Target Breach Spells End For Magnetic Stripe Cards Next Year

Page 1 of 2  
After years spent fighting pushes for more secure standards, the payment card industry and retailers are moving quickly to abandon magnetic stripe cards and embrace so-called ‘chip and pin’ technology.
Credit card firms MasterCard and Visa plan to have most customers on the more secure chip and pin cards by October, 2015, according to a report in the Wall Street Journal. The move comes in the wake of a massive heist of account information for tens of millions of credit card holders from the systems of U.S. retailers including Target, Neiman Marcus and Michaels Stores.
In an interview with MasterCard’s Carolyn Balfany, the Journal notes that company has set October, 2015 as the date for a “liability shift” – a change in policy that will hold the party in a fraudulent transaction liable for losses due to that transaction. The goal, said Balfany, is to try to encourage merchants and card issuers (banks) to move to the more secure chip and pin technology in concert.
Visa said that it also will institute a liability shift in October 2015. However, the shift to more secure cards will likely start much earlier. Visa is requiring all ATMs that accept its cards to be EMV compliant by April of next year.
https://securityledger.com/2014/02/target-breach-spells-end-for-magnetic-stripe-cards-in-2015/
According to the article in the Wall Street Journal, the liability shift means that the party that uses the less-advanced technology in the transaction will be held liable if the transaction turns out to be fraudulent. So, if the merchant is still using the old system and processes a transaction with a swipe and signature, the merchant would be liable. If the merchant has a new terminal to accept the chip and PIN cards, but the the bank hasn't issued a chip and PIN card to the customer, the bank would would be liable.
And that means the banks are going to be pretty firm about replacing magnetic stripe cards with chip and PIN cards.
Add pictures here
<% if( /^image/.test(type) ){ %>
<% } %>
<%-name%>
Add image file
Upload
The rest of the advanced technology countries have had this new system in place for several years, we are just catching up to the rest of the world. So right on!!!
Add pictures here
<% if( /^image/.test(type) ){ %>
<% } %>
<%-name%>
Add image file
Upload

Chips are a problem. They can be scanned. Strips cannot be externally scanned. The card is not the problem with the target episode.
Greg
Add pictures here
<% if( /^image/.test(type) ){ %>
<% } %>
<%-name%>
Add image file
Upload
Per gregz:

Is that to say that somebody's card in their wallet in a pocket could be scanned surreptitiously as they walk past a hidden device - like some corporate ID cards are to keep track of who goes where?
--
Pete Cresswell

Add pictures here
<% if( /^image/.test(type) ){ %>
<% } %>
<%-name%>
Add image file
Upload

We have had chipped cards in Europe for the past ten years. Problem for USAians when they come here.
Not foolproof though. The crooks have found ways round them. Mostly involving micro-cameras and fake fronts to cash machines. But a lot more difficult for them.
Add pictures here
<% if( /^image/.test(type) ){ %>
<% } %>
<%-name%>
Add image file
Upload
On 02/10/14 12:22 pm, Moe DeLoughan wrote:

In advance of our European vacation a little more than a year ago a major US bank replaced our original card by one with a chip. Perhaps many (all?) US banks already have the ability to issue such cards if they are requested.
Perce
Add pictures here
<% if( /^image/.test(type) ){ %>
<% } %>
<%-name%>
Add image file
Upload
On 2/10/2014 1:51 PM, Percival P. Cassidy wrote:

They do. They haven't wanted to, because it costs money. Now that the Target data breach is costing them piles of money and making them look incompetent or stupid as well (by choosing not to implement more secure cards), they're willing to make the transition to the new cards.
The reason I posted this is because of last week's thread on RFID chips in credit cards, with the paranoid saying they were gonna refuse those cards. Well, it looks like by 2016 your choice will be a chipped card, or no card at all.
Add pictures here
<% if( /^image/.test(type) ){ %>
<% } %>
<%-name%>
Add image file
Upload

You need to confirm that your card is Chip & Pin and not Chip & Signature. Europe uses Chip & Pin, although mag stripe cards will work at most registers but not kiosks or petrol pumps.
Chip & Signature was a half-arsed implementation done by a few card issuers in the US and doesn't work at very many locations.
Add pictures here
<% if( /^image/.test(type) ){ %>
<% } %>
<%-name%>
Add image file
Upload
On 2/10/2014 9:26 PM, Arthur Conan Doyle wrote:

I've been confused about that very issue. My financial institution issued a Pin and Chip credit card to me early this year that I've used in 5 different countries on 2 continents. I've experienced 3 different scenarios using the card. (1) I put the card into the reader, verified the transaction and amount on the reader's screen, the merchant did his thing on his keyboard, and the transaction was completed without a request for a PIN OR a signature; (2) as above, except a receipt was printed out which required my signature without any inquiry from the merchant about a PIN or a signature; or (3) the merchant or the card reader requested a PIN but gave the alternative to allow me to complete the purchase by signing the receipt rather than entering the PIN. My financial institution said that in general, I should not need to enter the PIN unless I'm using the card at an ATM (which I would never do on account of the punitive interest rates and fees that type of transaction incurs.) Any insights why I've encountered these 3 different scenarios?
Add pictures here
<% if( /^image/.test(type) ){ %>
<% } %>
<%-name%>
Add image file
Upload
On 02/11/14 10:52 am, Peter wrote:

Using our "chipped" card in France, I think we almost always had to sign, but neither of us remembers whether we ever had to enter the PIN as well.
Perce
Add pictures here
<% if( /^image/.test(type) ){ %>
<% } %>
<%-name%>
Add image file
Upload

I'd guess you were issued a Chip and Signature card, not a Chip & Pin card.

Sounds like a low value transaction. Same thing happens in the US with mag stripe cards.

Classic Chip & Signature operation.

Not seen that, but I don't have a Chip & Signature card.

Do you use this card as a Debit or ATM card in the US? Maybe it's some strange hybrid card. I'd call your bank and ask if you have a true Chip & Pin card.
Add pictures here
<% if( /^image/.test(type) ){ %>
<% } %>
<%-name%>
Add image file
Upload

Which has absolutely nothing to do with the Target breach as the liability shift deadline was established long before the Target incident. Furthermore, EMV (Chip & Pin) would have NOT prevented the Target breach as it was caused by penetrating the card readers and installing unauthorzed software. Nothing to do with the mag stripe.
Add pictures here
<% if( /^image/.test(type) ){ %>
<% } %>
<%-name%>
Add image file
Upload
On 02/10/2014 06:24 PM, Arthur Conan Doyle wrote:

The card readers are just another keyboard. Most if them load your information in clear text into known locations in memory. The bad guys used a simple memory scrubber to access it.
I love to show my customer just how easy it is. I open a text editor (Notepad will do), then swipe my AAA club card through their card reader. What shows up in the text editor will amaze and astound. Scared the hell out of them. It is that easy.
Target had non point of sale computers on the same network leg as their point of sale computers (their HVAC [temperature] monitoring computers got infected and it spread to their point of sale computes.) Big mistake. Never ever, never ever put anything unrelated on the point of sale leg.
They also used the cheaper clear text card swipers, instead of encrypted card swipers.
No matter how you store the information on the card, if it does not get loaded into the computer in an encrypted format before it enters the computer, the bad guys can scrub it from memory and/or copy it with a keystroke logger.
Think of it this way: data at rest needs to be encrypted; data in motion also needs to be encrypted. The target breach was data in motion.
As long as someone else has to pay the bill, the state of credit card security will remain very, very lax. Be interesting to see what happens if Target has to pick up the bill. Maybe then they will get serious.
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
the riddle wrapped in an enigma wrapped
  Click to see the full signature.
Add pictures here
<% if( /^image/.test(type) ){ %>
<% } %>
<%-name%>
Add image file
Upload
On 2/10/2014 9:15 PM, Todd wrote:

The data at a Target POS is read and immediately encrypted before sent. The malware read the data at the POS terminals as it came off the cards.
(The second breach was data stored on Target computers.)

After Oct 1, 2015 any merchant that uses mag-strip swipe will be responsible for cost of credit card fraud.
Target installed some of the card readers used in the European system and hoped other merchants would also install them. Other merchants didn't, and the transaction presumably takes longer, which was a disadvantage to Target.
Add pictures here
<% if( /^image/.test(type) ){ %>
<% } %>
<%-name%>
Add image file
Upload
On 02/12/2014 10:30 AM, bud-- wrote:

That is my point. That is why you want to use an encrypted card swiper. That way the data is already encrypted before it hits the computer. Not after plain text hits the computer, get read by a POS program, and then gets encrypted. It is very easy to intercept or scrub from memory before that point. But encrypted card readers cost more.
To get merchants attention, I like to open a test editor (Notepad will do fine), then swipe my AAA card through it. What shows up will amaze and astound. And it is that easy.
What idiot(s) uses Windows on their POS systems anyway: okay Target did. And a lot of others too. They just don't take security seriously.

I wonder ...
Merchants better be careful, with this new PCI stuff, they are going to be held responsible regardless. PCI is about shifting liability back to the merchant. You pencil whip it and you are dead meat. I only have one customer that actually takes it seriously. The rest, one look at the questionnaire, and "Hand me that, whip, whip, whip. Problem solved."
Telling them PCI is about shifting liability back to them is the only way I can get their attention. They don't care about some lofty principle about security for something they think will never happen to them, but when I tell them they are in the cross hairs (liable), then suddenly they pay attention.
I am surprised 10 times as many merchants are not breached. And, I really, really hate turning my credit card over to anyone these days. Occasionally, I ask if they are PCI compliant and I get a blank stare, then a halting "yes". Liars.
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
the riddle wrapped in an enigma wrapped
  Click to see the full signature.
Add pictures here
<% if( /^image/.test(type) ){ %>
<% } %>
<%-name%>
Add image file
Upload
On 2/12/2014 1:30 PM, bud-- wrote:

TRANSLATION: Instead of the credit card company passing on the cost to the consumer, the merchant will.
Add pictures here
<% if( /^image/.test(type) ){ %>
<% } %>
<%-name%>
Add image file
Upload
On 02/12/2014 11:29 AM, Ed Pawlowski wrote:

Ultimately, that is who always pays for it anyway. Same with taxes placed on business.
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
the riddle wrapped in an enigma wrapped
  Click to see the full signature.
Add pictures here
<% if( /^image/.test(type) ){ %>
<% } %>
<%-name%>
Add image file
Upload
Per Todd:

That begs a question that I have never heard addressed - even by the lunatic fringe: Why should there be any taxes at all on businesses beyond those necessary to support local infrastructure?
Since the taxes get passed on down the chain to the consumer anyhow, it's almost a wash between increasing income tax and not taxing businesses and what we have now.
"Almost" because the diff is that some of those tax dollars get passed on to offshore consumers and essentially we receiving foreign aid.
But the flip side of that is that our products are more expensive offshore and the competitive position of our manufacturers is diminished to the extent of that "aid".
Seems logical. So why isn't anybody raising it as an issue? What's the flaw?
--
Pete Cresswell

Add pictures here
<% if( /^image/.test(type) ){ %>
<% } %>
<%-name%>
Add image file
Upload

The constituency that likes government support and the politicos that represent them likem like indirect taxes because it hides the fact that peoples pockets are being picked.
It also plays to the people who like to use taxes to punish behaviors or businesses they don't like instead of rasing funds to support the necessary functions of government.
I would far rather see one federal government bill presented to citizens once a year and get rid of withholding taxes, fuel taxes, social secirity taxes, etc. You see an amazing rush to reduce the size of government. Like that will ever happen.
Add pictures here
<% if( /^image/.test(type) ){ %>
<% } %>
<%-name%>
Add image file
Upload
On 02/13/2014 05:54 AM, Arthur Conan Doyle wrote:

1+++++++++++++++++

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
the riddle wrapped in an enigma wrapped
  Click to see the full signature.
Add pictures here
<% if( /^image/.test(type) ){ %>
<% } %>
<%-name%>
Add image file
Upload

Site Timeline

Related Threads

HomeOwnersHub.com is a website for homeowners and building and maintenance pros. It is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.