By Steven Myers
Associate Professor of Computer Science and Informatics
With the New Year beginning, we have just come through another holiday shopping season, and for many of us, we await our credit card bills--the hangover to the cheer that is the giving season. Only two years ago, during the holiday season, Target's infamous data breach put some 40 million credit card numbers in peril due to hacked point-of-sale systems skimming credit credentials. The result was millions of reissued credit cards. Of course, Target is not alone, and since that breach many other national brands such as Goodwill, TJ Max, Kmart, Neiman Marcus, Staples, Safeway, Hilton and others have had breaches that released credit card data. These breaches have resulted in wasted time and money, as millions of people were issued new credit cards, and have spent time looking for and following up on fraudulent activities. It is worth considering how technology is adapting to provide more secure transactions to hopefully improve the situation going forward.
For most people the most noticeable change is the implementation of chip-and-sign technology in the U.S. Many new credit cards issued in the past year or two contain large gold-colored metal chips. This chip (often referred to as an "EMV" chip) is actually a small tamper-resistant microprocessor with some private storage that is used to secure transactions and provide significantly more security beyond what is capable with the small magnetic strip on the back of traditional credit cards. The chip adds a small computer to the credit card that permits it to interact with credit systems using secure cryptographic protocols, similar to those used to secure Internet transactions. The chips can even be reprogrammed at a point-of-sale terminal to modify their susceptibility to fraud in real-time. For example, they can be cancelled, or have a limit on the size of transactions placed on the card. In contrast, traditional magnetic strips can only contain static information, and are quite easy to read, duplicate and forge.
So, how do these new chips reduce fraud? The system works on several levels. First, all of the digital information stored on the card is digitally signed by the issuer. Digital signatures are not the scanned signatures the consumer signs on a digital pad, but rather cryptographic protocols that allow a signing party to sign information, so that a verifying party knows who signed it and that the signed information has not been modified. However, EMV chips do not just send a card number to perform a transaction. The point-of-sale terminal generates information specific to the transaction, and the card itself digitally signs this transaction-specific information. This prevents transactions from being replayed, and ensures the card is present for the transaction. The card is known to be present as the tamper-resistant private memory of the chip contains something called a signing key, and only someone with access to the key can sign on behalf of the card.
Secondly, a number of fraud prevention features can be programmed directly into the card, either at the time of issuance or the next time it is inserted into a point-of-sale terminal for a transaction. For example, EMV cards can be programed to prevent the card from being used in foreign transactions, or to allow only offline transactions below a certain value, or to completely disable a card that been reported lost. These features can be programmed in near real time, during the next transaction the card performs.
One might wonder why EMV cards do not simply encrypt all information and send that data to the issuer. There are several issues here. First, there will always be a need for some transactions to be offline, and in those cases some public credit card number is seemingly necessary. Secondly, and probably more importantly, many merchants and intermediaries need these numbers to track customer purchases, enable easy purchase returns, route purchase data through payment networks, and other practical functions. While encryption seems like an easy solution, it creates a number of practical problems.
One recently introduced solution called "tokenization" uses an "alternate" credit card number for different merchants, locations or even transactions. This allows merchants to store all your transactions under a unique pseudo credit card number, but one that has no value to other merchants, as your card would generate a different pseudo credit card number for other merchants. Thus, merchants can perform returns, and track purchases using the pseudo credit card number, while gaining the security that a breach in their pseudo credit card numbers would result in no global damage. Further, after a breach has happened, everyone's cards can be programmed to update their pseudo credit card numbers, making them of no future value. Of course, both the card and the bank need to be able to map back and forth to the actual credit card number to appropriate pseudo credit-card numbers, in order to properly manage accounts. This is done securely on the chip, and in secure processing facilities at the issuer.
Several "new'' technologies, including wireless Near Field Communication (NFC) credit cards and smartphone enabled technologies such as Apple Pay, Android Pay and Samsung Pay, are all very similar in that the point-of-sale terminal is talking to the microprocessor is the smartphone as opposed to the one embedded in the credit card. The mechanism by which communication takes place is now over a low-power, near-range radio transmission, as opposed to physical contact with the chip reader. All these technologies are running EMV protocols, which is why ApplePay, Android Pay and Samsung Pay were able to roll out their services to so many merchants with little difficulty.
EMV technology is not a silver bullet that solves all problems. For backward compatibility most merchants are still accepting traditional magnetic swipe cards, although this will change over time. More importantly, EMV is currently not useful for online purchases (your personal computing device probably doesn't have an EMV reader on it). Therefore, there will continue to be a market for stolen credit card credentials for the near future. However, it does provide many fraud reduction features, and has enabled more payment options for consumers. Some food for thought as you nurse your holiday shopping hangover.