Discussion in 'other security issues & news' started by ronjor, Mar 30, 2012.
According to the reports, full track 1 and track 2 data was stolen. If true, that breaks one of the most important requirements of PCI DSS. EMV can't come too soon to the U.S....
Scoobs72, the Krebs post mentions:
...Visa also supports advanced security layers such as encryption, tokenization and dynamic authentication through EMV chip technology to further protect sensitive account information and minimize the impact of data compromises.
So Visa supports EMV but this isn't a feature on US cards yet? Only magnetic??
Visa, Mastercard, Amex et al. support EMV. The U.S. now has a plan to migrate to EMV and this breach highlights the importance of this. Krebs' comments about encryption and tokenization are red herrings. EMV has no encryption or tokenization support. The important bit about EMV is that each transaction is dynamic, massively reducing the value of captured cardholder data.
After reading the article yesterday (thanks for the link, by the way), I phoned my bank to get confirmation that they didn't expect transactions up here to be affected. The service rep I spoke to essentially said the same as other posters here, that the U.S. is behind most of the rest of the world in card security, specifically in the use of cards (debit and credit) having only the magnetic swipe-strip.
Here in Canada, and according to him in the majority of other countries as well, an embedded chip (presumably EMV) was added to all such cards several years back.
Perhaps the sentence ought to be read as "Visa also supports advanced security layers such as encryption, tokenization and (also) 'dynamic authentication through EMV chip technology'".
This stuff isn't exactly my cup of tea but I've read a tiny bit about 'tokenization' on, for instance, a Visa press release link.
Would overall tokenization have limited the amount of data stolen in this case; PAN tokenization is meant to replace/reduce the level of track 1/2 data sent to/at the processor?
And the current news means that tokenization hasn't been (fully) implemented? (Or am I talking out of my *** now)?
Well, Visa doesn't support encryption or tokenization. They are just technologies that 3rd-party vendors layer on to the payment processing environment. Fundamental to EMV, on the other hand, is the dynamic nature of an EMV transaction, which means that if Mr. Hacker captures the track 2 equivalent data, there's not a great deal he can do with it. You can't create a fake credit card with it and you can't use it to purchase transactions online...unless you happen to buy at the small number of ecommerce retailers who don't check CVVs (the 3-digit code printed on the back of your card). Shhhhsh...best not mention those.
Tokenization could have helped, but it is not a technology that is designed to be deployed on the data sent from the retailer to the processor. It is a technology that secures data at rest, rather than data in flight. In this instance, Mr. Hacker would have had to grab the database of encrypted card details as well as finding a way to obtain the encryption keys, which presumably would have been safely within a hardware security module. So it would have been much harder.
But implementing tokenization can have big impacts on other parts of the business that need to access card details, and can only be implemented easily long after settlement of the payment transactions. So, yes, it is a technical solution, but it has major practical issues on the operation.
^thx for the explanation Scoobs72, appreciated.
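The point made in the thread, that a dynamic per-transaction value makes captured card data far less useful than static track data, can be shown with a small issuer-side model. This is an added example, not part of the original discussion: HMAC-SHA256 stands in for the real EMV cryptogram computation, and the class names, message layout and test PAN are constructed for illustration.

```python
import hashlib
import hmac
import os

def _mac(key, pan, amount, atc, nonce):
    # Cryptogram over the transaction fields (HMAC is an assumption, not EMV's algorithm).
    msg = f"{pan}|{amount}|{atc}".encode() + nonce
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

class Card:
    """Chip card model: the key stays on the chip, the counter rises per transaction."""
    def __init__(self, pan, key):
        self.pan, self._key, self.atc = pan, key, 0

    def authorize(self, amount, nonce):
        self.atc += 1  # transaction counter makes every request unique
        return {"pan": self.pan, "amount": amount, "atc": self.atc, "nonce": nonce,
                "cryptogram": _mac(self._key, self.pan, amount, self.atc, nonce)}

class Issuer:
    """Issuer model: holds each card's key and the highest counter seen so far."""
    def __init__(self):
        self._keys, self._last_atc = {}, {}

    def enroll(self, pan):
        self._keys[pan], self._last_atc[pan] = os.urandom(32), 0
        return Card(pan, self._keys[pan])

    def verify(self, req):
        key = self._keys.get(req["pan"])
        if key is None:
            return "declined: unknown card"
        expected = _mac(key, req["pan"], req["amount"], req["atc"], req["nonce"])
        if not hmac.compare_digest(expected, req["cryptogram"]):
            return "declined: bad cryptogram"
        if req["atc"] <= self._last_atc[req["pan"]]:
            return "declined: replayed counter"
        self._last_atc[req["pan"]] = req["atc"]
        return "approved"

def demo():
    issuer = Issuer()
    card = issuer.enroll("4000000000000002")  # constructed test PAN
    genuine = card.authorize(1999, os.urandom(4))
    first = issuer.verify(genuine)
    replay = issuer.verify(dict(genuine))  # captured message resubmitted unchanged
    altered = issuer.verify({**genuine, "amount": 99999, "atc": genuine["atc"] + 1})
    return first, replay, altered

if __name__ == "__main__":
    print(demo())
```

Static track data has no counterpart to the counter or the cryptogram, so a captured copy is indistinguishable from the original swipe.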