Wednesday, August 17, 2016

In card transactions, the chip (and the machine) are not enough

In the United States, many bytes have been devoted to the transition to "chip and PIN" (or, in some cases, "chip and signature") credit and debit cards. While much has been said about the financial motivations of banks and retailers, one underlying assumption has been that the chip card, when paired with a compatible card reader, is secure.

However, Robinson + Cole cites an NCR study that points out one other significant factor - a factor that some are choosing NOT to implement.

NCR says that the problem is that while retailers are encouraging the use of chip cards, they are upgrading their payment machines but they are not encrypting the transaction. Retailers would need to pay extra for the encryption. So while they are spending money on the new payment machines for chip cards, the transaction is still not all that secure.

As an aside, I should make a note that this is not a failure of the technology; it's a failure of the implementation of the technology.

Of course NCR presumably has its own motivations - it wants the retailers to spend money on encryption - but the argument makes sense. If you're going to spend all this money to install readers to read the new chip cards, why not follow through with implementing the software change? Without encryption, all of that money is wasted.

And it's not like the encryption issue is anything new; the Smart Card Alliance was discussing end-to-end encryption in 2009.