Preventing Payment Card Data Breaches
UL conducted a risk analysis of a broad range of payment card fraud scenarios and assessed the potential impact of EMV compliance and the PCI standards on data breaches.
WHY PREVENTING PAYMENT CARD DATA BREACHES MATTERS
Payment card data breaches became a hot topic in the U.S. in 2013, highlighted by the Target and Neiman Marcus incidents, in which 40 million[1] and 350,000[2] cards, respectively, were compromised. However, while these two incidents dominated the spotlight, in the same year there were more than 600 security breaches in the U.S.,[3] resulting in $6.8 billion in card fraud losses.[4] There were an additional $6.5 billion in card fraud losses in other countries in 2013.[5] Understandably, preventing payment card data breaches has become a top priority for the payments industry, particularly in the U.S.
A payment card data breach is the result of one or more hackers gaining access, often on a large scale, to information stored on debit or credit cards with the goal of selling this information on the black market or directly performing fraudulent transactions.[6] When a particular merchant is compromised, all consumers who used their payment cards at that merchant’s retail locations are at risk.[7] This is broadly what occurred in the Target and Neiman Marcus incidents. In both cases, malware strains designed to take advantage of system vulnerabilities circumvented security, enabling backdoor access to consumer card data.[8]
Currently, the U.S. accounts for almost 50 percent of annual card fraud globally, which is comparatively high, given that 27 percent of card transactions occur in the U.S.[9] One contributing factor is that the U.S. is the last of the G20 countries to migrate to EMV-based credit and debit cards,[10] and the predominant credit and debit cards currently in use in the U.S. employ magnetic stripe (magstripe) technology, which was introduced to the mass market in the early 1970s[11] — long before the Internet and mobility transformed the payments industry.
EMV cards were first introduced in 1994[12] and were later adopted by most of the world, including 19 of the G20 nations.[13] These cards use an embedded chip to generate a unique encrypted code for each transaction, allowing the issuer to accurately confirm the authenticity of the card, while reducing the risk of fraud, unauthorized access to information and duplicate cards.[14] EMV cards have achieved a high level of adoption largely because they have helped decrease counterfeit fraud by 60 to 80 percent in countries where EMV cards have become the standard.[15] By the end of 2013, there were more than 2.37 billion EMV cards issued globally,[16] of which 17 to 20 million were issued in the U.S.[17]
Driven by the major credit card brands, the U.S. is now in the process of migrating to EMV, with liability for card fraud mandated to shift to merchants by October 1, 2015 if they do not have EMV-enabled payment devices.[18] However, EMV is a digital transaction protocol that introduces a cryptographically secured means of determining the authenticity of credit and debit cards, helping these cards avoid being cloned by hackers.[19] Despite this protection, which goes beyond what is provided by magnetic stripe technology, EMV itself is unable to prevent the installation of malicious software that could lead to a commercial data breach, such as what occurred at Target and Neiman Marcus.[20]
WHAT DID UL DO?
UL conducted a comprehensive risk analysis of payment card fraud scenarios. From our study of data breaches, we understand that the type of card data that is obtained tends to include Track 2 data (the cardholder’s account, encrypted PIN plus other discretionary data[21]) of every card that was swiped at the compromised point-of-sale (PoS) device, along with the encrypted PIN data for every card transaction that was PIN-based. Although we believe it is extremely unlikely for the encryption to be broken, which would provide access to the actual PINs, we have seen that stolen card data can be used to create counterfeit copies of the original cards. Whether these cards can be used in fraudulent transactions depends on two considerations: the kind of card that is compromised and the usage environment where the fraudulent card is used. These two considerations became the parameters for our risk analysis.[22]
We assessed the potential for fraud across different scenarios that are based on cross-referencing payment card technologies with acceptance environments. The specific payment card technologies we examined included magstripe and PIN, magstripe and signature, and EMV. The different acceptance environments included a magstripe PoS terminal, an EMV PoS terminal and an ATM for card-present transactions, as well as an Internet-based payment for card-not-present (CNP) transactions. This process yielded a robust set of scenarios, for which we then conducted risk assessments.[23]
Risk assessment insights
Scenario 1: A swipe and PIN transaction is compromised, and fraud is attempted at a magstripe PoS device that only requires a signature — Unconditional fraud possibilities
In this scenario, the ability of a criminal to commit fraud depends on the card type and issuer rules. Because the PIN itself has not been compromised, the transactions at risk are signature-based and no-CVM transactions (neither of which requires the 3- or 4-digit code that is printed on the physical card but excluded from the magnetic stripe), at issuers that allow their debit cards to be authorized either with a signature or with no PIN or signature at all (no CVM, for low-ticket transactions).[26]
Scenario 2: A swipe and PIN transaction is compromised, and fraud is attempted at a magstripe PoS device — Conditional fraud possibilities
This is the most likely form of fraud resulting from large-scale PoS compromise. In this scenario, a hacker is able to clone (i.e., create a copy of) the compromised card to use in card-present situations using his or her own signature. An issuer would have no way of telling the difference between a transaction with the genuine card and one with the cloned card. The issuer would be liable for the fraud but may seek to shift liability to the merchant that was the source of the card data compromise.
Acquirers can take additional measures to limit exposure to this kind of fraud. For example, PoS software can be modified to require merchants to enter the last four digits of the embossed primary account number (PAN) prior to authorization, as this would make it more difficult for a criminal to create cloned cards using compromised card data, although this measure can be overcome because it has become relatively easy to obtain embossing equipment. Another fraud mitigation method is to ask customers for photo ID to check against the name on the supplied card, but this can slow the transaction time, adding cost to the merchant while inconveniencing customers.[25]
Scenario 3: An EMV-card transaction is compromised, and fraud is attempted at a magstripe PoS device — Conditional fraud possibilities
In this scenario, the ability to commit fraud is determined by the issuer of the card. Based on the PoS entry mode data element in Field 55 (authorization data in the magstripe used by an acquirer to create a clearing message), the issuer will be able to detect that the card is being used in a magstripe-only terminal. Since this was originally an EMV card, this transaction may fall under the EMV liability shift regime (depending on region). The issuer may choose to decline the transaction, in which case no fraudulent transaction can take place. If the issuer chooses to approve the transaction, the fraud can occur and local liability shift rules will determine whether the issuer or the acquirer is liable for the fraud.[27]
Scenario 4: A swipe and PIN transaction is compromised, and fraud is attempted at an EMV-compliant PoS device — Unconditional fraud possibilities
Here, the same rationale as Scenario 1 applies, with the assumption that the EMV-compliant PoS device is still capable of reading a magstripe card. Depending on the CVM requirements on a debit or credit card, transactions with a fraudulent card can potentially be authorized.[28]
Scenario 5: A swipe and signature transaction is compromised, and fraud is attempted at an EMV-compliant PoS device — Conditional fraud possibilities
This case follows the same rationale as Scenario 2, in which the fraudulent card can be successfully used by the hacker, even though the PoS device is EMV-compliant.[29]
Scenario 6: An EMV-card transaction is compromised, and fraud is attempted at an EMV-compliant PoS terminal — No fraud possibilities
The ability to commit fraud in this scenario depends on regional fallback rules (the backup protocols, if any, that are authorized when the primary mode does not work). To an EMV-compliant PoS device, the fraudulent card will look like an EMV card in which the chip is damaged. In this case, the service code on the magstripe Track 2 would indicate the presence of a chip that the PoS device is unable to read, so the transaction may qualify for fallback under appropriate rules. If fallback is not allowed, the fraudulent transaction will be rejected. However, if fallback is allowed, the issuer will authorize the transaction if sufficient funds are available in the account. During the initial stages of EMV migration in the U.S., if fallback is allowed, Scenario 6 should be colored “orange” to indicate the potential for risk.[30]
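The service-code check that Scenarios 3 and 6 rely on can be made concrete. The following Python is an added example written for this page, not code from UL or from any payment network: it parses a Track 2 string in the ISO/IEC 7813 layout (PAN, field separator, YYMM expiry, three-digit service code, discretionary data), reads the first service-code digit (2 or 6 signals that a chip is present and should be used where feasible), and classifies a magstripe-read transaction into the scenario outcomes described above. The outcome labels, the `terminal_chip_capable` and `fallback_allowed` flags, and the sample track strings (built on the well-known test PAN 4111111111111111) are assumptions constructed for the example.

```python
from dataclasses import dataclass

# ISO/IEC 7813 service code, first digit: 2 or 6 = an integrated circuit (chip)
# is present and should be used where feasible; 1 or 5 = magstripe only.
CHIP_FIRST_DIGITS = {"2", "6"}
# Service code third digit values that require a PIN for every transaction.
PIN_REQUIRED_THIRD_DIGITS = {"0", "3", "5"}


@dataclass(frozen=True)
class Track2:
    pan: str            # primary account number
    expiry: str         # YYMM as stored on the track
    service_code: str   # three digits
    discretionary: str  # issuer-defined data (e.g. PVV / CVV1 fields)


def luhn_valid(pan: str) -> bool:
    """Standard Luhn check-digit test over a decimal PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def parse_track2(raw: str) -> Track2:
    """Parse ';PAN=YYMMSSSdiscretionary?' (start/end sentinels optional)."""
    body = raw.strip()
    if body.startswith(";"):
        body = body[1:]
    if body.endswith("?"):
        body = body[:-1]
    if "=" not in body:
        raise ValueError("track 2 field separator '=' missing")
    pan, rest = body.split("=", 1)
    if not (13 <= len(pan) <= 19 and pan.isdigit() and luhn_valid(pan)):
        raise ValueError("PAN fails length or Luhn check")
    if len(rest) < 7 or not rest[:7].isdigit():
        raise ValueError("expiry date or service code missing")
    return Track2(pan=pan, expiry=rest[:4], service_code=rest[4:7], discretionary=rest[7:])


def masked_pan(pan: str) -> str:
    """Display form with only the first six and last four digits, as for logs and receipts."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def is_chip_card(t: Track2) -> bool:
    return t.service_code[0] in CHIP_FIRST_DIGITS


def pin_required(t: Track2) -> bool:
    return t.service_code[2] in PIN_REQUIRED_THIRD_DIGITS


def swipe_decision(t: Track2, terminal_chip_capable: bool, fallback_allowed: bool) -> str:
    """Classify a magstripe-read transaction using the scenarios in the text.

    The labels below are constructed for this example; a real acquirer or issuer
    host would map them onto its own authorization response codes."""
    if not is_chip_card(t):
        # Scenarios 2 and 5: a plain magstripe card. The stripe data alone cannot
        # reveal whether this is the original card or a clone.
        return "MAGSTRIPE_CARD_NO_CHIP_INDICATOR"
    if not terminal_chip_capable:
        # Scenario 3: chip card swiped at a magstripe-only terminal. The issuer
        # may decline; otherwise regional liability-shift rules decide who pays.
        return "CHIP_CARD_AT_MAGSTRIPE_TERMINAL_ISSUER_DECISION"
    if fallback_allowed:
        # Scenario 6, the "orange" case: looks like a damaged chip, fallback permitted.
        return "CHIP_CARD_FALLBACK_REVIEW"
    # Scenario 6 with fallback disallowed: a cloned EMV-card stripe is rejected.
    return "DECLINE_CHIP_REQUIRED"


if __name__ == "__main__":
    # Constructed sample: chip-capable card (service code 201) swiped at an EMV terminal.
    card = parse_track2(";4111111111111111=27122010000000000000?")
    print(masked_pan(card.pan), card.service_code, is_chip_card(card))
    print(swipe_decision(card, terminal_chip_capable=True, fallback_allowed=False))
```

The `masked_pan` helper exists so that nothing in this code path ever prints or logs a full PAN; the parse step rejects malformed or Luhn-invalid input before any decision is made, which is where a terminal or host should fail closed.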
Scenario 7: Magstripe and signature at an ATM — Not a valid scenario
There is no signature at an ATM.[31]
Scenario 8: A swipe and PIN transaction is compromised, and fraud is attempted at an ATM — Conditional fraud possibilities
Generally, a cloned card cannot be used to commit fraud at an ATM, as this would require the correct PIN to be entered. However, criminals can use social engineering and phishing techniques to obtain PINs,[32] and it is also possible for criminals to obtain identity information to change the PINs of cloned cards.[33]
Scenario 9: ATM usage of a compromised EMV card — No fraud possibilities
With a cloned EMV card, criminals will not be able to duplicate the information contained in the EMV chip. An EMV-enabled ATM will return an invalid transaction on a duplicated card.[34]
Scenarios 10, 11 and 12: Internet, CNP usage of a compromised card — Conditional fraud possibilities
In theory, the data that are stolen from cards by compromising a PoS device cannot be used for CNP Internet purchases. This is because a compromised PoS device only gives access to magstripe Track 2 data, which do not contain the so-called security code (referred to as CVV2 or CVC2 data) printed on the signature panel of the card.[35]
However, experience has shown that under certain circumstances, fraud can be successfully committed with the data gathered through a large-scale PoS compromise:
- In some cases, a web-based merchant that accepts card payments does not require entry of a security code to complete a transaction. In these cases, compromised card data can successfully be used for fraudulent purchases. Since the merchant does not require all the data it is supposed to (the CVC2 security code), the merchant will be liable for any losses.
- Some issuers do not validate the value of the CVC2 data, which means compromised card data can be used for CNP purchases. In this case, the issuer will be liable for any losses.
- A statistical attack vector exists with a large-scale PoS compromise. Because the CVC2 security code is a three-digit numerical value, there are 1,000 possible combinations. Most issuers allow three successive CVC2 validation attempts before fraud is suspected and authorization is declined, which yields a 0.3 percent per-card success rate for fraudulent CNP transactions. When the data from millions of payment cards are stolen, there is a large statistical chance of committing fraud in CNP environments (the 0.3 percent hit rate would yield 3,000 usable cards out of one million compromised). In this case, the issuer would be liable for transaction fraud, but would likely seek to shift liability to the merchant where the large-scale PoS compromise took place.[36]
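The three bullets above describe issuer-side controls (requiring and validating the CVC2, capping validation attempts per card) and an exposure that remains even with those controls in place. The following Python is an added example for this page, not UL's or any issuer's code: a minimal CNP authorizer that refuses transactions without a CVC2, validates it in constant time, blocks a PAN after the three attempts the text cites, and then goes one step beyond the page by scanning its own decision log for a merchant at which many distinct PANs are failing CVC2 checks, the signature of the statistical attack spread across a large stolen data set. The CVC2 values, merchant identifiers and outcome labels are constructed for the example; a real issuer derives the CVC2 from cryptographic keys rather than looking it up in a table.

```python
from collections import defaultdict
import hmac

MAX_CVC2_ATTEMPTS = 3   # the text states most issuers allow three attempts
CVC2_SPACE = 1000       # three decimal digits


def expected_usable_cards(compromised: int, attempts: int = MAX_CVC2_ATTEMPTS,
                          space: int = CVC2_SPACE) -> int:
    """Expected number of cards whose CVC2 is hit within the allowed attempts
    (the 0.3 percent per-card rate from the text, applied to a whole data set)."""
    return compromised * attempts // space


class IssuerCnpAuthorizer:
    """Toy issuer host for card-not-present authorizations (constructed example)."""

    def __init__(self, cvc2_by_pan, max_attempts: int = MAX_CVC2_ATTEMPTS):
        # Constructed lookup table; real issuers compute CVC2 under HSM-held keys.
        self._cvc2 = dict(cvc2_by_pan)
        self._failed = defaultdict(int)   # consecutive CVC2 mismatches per PAN
        self._blocked = set()             # PANs that exhausted their attempts
        self.max_attempts = max_attempts
        self.events = []                  # (merchant_id, pan, outcome) decision log

    def authorize(self, pan: str, cvc2_presented, merchant_id: str) -> str:
        outcome = self._decide(pan, cvc2_presented)
        self.events.append((merchant_id, pan, outcome))
        return outcome

    def _decide(self, pan: str, cvc2_presented) -> str:
        expected = self._cvc2.get(pan)
        if expected is None:
            return "DECLINE_UNKNOWN_PAN"
        if pan in self._blocked:
            return "DECLINE_BLOCKED"
        if not cvc2_presented:
            # Bullets 1 and 2 above: a merchant that omits the code, or an issuer
            # that skips validation, leaves Track 2 data alone sufficient for CNP fraud.
            return "DECLINE_CVC2_REQUIRED"
        # Constant-time comparison of the three-digit strings.
        if hmac.compare_digest(expected, str(cvc2_presented)):
            self._failed[pan] = 0
            return "APPROVE"
        self._failed[pan] += 1
        if self._failed[pan] >= self.max_attempts:
            # Third consecutive mismatch: treat the PAN as under attack.
            self._blocked.add(pan)
            return "DECLINE_BLOCKED"
        return "DECLINE_CVC2_MISMATCH"


def merchants_with_distributed_guessing(events, min_distinct_pans: int = 50):
    """Merchants at which at least min_distinct_pans different PANs failed CVC2
    validation. Per-PAN lockout alone cannot see this pattern, because the
    statistical attack spends only one to three attempts on each card."""
    failing = defaultdict(set)
    for merchant, pan, outcome in events:
        if outcome in ("DECLINE_CVC2_MISMATCH", "DECLINE_BLOCKED"):
            failing[merchant].add(pan)
    return sorted(m for m, pans in failing.items() if len(pans) >= min_distinct_pans)


if __name__ == "__main__":
    issuer = IssuerCnpAuthorizer({"4111111111111111": "123"})  # constructed values
    for guess in ("000", "001", "002"):
        print(issuer.authorize("4111111111111111", guess, "shop-a"))
    print(expected_usable_cards(1_000_000))          # 3000
    print(merchants_with_distributed_guessing(issuer.events, min_distinct_pans=1))
```

The per-PAN counter reproduces the control the text describes; the merchant-level scan is the complementary check an issuer's fraud team would add, since a compromise of one million cards tested at one online merchant produces a large number of PANs each failing once or twice, which no single-card rule will flag.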
Preventing large-scale data breaches
The EMV transaction protocol takes place between an EMV-compliant card (debit or credit) and an EMV-compliant PoS device or ATM. By using EMV, PoS devices and/or card issuers will always be able to detect attempted card cloning. However, for reasons of backwards compatibility, non-EMV-compliant cards can be used on EMV-compliant acceptance infrastructures. Similarly, EMV-compliant cards are usable on magstripe-only acceptance devices. Because of this, merchants that have EMV-enabled their PoS acceptance infrastructures can still be a source of card data compromise if a hacker gains access to PoS software code, and can still unknowingly accept fraudulent transactions (see Scenarios 4, 5 and 6). That said, if the U.S. had already migrated to EMV, the consequences of large-scale card compromises, such as the ones recently reported, would have been less severe (see Scenario 6).[37]
Beyond EMV compliance, UL believes that the Payment Card Industry (PCI) standards play a vital role in the process of preventing data breaches. PCI Data Security Standard (DSS) controls (a set of technical and operational requirements designed to protect cardholder data[38]) have been designed to prevent and/or detect a large-scale compromise. To commit such fraud, criminals need a point of ingress to allow for the wide-scale delivery of a compromise, a known vulnerability in the system to allow for the compromise and a point of egress for the exfiltration of the collected data. These points are directly addressed by the PCI DSS requirements, and although compliance is not an absolute guarantee of prevention of such a compromise, we believe that data breaches are far more likely to have resulted from a lack of rigor around one or more of the PCI DSS controls.[39]
If hackers were to attempt to collect card data directly from a PoS device, this form of compromise could largely be mitigated through the use of encryption on all cardholder data at the point of interaction (POI) at the PIN Entry Device itself before the data are passed into a PC-based PoS system. Specifically, compliance with the PCI Point-to-Point Encryption (P2PE) requirements, or even just the correct use of Secure Reading and Exchange of Data (SRED)-approved POI devices, would help remove all cardholder data from the PoS environment. This is likely the largest single step retailers can take to protect their customers’ card data.[40]
As the U.S. payments industry transitions from magstripe to EMV cards, a large number of potential security risks will be mitigated. EMV compliance will help ensure that the card account information that flows through a PCI-compliant acquiring infrastructure is genuine and can be authenticated, and an acquiring infrastructure that is compliant with applicable and up-to-date PCI standards should provide sufficient end-to-end protection against card account compromise. UL believes that the combination of PCI and EMV compliance will provide a robust framework against card fraud in both the card-present and CNP domains. During this time of transition in the U.S., we will continue to closely monitor existing and emerging security threats, identify gaps and formulate proactive risk mitigation strategies to help ensure payment security.[41]