Kyle Creyts, senior threat analyst, Lastline
Kyle Creyts, senior threat analyst, Lastline

P.F. Chang's is the latest in a string of retailers including Target and Neiman Marcus to lose customer financial data using point-of-sale (POS) credit card swipe machines that have been compromised by advanced malware. So is it time to go back to cash? Or are there other forms of digital payment that are more secure?

Certainly, NFC, Square, Stripe and EMV technology are all better than swipe.Why? All of these use or support  some form of spend limiting, track data encryption or implement additional card and cardholder verification mechanisms.

Square, for example, encrypts the track data (the information on the mag-stripe on the back of your card) at the reader (the little white plug, or the place where you swipe at the register), and it can't be decrypted by the device it is attached to; my understanding is that it is only decrypted deep inside Square's payments processing enclave. This means that there is no way to steal the track data from the POS device.

Let's talk about EMV. EMV is a standard for payment cards or devices with integrated circuits to interact with transaction terminals (such as ATMs, point-of-sale stations, etc). More commonly know as IC payment or chip card payment, systems compliant with EMV have the ability to apply a number of mechanisms to authenticate that the card being used in a transaction was the card issued to a cardholder, as well as mechanisms for validating that the person using the card – or card information in the case of online transactions – is an authorized user of that card.

Classing all NFC (contactless) payment mechanisms into one lump is hard, but the popular contactless payment mechanisms I am aware of support EMV, dramatically restricting the reuse of card authorization data collected at a terminal. This applies to other forms of non-NFC EMV transaction as well, including chip-and-pin, chip-and-signature, and other mechanisms that require contact.

Though all this discussion about POS attacks will likely begin to fade as the liability shift for non-EMV transactions approaches and more POS implement EMV; as of October 2015, fraudulent transactions at many terminals in the U.S. will be the liability of the party which hasn't implemented the necessary EMV measures, whether it is the card issuers (banks, FIs, etc.), or the acquirer (the retailer, or merchant that is responsible for the POS terminal), or both. By October 2017, this should be so for all terminals in the U.S.

But stop gap measures like switching to taking analog credit card imprints in order to prevent digital security breaches as P.F. Chang's is implementing are only temporary, don't scale and in fact introduce other security concerns as they are easily stolen with a quick smart phone picture and don't allow for proper real-time authentication or verification.

While the EMV implementation deadline isn't for another year plus, this latest in a string of POS credit card swipe machine malware attacks and financial data thefts is a powerful call to action for the retail industry – update and secure your payments technology now.