert the card into the reader which powers up the chip. The merchant transmits the transaction info to the chip. You enter your PIN which gets transmitted to the chip. The chip then uses the private key embedded in it to encrypt those pieces of data. That encrypted data and the card number is sent to the credit card processor, who holds the card's corresponding public key. They look up the card number, find its public key, and decrypt the data. The card number is no longer the gateway to your money, it's just a reference number for looking up the public key. It's the public/private key pair safeguarding your money and authenticating the transaction, and using the private key requires physical access to the card's chip and the corresponding PIN.