Tags ArchivesEMV

Will Plastc Succeed where Coin Failed? standard

Facebook has some really interesting ways to position products in front of its users. Not one day after a few of us went on a Coin rant I was presented an advertisement for Plastc, a bigger and better version of Coin that includes an EMV Chip. Early adopters of Coin had mixed results with the card itself with some merchants refusing to accept it, and current users are struggling with the lack of chip support in the device. Here’s why Coin will slowly be phased out in a way to be completely ineffective. Embedded in the magnetic stripe of your payment card is a collection of data that is submitted for payment when you swipe the card. One of the ...

Continue Reading

Apple Pay is Not P2PE, and Does Not Replace PCI Compliance standard

Apple Pay’s announcement two weeks ago caused a flurry of activity—some of it right here on this blog. I had a chance to catch up with someone who is very close to the design of Apple Pay. I was able to get a few questions answered and I wanted to share those answers here with you all. Apple Pay’s NFC uses EMV. EMV is a standard which was implemented in both the chip and contactless variants for payments. It is effectively the first wide-scale system that uses the EMV Token standard released this year. Apple Pay is software that uses the NFC radio built into the iPhone 6/6+. Why did I make this distinction? Each technology (for example, PayWave and ...

Continue Reading

More Fun with EMV standard

Yes, it’s time to go hit your local university library again (or just join the Association for Computing Machinery) to see a great article from Anderson & Murdoch entitled, “Inside Risks EMV: Why Payment Systems Fail.” For those of us in the US that are now on the cusp of a wide-scale EMV rollout, there are still many questions that need to be answered. Drs. Anderson and Murdoch do a great job of summarizing the issues that we will face here in the US, including some of the attacks that were common in other implementations of EMV. Turns out, the French may be the best experts at cracking this thing. EMV tokens make an appearance in the article, but there ...

Continue Reading

EMV as an E-Commerce Fraud Driver standard

Oh what a year it has been so far. Breach here, breach there, breaches everywhere! EMV to the rescue, right? RIGHT?!? Well, yes and no. EMV does add tremendous security (when configured properly) to a Card Present (CP) transaction, but EMV does nothing to help the security of Card Not Present (CNP) transactions. And given the increased digitization of business and commerce, we would expect that over time the number of CNP transactions would increase at the expense of CP transactions. Meaning, as more digital business models drive people to purchase goods and services without physically presenting their card for purchase, people will opt for that style as it could be seen as more convenient. Don’t forget that CNP transactions ...

Continue Reading

What the Leaked Target PIN Data Actually Means for You standard

Before you read this, consider checking out my first post on the Target breach. Payment systems are complex. If you have ever assessed one or looked under the curtains going all the way back to the issuer, you know this. So it is not a surprise that there is a ton of misinformation flying around about the PIN data that Target admitted was taken. Before we get to far down the road here, I want to review a few items to make sure we’re all on the same page. First, let’s talk about track data. The type of data in the magstripe on the back of your card is sensitive, which is why PCI Requirement 3.2 forbids storing it. I’ve ...

Continue Reading

The Gotchas of EMV for the US Consumer standard

Update Nov 4, 2013: I was in the UK last week and it looks like the Underground has fixed their terminals to allow the use of the chip at a UPT! This is great news. My guess is there is some upper limit to what can be accepted without signature and it is now implemented. Some of you may know that I spent a little over a week on vacation with my wife traipsing through Europe this month. And even though I was constantly yelled at for walking too fast or running to check out some grey squirrel (they are tan here in the US), we had a fabulous time. We had a few hitches in our travels as any ...

Continue Reading

Does EMV Fix SMB Compliance? standard

By now you probably know that EMV is coming to the US. Some say it is long overdue, others believe it will only shift fraud to other methods. But what if EMV adoption would solve the PCI issues for small and medium businesses? That could be a really interesting case study to see how it applies as small businesses are typically caught unawares when bad things happen. As with all things, it may come down to acceptance more than anything else. Imagine for a moment if companies did aim to remove PCI DSS assessment activities from their annual audit schedule and converted all of their terminals to support EMV. Unless you and I as consumers get cards with a chip ...

Continue Reading

A Conversation with Bob, Troy, and Jeremy standard

If you caught me this year at the PCI Community Meeting you may have noticed something strange attached to my badge—a green “Press” ribbon. While it was strange to wear it and I don’t consider myself a member of the press, I’m thankful for what it ended up getting me. I had some great 1:1, on the record discussions with key stakeholders which I plan on bringing to you here in the blogorino. The first one I want to review is a conversation I had with the public leaders of the PCI SSC, Bob Russo (GM), Troy Leach (CTO), and Jeremy King (EU GM). The first thing I asked about was the new Special Interest Group (SIG) process that Jeremy ...

Continue Reading

Why Visa’s TIP Doesn’t Matter standard

On Thursday, I posted about a memo released by Visa, Inc. last week discussing the acceleration of EMV adoption. There is much buzz going on right now as merchants now have a false sense of hope. PCI Assessments aren’t going anywhere any time soon. Why? One of the fundamental rules about PCI DSS is that you are dealing with five competing payment brands that handle their own enforcement. This means that as a merchant you can be a different level with a different payment brand, which may or may not affect how you validate compliance. A move by any one payment brand does not necessarily represent all five brands, nor does it guarantee that you will see the effects in ...

Continue Reading

Chip and PIN on the Way standard

Here comes EMV Cotton tail, hoppin’ down the PCI trail, Hippety hoppety, EMV’s on its way! While crammed in the back of a cab last night I flipped through some stuff on Twitter and found this post by Adrian Lane on Securosis describing Visa’s chip migration acceleration. Now that I am actually back in front of my computer and not bouncing around in the back of a PT Cruiser (the BACK back), I wanted to elaborate on how this impacts cardholders and merchants. If you read his post, you will learn some of the motivation for accelerating the change, but you miss a couple of key points. Chip and PIN doesn’t work if the card in your wallet doesn’t use ...

Continue Reading

This is a unique website which will require a more modern browser to work!

Please upgrade today!