Kenneth van Wyk: Target breach underscores how backward U.S. payment tech is
There's no good reason for the U.S. to be so far behind in adopting EMV
Computerworld - We're still doing it wrong. How on earth, in the year 2013, nearly seven years after the record-setting TJX breach, can a retailer suffer a credit card breach that actually compromises user account numbers?
And yet here we are, witnessing Target scurrying to make things right after announcing that some 40 million customers' credit and debit card data had been illegally accessed in what amounts to the second-biggest credit card security breach in U.S. history. While there are doubtless many problems that led to this breach, at least much of the culpability must rest on the fact that we're using ancient payment card technologies here in the U.S., whereas the rest of the world has long ago eclipsed us with more modern tech.
Almost all of the burden for this, of course, falls on the side of the merchants and the payment card issuers/processors. But we consumers also need to pull our weight and demand more modern systems from our providers.
So let's consider the issues from two perspectives: 1) the merchant side and 2) the customer endpoint, at least for online purchases.
First, the merchant side, since that's what was compromised in the Target breach. Our best hope for ending this type of wide-scale breach that harvests millions of account numbers is the Europay Mastercard Visa (EMV), cards used throughout the world -- except for here in the U.S.
While certainly not perfect (as a group of researchers at Cambridge University discovered a couple of years ago), EMV, or "chip and pin" cards, have one massive advantage over the magnetic stripe system used in the U.S.: The merchant does not gain access to the customer's account number. Since that number doesn't leave the customer's card, massive system compromises should never result in the harvesting of millions of card numbers.
Unfortunately, EMV cards are not yet commonly available in the U.S. Things could be changing, since some U.S. banks are offering them, and during my holiday shopping this year, I did see two vendors whose point-of-sale terminals had chip-and-pin slots. I've used EMV on my overseas travel. I hope a lot more U.S. residents have experienced them as well and will create a groundswell for widespread U.S. adoption.
Now for the consumer perspective. I know that most people have done more online shopping over the past month than they did in the 11 months before that, but there are things we can do year-round to protect ourselves while shopping.
For starters, ask your credit card issuers if they support EMV cards, or what their rollout plans and timeline are. The card issuers need to hear a solid message from us consumers that we're fed up with magnetic stripe systems that are so trivially compromised.
More by Kenneth van Wyk
- Kenneth van Wyk: Apple's big fail
- Kenneth van Wyk: After Snowden
- Kenneth van Wyk: Target breach underscores how backward U.S. payment tech is
- Kenneth van Wyk: Enjoy your trip, but protect the data you take with you
- Kenneth van Wyk: Lingering faults with security by default
- Kenneth van Wyk: High hopes for iPhone's Touch ID
- Kenneth van Wyk: Why mobile apps beat Web apps for privacy
- Bug bounties: Bad dog! Have a treat!
- How to avoid Big Brother's gaze
- The true root causes of software security failures
- Best iPhone, iPad Business Apps for 2014
- 14 Tech Conventions You Should Attend in 2014
- 10 Desktop Apps to Power Your Windows PC
- How to Add New Job Skills Without Going Back to School
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Alert Logic for PCI DSS Compliance To achieve PCI DSS compliance, you must identify and remediate all critical vulnerabilities detected during PCI scans. Threat Manager streamlines this process by...
- Cybersecurity Imperatives Reinvent Your Network Security With Palo Alto Networks The Rise of CyberSecurity
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts