Yesterday, U.S. retailers spoke to a U.S. Senate panel about the recent breaches. Mark Bower, VP of product management at Voltage Security, writes:
"While it’s encouraging to see Target strategically embrace EMV, it’s necessary to look at mitigating threats to data that EMV unfortunately doesn't protect. EMV, aka chip and PIN in Europe or chip and signature in the US, helps reduce card cloning, which was a top fraud problem in the 1990s when EMV was first specified. However, the UK experiences over the last several years [1] clearly show that the stolen data from EMV systems can be re-purposed for fraud in non-EMV and Card-Not-Present scenarios (i.e. e-commerce), resulting in a major surge in online transaction fraud, something the US needs to prepare for.
With EMV, the sensitive credit card number is still not encrypted from chip to the POS or beyond. Transactions are authenticated, but not encrypted. So, mass data breaches need to be mitigated by the combination of EMV with end-to-end encryption and tokenization from the reading device using data-centric security technologies that are already here and proving their worth in the fight to make attacks harder and unattractive to criminals. The combination helps eliminate many of the kinds of exploitable gaps we have witnessed in 2013 and prior in retail payment flows. More specifically, with this approach, the ever-vulnerable POS/Checkout and upstream retail systems never see live data, yet can still do their job of taking payments and providing analytic data to the merchant or acquirer.
The US standards bodies at the heart of the financial system security like ANSI X9 (X9.119, X9.124) and NIST (SP800-38G) and major hardware and software providers to retail payments are providing the necessary foundation for this strategy to be embraced on an industry-wide basis. This is why many of the top 10 US merchant acquirers and national merchants are already well ahead of the game with this three-pronged approach. This includes Heartland Payment Systems, which led the industry towards better security approaches after a similar well-documented mass breach in 2009 [2], effectively changing the whole industry view on payment security in the process.
The result is a much safer and low-risk operating environment for payment data when properly protected, and as Bob Carr, Heartland CEO, famously stated [3], “Every single breach I know of wouldn't have happened if our end-to-end encryption solution had been there.”"