MasterCard, VISA Warn of Processor Breach

Discussion in 'other security issues & news' started by ronjor, Mar 30, 2012.

Thread Status:
Not open for further replies.
  1. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,778
    Location:
    Texas
  2. Thankful

    Thankful Savings Monitor

    Joined:
    Feb 28, 2005
    Posts:
    3,739
    Location:
    New York City
  3. Scoobs72

    Scoobs72 Registered Member

    Joined:
    Jul 16, 2007
    Posts:
    1,108
    Location:
    Sofa (left side)
    According to the reports, full track 1 and track 2 data was stolen. If true, that breaks one of the most important requirements of PCI DSS. EMV can't come too soon to the U.S.....
     
  4. Baserk

    Baserk Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    1,317
    Location:
    AmstelodamUM
    Scoobs72, the Krebs post mentions;
    ...Visa also supports advanced security layers such as encryption, tokenization and dynamic authentication through EMV chip technology to further protect sensitive account information and minimize the impact of data compromises.

    So Visa supports EMV but this isn't a feature on US cards yet? Only magnetic??
     
  5. Scoobs72

    Scoobs72 Registered Member

    Joined:
    Jul 16, 2007
    Posts:
    1,108
    Location:
    Sofa (left side)
    Visa, Mastercard, Amex et al support EMV. The U.S. now has a plan to migrate to EMV and this breach highlights the importance of this. Krebs' comments about encryption and tokenization are red herrings. EMV has no encryption or tokenization support. The important bit about EMV is that each transaction is dynamic, massively reducing the value of captured cardholder data.
     
  6. MikeBCda

    MikeBCda Registered Member

    Joined:
    Jan 5, 2004
    Posts:
    1,627
    Location:
    southern Ont. Canada
    After reading the article yesterday (thanks for the link, by the way), I phoned my bank to get confirmation that they didn't expect transactions up here to be affected. The service rep I spoke to essentially said the same as other posters here, that the U.S. is behind most of the rest of the world in card security, specifically in the use of cards (debit and credit) having only the magnetic swipe-strip.

    Here in Canada, and according to him in the majority of other countries as well, an embedded chip (presumably EMV) was added to all such cards several years back.
     
  7. Baserk

    Baserk Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    1,317
    Location:
    AmstelodamUM
    Perhaps the sentence ought to be read as "Visa also supports advanced security layers such as encryption, tokenization and (also) dynamic authentication through EMV chip technology".

    This stuff isn't exactly my cup of tea but I've read a tiny bit about 'tokenization' on f.i. a Visa press release link.
    Would overall tokenization have limited the amount of data stolen in this case; PAN tokenization is meant to replace/reduce the level of track 1/2 data sent to/at the processor?
    And the current news means that tokenization hasn't been (fully) implemented? (Or am I talking out of my *** now)?
     
  8. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,778
    Location:
    Texas
    http://arstechnica.com/business/new...k-that-may-affect-10-million-credit-cards.ars
     
  9. Scoobs72

    Scoobs72 Registered Member

    Joined:
    Jul 16, 2007
    Posts:
    1,108
    Location:
    Sofa (left side)
    Well, Visa doesn't support encryption or tokenization. They are just technologies that 3rd party vendors layer on to the payment processing environment. Fundamental to EMV, on the other hand, is the dynamic nature of an EMV transaction, which means that if Mr. Hacker captures the track 2 equivalent data, there's not a great deal he can do with it. You can't create a fake credit card with it and you can't use it to purchase transactions online...unless you happen to buy at the small number of ecommerce retailers who don't check CVVs (the 3 digit code printed on the back of your card). Shhhhsh...best not mention those. :)


    Tokenization could have helped, but it is not a technology that is designed to be deployed on the data sent from the retailer to the processor. It is a technology that secures data at rest, rather than data in flight. In this instance, Mr. Hacker would have had to grab the database of encrypted card details as well as finding a way to obtain the encryption keys which presumably would have been safely within a hardware security module. So it would have been much harder.

    But implementing tokenization can have big impacts on other parts of the business that need to access card details, and can only be implemented easily long after settlement of the payment transactions. So, yes, it is a technical solution, but it has major practical issues on the operation.
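
Added example, not part of the thread: a simplified model of the "each transaction is dynamic" point made in the posts above. A card-held key, a transaction counter and a terminal nonce feed a per-transaction cryptogram, so a captured message is rejected when replayed or altered. HMAC-SHA256 stands in for the real EMV cryptogram algorithm, and all class and function names are hypothetical.

```python
import hashlib
import hmac
import secrets


def cryptogram(key: bytes, atc: int, nonce: bytes, amount: int) -> bytes:
    """MAC over per-transaction data (HMAC-SHA256 stands in for the EMV MAC)."""
    msg = atc.to_bytes(2, "big") + nonce + amount.to_bytes(6, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


class Card:
    """Chip card: the key stays on the chip, the counter (ATC) rises per use."""
    def __init__(self, pan: str, key: bytes):
        self.pan, self._key, self.atc = pan, key, 0

    def pay(self, nonce: bytes, amount: int) -> dict:
        self.atc += 1
        ac = cryptogram(self._key, self.atc, nonce, amount)
        return {"pan": self.pan, "atc": self.atc, "nonce": nonce,
                "amount": amount, "ac": ac}


class Issuer:
    def __init__(self):
        self._keys, self._last_atc = {}, {}

    def issue(self, pan: str) -> Card:
        self._keys[pan], self._last_atc[pan] = secrets.token_bytes(16), 0
        return Card(pan, self._keys[pan])

    def authorize(self, txn: dict) -> bool:
        key = self._keys.get(txn["pan"])
        if key is None or txn["atc"] <= self._last_atc[txn["pan"]]:
            return False  # unknown card, or counter already used (replay)
        want = cryptogram(key, txn["atc"], txn["nonce"], txn["amount"])
        if not hmac.compare_digest(want, txn["ac"]):
            return False  # cryptogram was not made for these values
        self._last_atc[txn["pan"]] = txn["atc"]
        return True


def demo() -> list:
    issuer = Issuer()
    card = issuer.issue("4111111111111111")  # constructed test PAN
    first = card.pay(secrets.token_bytes(4), 1250)
    altered = dict(first, atc=first["atc"] + 1, amount=99900)
    return [issuer.authorize(first), issuer.authorize(dict(first)),
            issuer.authorize(altered)]
```

`demo()` authorizes the genuine transaction once, then rejects both the replayed copy and the copy with a bumped counter and changed amount.
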
     
  10. Baserk

    Baserk Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    1,317
    Location:
    AmstelodamUM
    ^thx for the explanation Scoobs72, appreciated.
     