A CIO for whom I once worked used to try to convince me that the battle for private data is already lost. His view was that our personal data is already out there in the world and it will just be a matter of time before we all get breached. He was, in a sense, correct. Up to 70 million individuals had personally identifiable information stolen in the recent Target data breach.
In July 2012, I wrote about the near-total transition in Western Europe to the chip-based EMV payment system [EMV is an acronym for Europay, MasterCard and Visa, an international standard for inter-operation of integrated circuit cards]. Replacing the magnetic stripe swipe system still in use in the United States is a security imperative: too much private data sits without protection in that stripe. As of 2011, 75 percent of cards in Europe were already chipped, and penetration in Canada exceeded 30 percent. I have started to observe some EMV chip-capable payment terminals in retail outlets in the New York City metropolitan area, but I have not yet been able to make a payment in the U.S. via chip-and-PIN as opposed to swipe the stripe.
Many reports state that one of the factors leading to the Target breach was the known insecurity of the magnetic stripe system, combined with a RAM-scraping point-of-sale terminal virus. Perhaps this is the case, although I wonder as well whether the upstream flow of the data was adequately protected. Certainly, at least some of the data was resident in other company databases. Why then, in light of known vulnerabilities, has the payment industry in the U.S. been slow to transition away from swipe the stripe?
Estimates have shown that it could cost as much as $3 billion (about the 2010 cost to fight wars in Iraq and Afghanistan for one week) to convert the payment infrastructure in the U.S. to chip-and-PIN. But we can start small. Begin with the piece of payment infrastructure carried in your wallet or purse: the card!
I sense, however, that the payments industry has about the same eagerness for the upgrade that the nation had for the switch over to metric measurements. Why do I perceive a lack of will?
I have several personal accounts with a major bank that offers EMV chip-and-PIN cards to its customers. One card has the chip because I requested it last year. However, I recently signed up for a promotion with that same bank for another card with a different sponsor. I received the new card in the mail and immediately noticed that there was no EMV chip. This new card is definitely meant for travel, offering a no-foreign-transaction-fee benefit. How does this make sense?
Using the U.S.-issued chip-and-PIN card in Europe offered its own surprise. The European terminals seem to have a lax security procedure. Over the course of a recent trip to two different countries, my chip-and-PIN card was accepted without the terminal requesting that I enter the PIN. This, too, makes no sense.
Then again, we live in a world where large corporations and government entities store our private data on unencrypted laptops that walk out the door. The common theme here is that in many cases, our profession knows the right solution, or at least a better solution. We must be more effective in the implementation. The public is becoming desensitized into believing that breaches are inevitable and that we must live with them.
This is not the message that we security practitioners want to send.