Data breaches at Target, Neiman Marcus and other retail chains left many of us nervous about using our debit and credit cards. Data for 40 million credit cards was stolen from Target's point-of-sale machines in 2013, and another 1.1 million from Neiman Marcus.
Slava Gomzin pinpoints weaknesses in the current payments processing landscape in "Hacking Point of Sale." He spoke to CreditCards.com about what we as consumers can do to keep our data safe.
Q: The Target debacle set off a debate about debit cards vs. credit cards. Which is safer in that kind of breach?
A: In theory, a debit card is safer than a credit card because it offers two-part identification. In information security, this is called two-factor authentication. You have to swipe your card, then key in your PIN number, which makes it twice as hard for a hacker to replicate and use your card. The problem is most debit cards are dual-purpose, so they can be used as a debit card but processed by the credit card network.
If you have a debit card, you know some places prompt you to enter a PIN number, but in others you just swipe the card without entering the PIN. The cardholder data on the magnetic stripe can be processed without the two-part identification. So hackers can still steal the data from the [point-of-sale] machine, make fake cards and use them.
Q: Will the migration to chip cards protect us from hackers?
A: brings some protection. You insert a chip-and-PIN card instead of swiping, then key in your PIN number. So there's that two-factor authentication. There is also an immediate dynamic offline authentication that magnetic stripe cards don't have. The original purpose behind EMV was to fight credit card fraud at point of sale. Chip cards protect the cardholder much better there than magnetic
Q: We're getting mostly chip-and-signature cards in the U.S. Is the two-step process of signing as effective as keying in a number?
A: From the POS perspective, it's the same as chip-and-PIN. It's just less secure from the merchant's perspective. Some people think there's some validation of the signature when you sign on the terminal, but there is no validation. You can put anything instead of your signature. Nobody's validating it.
Q: Could those breaches at Target and Neiman Marcus have been avoided if chip cards were used instead of magnetic-stripe cards?
A: necessarily, because EMV was not designed to secure the cardholder's data after the point of sale. With the breaches at Target and Neiman Marcus, cardholder data was stolen after it was entered into the system. It was stolen from the memory of POS machines. At that point, it doesn't matter if it was entered through the magnetic stripe. When someone steals cardholder data through an EMV card, dynamic indication was used so you cannot just replicate the cards and use it for another transaction. The bottom line is that EMV is more secure than magnetic stripe, but it's not really designed to secure the data.
Q: Chip technology has been around for 10 years. Is it still hack-proof?
A: EMV is not new technology. It did significantly reduce the amount of fraud for brick-and-mortar merchants in Europe, but the fraud there moved online. A big problem with EMV is it doesn't provide security to online transactions. When you go to a website to pay for something with an EMV card, you still need to enter the account number and date exactly the same way you do with a magnetic
Q: By the time we make the transition to EMV, will hackers have figured a way around it?
A: are not super smart. They look for the easy way to steal card data. It's much more difficult to steal EMV data than magnetic stripe, so hackers moved to the U.S. The U.S. is the easiest place to steal card data today.
After the transition to EMV, they will try to find new ways to attack the systems. At conferences in recent years, white-hat hackers demonstrated that EMV is vulnerable to attack. Hackers will adapt to the new technology the same way they adapted to PCI after it was introduced seven years
Q: PCI rules -- short for Payment Card Industry Data Security Standard -- were set up in 2004 to protect us from this kind of fraud. Do the recent breaches mean that system failed?
A: reduced the amount of breaches significantly for a couple years and then hackers learned how to avoid it because there were so many holes in PCI -- especially in stores. PCI rules allowed data to be processed in the RAM of point-of-sale machines, then transmitted over the local networks. Hackers learned this quickly and after a couple years, the amount of breaches started to grow. By the end of last year, it was growing
Q: You compared the PCI-compliant merchant environment to "a poorly designed nuclear reactor ready for a meltdown."
A: [Laughs.] Of course, it was a good idea to introduce PCI, but PCI is suitable for big payment processors like banks and data centers. It's not suitable at all for the store environment. I think it was a mistake originally to introduce PCI to merchants. Instead of investing a lot of money into PCI compliance, they should have invested in point-to-point encryption and forget about the breaches.
Q: In your book, you advocate for an overhaul of the security system at point of sale. How likely is that to happen?
A: technologies today that would solve the problem. Point-to-point encryption is one. It protects the cardholder data from the moment of the card entry ... The problem is that it requires significant investment in [research and development] and hardware. So instead of investing in that, merchants were forced to follow these PCI rules that are not so effective at protecting the cardholder. It's not something we can't stop, but I don't think we are moving in the right direction.
Q: Merchants are already investing a lot in EMV technology in the U.S. If they resist an expensive security overhaul, will we see more Target-style breaches?
A: Even if merchants decided to make a full transition to EMV tomorrow, it would take several years for a full transition and it still doesn't protect online transactions. So we will see more breaches, at least in the near future.
Q: As cardholders, where are we most vulnerable -- in stores or online?
A: Both are vulnerable. As long as there are magnetic stripe cards being used, we're far more vulnerable in stores than we would be with chip cards. Online, there are payment systems in place that introduce some security. Instead of just entering your cards every time, you can use PayPal or Amazon Payments, for example. Both technologies are much safer than entering your credit card number.
Q: I've always wondered if I'm more or less vulnerable using PayPal.
A: If you have a choice on the Web, always select PayPal because it stores your cards' information on special servers in a secure environment. PayPal and Amazon Payments are also PCI compliant, by the way, but PCI compliance works there because both have big data centers with IT professionals and security experts. When you key in your credit card online or use it at a store, you simply don't know what will happen to the number after the
Q: Some issuers offer virtual credit card numbers you can register for before an online purchase. The numbers expire after 24 hours. Is that an effective way to protect your information?
A: Yes, it offers some protection, but you still have to enter your credit card number to generate this temporary number, so you still expose your data online. The second issue is that it's not a very practical solution because it takes time and consumers don't like to take that extra step. It's definitely much safer than just using your credit card.
Q: So hackers grab our information as we're inputting the credit card number?
A: With an online transaction, they can attack through a plug-in on your browser, something stored in your machine or on the retailer's website. There are a lot of ways to attack online transactions.
Q: Is it similar to the way hackers stole cardholder information at Target and Neiman Marcus?
A: No, the attack vectors are completely different for brick-and-mortar transactions. I can't tell for sure what they did at Target and Neiman Marcus because they don't disclose this information. Based on what we know, I assume it was done by RAM-scraping, where software is installed on point-of-sale machines to scan the memory and look for credit card numbers. It's relatively simple. It collects this data and sends it to the command center, a virtual data center installed somewhere in a
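The answer above describes RAM scrapers hunting for card numbers in POS memory, and the earlier answer on point-to-point encryption explains why a POS that never holds cleartext card data has nothing for them to find. The check below is an added example, not code from the interview or from Gomzin's book: it is the kind of scan a merchant's security team or PCI assessor runs over a memory dump or log capture to confirm that no cleartext primary account number (PAN) is present. It looks for runs of 13 to 19 digits, filters them with the Luhn check that real card numbers satisfy, and reports only masked results. Both sample buffers are constructed for this example; the two card numbers in the first one are the published Visa and Mastercard test numbers, and the opaque token in the second stands in for the ciphertext a P2PE reader would hand to the POS.

```python
import re
from typing import List

# Runs of 13-19 digits, optionally separated by spaces or dashes, as cleartext
# track data or a PAN might appear in memory, receipts or debug logs.
PAN_CANDIDATE = re.compile(rb"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check that payment card numbers satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """PCI-style masking: keep the first six and last four digits."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_cleartext_pans(buffer: bytes) -> List[str]:
    """Return masked, Luhn-valid card numbers found in a memory or log buffer."""
    hits = []
    for m in PAN_CANDIDATE.finditer(buffer):
        digits = re.sub(rb"[ -]", b"", m.group()).decode("ascii")
        if luhn_valid(digits):      # drops order ids, timestamps, phone numbers
            hits.append(mask_pan(digits))
    return hits


# Constructed sample: what a POS that processes card data in RAM might hold.
# 4111111111111111 and 5555555555554444 are published test card numbers.
CLEARTEXT_POS_MEMORY = (
    b"txn=000123 ts=20131201T153000 "
    b"PAN=4111111111111111 exp=1216 amt=4999 "
    b"track2=5555-5555-5555-4444 "
    b"order=1234567890123456 "      # 16 digits but fails Luhn: not a card
    b"phone=555-0100 "
)

# Constructed sample: a P2PE terminal encrypts at the reader, so the POS only
# ever sees an opaque token/ciphertext (a made-up placeholder here).
P2PE_POS_MEMORY = (
    b"txn=000124 ts=20131201T153200 "
    b"PAN_TOKEN=tok_7c2e9a41f0b3 exp=1216 amt=4999 "
)


if __name__ == "__main__":
    print("cleartext POS:", find_cleartext_pans(CLEARTEXT_POS_MEMORY))
    print("P2PE POS:     ", find_cleartext_pans(P2PE_POS_MEMORY))
```

Run against the first buffer the scan reports two masked card numbers and ignores the order id, which has the right length but fails Luhn; against the P2PE buffer it reports nothing, which is the property a merchant wants to verify before trusting that a RAM scraper on the POS would come up empty.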
Q: What can we do to protect ourselves while security measures are put in place?
A: still very dangerous. I would recommend reducing the risk of losing everything at once. Instead of using one credit card with a $10,000 limit, create two or three card accounts with lower limits. That way, if someone steals your card, they can't steal all your money. Same for debit cards. If you have just one bank account, hackers can withdraw all the money from your account. You'll probably get your money back because the banks have insurance from credit card companies but it will take several days. So I recommend opening a few accounts and using several different cards.
Q: Is that what you do?
A: Yes. To me, it's still much more convenient to use credit cards than to pay with cash, but we can pay a lot for this convenience.