Target Moves To Chip and Pin Cards To Boost Security

Unknown Lamer posted about 4 months ago | from the likely-a-communist-plot dept.

The Almighty Buck 210

jfruh (300774) writes "U.S. retailers must accept chip-and-pin charge cards by the end of 2015 or become liable for fraudulent purchases made with chip cards. Target, still smarting from its recent embarrassing security breach, is moving to get ahead of that trend. The company will be installing chip-and-pin terminals in all its stores, and will also be issuing chip-and-pin versions of its own branded cards, which account for about 20 percent of Target sales. Will this move by a huge retailer push the U.S. into parity with the rest of the world?"

210 comments

Re: Chip and PIN (1)

killfixx (148785) | about 4 months ago | (#46880661)

A bit off topic, but how will this changeover affect companies like Square that depend on swipe and sign for most transactions?

Other than that, it's about fucking time!

Sick of finding out every other month that some retailer that I frequent has been hacked.

I'm tired of constantly changing my credit info to avoid being ripped off...

Re: Chip and PIN (2)

jolyonr (560227) | about 4 months ago | (#46880725)

Square will have to do what PayPal Here does in territories with Chip and Pin, and that's replace their device with one that has a chip reader.

Of course, the PayPal Here reader with Chip and Pin is almost ten times the cost of the US PayPal Here swipe reader.

Re: Chip and PIN (4, Informative)

Em Adespoton (792954) | about 4 months ago | (#46881109)

Square will have to do what PayPal Here does in territories with Chip and Pin, and that's replace their device with one that has a chip reader.

Of course, the PayPal Here reader with Chip and Pin is almost ten times the cost of the US PayPal Here swipe reader.

Well, it really depends. Without chip and pin, the vendor assumes all responsibility for chargebacks. It will be a decision for each Square user as to whether it is more profitable to assume liability or pay for the more expensive reader upgrade.

Re: Chip and PIN (1)

AlphaWolf_HK (692722) | about 4 months ago | (#46881237)

Don't you just need a simple ISO7816 card reader? I remember paying $10 for those 8 years ago back in my DirecTV hacking days. The communication method is simple serial/RS232, of which there is a Bluetooth standard for (and it works rather well with Android phones too, I've used it for OBD2 serial communication to avoid needing a wire connected under the dash.)

PayPal Here could likewise do ISO7816 via a Bluetooth dongle and ask for the pin on the device itself. I don't imagine the whole thing would cost the same if not less than the present dongle they have. (My Bluetooth OBD2 dongle cost me $20, and apparently the manufacturer makes a profit on it.)

Re: Chip and PIN (1)

toonces33 (841696) | about 4 months ago | (#46881557)

That's clearly part of it, but there is a lot of backoffice related stuff that needs to be present for it all to work as there is encrypted information that needs to get passed back and forth from the card to the issuer.

But a small merchant might not have that much to do in that I am guessing that their own bank would handle all of that.

Re: Chip and PIN (1)

maevius (518697) | about 4 months ago | (#46881777)

Not really. Chip might be kinda easy to read using commodity hardware, but pin entry must be done through a PCI certified device (as in, lots of money for certification, passed on to you, the consumer)

https://www.pcisecuritystandar... [pcisecuritystandards.org]

Re: Chip and PIN (2)

Mattcelt (454751) | about 4 months ago | (#46881855)

I still have a Target-branded chip-and-pin card and USB reader from 10+ years ago from an early pilot they did with a well-financed crypto startup. I would imagine some of their executives are kicking themselves now for having shut the project down then.

It's nice to see the US finally catching up with what Europe has been doing for a very long time.

Re: Chip and PIN (2)

number17 (952777) | about 4 months ago | (#46880927)

but how will this changeover affect companies like Square that depend on swipe and sign for most transactions?

Your card will likely continue to have a magnetic stripe [rbcroyalbank.com] for non chip and pin terminals. Canada's deadline for "liability shift" [www.visa.ca] was March 31 2011 for credit.

Re: Chip and PIN (0)

sjbe (173966) | about 4 months ago | (#46881117)

A bit off topic, but how will this changeover affect companies like Square that depend on swipe and sign for most transactions?

Short answer is "who cares?". If they can't get with the new technology then we don't need them.

Re: Chip and PIN (1)

radarskiy (2874255) | about 4 months ago | (#46881155)

On the user side, all cards are backwards compatible with not only magnetic stripe but also mechanical impression on carbon paper.

On the processor side, presumably Square will have a new unit next year that can read the chip unless they want to absorb the costs of chargebacks themselves.

Re: Chip and PIN (2)

AlphaWolf_HK (692722) | about 4 months ago | (#46881159)

I think your bank is probably more tired of it than you are as by law they are required to eat most of the liability. The good banks give you zero liability (as in, you aren't ever responsible for losses.)

I'm curious how this will work for internet transactions though, unless they expect everybody to have smartcard readers (wouldn't bother me, but buying things via smartphone or tablet will need some revamping.)

Re: Chip and PIN (1)

timeOday (582209) | about 4 months ago | (#46881615)

I'm curious how this will work for internet transactions though, unless they expect everybody to have smartcard readers

My guess: more businesses will be pushed towards PayPal, which will not use the extra verification, the PayPal fees amounting to a "security surcharge" / insurance policy for the extra risk of such unverifiable transactions.

Re: Chip and PIN (2)

lgw (121541) | about 4 months ago | (#46881489)

Other than that, it's about fucking time!

Sick of finding out every other month that some retailer that I frequent has been hacked.

That won't change in the long run. In the short run maybe some benefit, while the crooks come up to speed, but chip and PIN is also hackable. It's not as easy, to be sure, but technology marches on and both PIN harvesting and stolen card use are happening in Europe today (though not with the frequency of the US problems yet).

One place we might gain advantage from our late start is that no one will have the older-tech cards where PIN-extraction from stolen cards is possible (and done) due to flaws.
 

America is *finally* implementing chip-and-pin (4, Insightful)

Lumpio- (986581) | about 4 months ago | (#46880695)

Meanwhile in Finland, everything and everybody has a wireless payment terminal. I once even saw a street musician with one for tips...

Re:America is *finally* implementing chip-and-pin (1)

jones_supa (887896) | about 4 months ago | (#46880975)

I can confirm this.

Re:America is *finally* implementing chip-and-pin (4, Funny)

Ol Olsoc (1175323) | about 4 months ago | (#46881175)

I can confirm this.

Only Netcraft can confirm this.

Re:America is *finally* implementing chip-and-pin (2)

93 Escort Wagon (326346) | about 4 months ago | (#46882089)

I can confirm this.

Only Netcraft can confirm this.

Netcraft can only confirm that the street musician is dying.

Re:America is *finally* implementing chip-and-pin (3, Interesting)

welshie (796807) | about 4 months ago | (#46881107)

Today I saw an American in London trying to buy their lunch with their credit card. The cashier didn't know how to process swipe-and-sign cards, since they are exceedingly rare, they had to go and find a pen.

Re:America is *finally* implementing chip-and-pin (1)

Skater (41976) | about 4 months ago | (#46881291)

I'm going to Vienna, Austria (from the US) in a few weeks for work. My work-supplied credit card doesn't have the chip, so I asked about getting one with it. The area that handles the cards in my office said, "You're the first to ask about them," and called the credit card issuer. The CC company came back and said, "No, we don't issue them." Oddly enough, I have a personal CC in my wallet with the chip, issued by that same company. That card will be going with me to Europe.

if that card is Chip and sign, you're boned (2)

YesIAmAScript (886271) | about 4 months ago | (#46882093)

It still has to be swiped in Europe.

You need a Chip and PIN card. Wells Fargo issues them now. And Chase does for some cards too. You really should be getting one of those before you go.

If you don't have the PIN for your card, you don't have a Chip and PIN card and you'll be in a slightly worse boat in Europe than a card that doesn't have a chip because you'll usually have to tell them "ignore that chip, you have to swipe that" every time you use the card.

Re:America is *finally* implementing chip-and-pin (1)

toonces33 (841696) | about 4 months ago | (#46881509)

I was in London in Feb, but I have a chip card from BofA. Technically not chip-and-pin, it is chip-and-signature. But I didn't have any problem whatsoever when I was there. Everyone knew what to do with it, and it worked without a hitch.

Re:America is *finally* implementing chip-and-pin (1)

CodeArtisan (795142) | about 4 months ago | (#46881689)

Today I saw an American in London trying to buy their lunch with their credit card. The cashier didn't know how to process swipe-and-sign cards, since they are exceedingly rare, they had to go and find a pen.

Very much this. I'm a Brit that has lived in the US for 17 years. When I go back home, the cashiers hear my accent, think I'm local and then give me weird looks when they have no clue how to process my credit cards (even though, technically, they should be able to). It's got to the stage now where I just use cash over there.

Re:America is *finally* implementing chip-and-pin (0, Troll)

interkin3tic (1469267) | about 4 months ago | (#46881305)

I remember hearing that one reason the US didn't have this while most other civilized countries did was because of all the crazy Christians we have, who think it's the mark of the devil. There's no doubt a little bit of reluctance to start a new security measure which will cost them money, especially when there's no real demand for it here, but I'm guessing concerns over some insane televangelist going on some insane rant about "Visa is the DEVIL!" could seal the deal. So I'm going to blame them.

'Bout time (0)

CRCulver (715279) | about 4 months ago | (#46880701)

Congratulations USA, you are only 10 years behind Finland. And not only have chip-and-pin cards been around for that long here, but some merchants have stopped accepting cards without chips (which is a pain in the ass for US expats or tourists who want to use their US card here).

Re:'Bout time (0)

Anonymous Coward | about 4 months ago | (#46880857)

10 years? I've had a chip card always, and it's been more than 10 years

Re: 'Bout time (0)

Anonymous Coward | about 4 months ago | (#46881033)

You're comparing a nation with probably 1000s of times more retailers than Finland. There's an economy of scale thing to consider.

Re: 'Bout time (1)

CRCulver (715279) | about 4 months ago | (#46881105)

Chip-and-PIN terminals are found across the EU, whose overall population and amount of businesses is perfectly comparable to the US.

Re: 'Bout time (4, Interesting)

AlphaWolf_HK (692722) | about 4 months ago | (#46881567)

The US almost always suffers from the early adopter problem. That is, we get the earlier versions of standards merely because we adopt them first, and by the time Europe gets around to adopting them the technology has improved based on what was learned in the US. Note similar things like T1 equivalent E1 being faster, and given that superseding technologies (such as optical carrier) are sold in multipliers of T1 speeds, the Europe versions tend to be specced higher.

Broad adoption of standards is like a marriage: You're stuck with it, flaws and all, and changing to another incompatible one requires a lot of pain and sacrifice, with there being more pain the longer the marriage has lasted. For another perspective on this, look how much of a PITA it was to switch to digital TV, which the US actually did faster than most of the world.

And yes, I know Europe also had magnetic stripe. But like the marriage analogy they didn't have it for as long nor was it adopted as broadly before chip and pin came along, likewise switching wasn't as difficult.

There is a silver lining to our system though:

One time I saw somebody commenting on how much he hates chip and pin because it was supposedly only being pushed so that banks can force you to pay for fraudulent charges, whereas magnetic stripe they supposedly can't. The article was referring to the US adoption, and so I told him that we already have laws that strictly limit liability for consumers that mostly just make banks liable, and they aren't going away. He then lambastes me that "the rest of the world" doesn't do it that way, therefore chip and pin is evil, and I'm a stupid ignorant American for thinking that, even though the article was specifically about the US where such a problem doesn't exist.

Why doesn't it exist? Well, because us backward Americans have been on magnetic stripe for so long, that it was born out of necessity. (Which by the way, looking in his profile revealed he lived in Europe, which isn't "the rest of the world" as other non-European countries do have similar laws to the US, for the same reasons.)

Re: 'Bout time (0)

Anonymous Coward | about 4 months ago | (#46882179)

Well you can compare with individual states too, and the situation does not change at all.

CARDHOLDER SHOULD BE LIABLE FOR ALL PURCHASES (0)

Anonymous Coward | about 4 months ago | (#46881735)

Case closed.

This isn't why they had a security breach (4, Informative)

Karmashock (2415832) | about 4 months ago | (#46880705)

They might as well announce they're getting Yeti insurance. They had their payment system compromised by people that got access to their point of sale system at one of their stores and then used that to gain access to their central system.

That has nothing to do with chip and pin.

And ultimately, how would you do chip and pin for online retail? You know, people that literally have to type their credit card number into a field? So indifferent to chip and pin, that is going to keep working. And I suspect that indifferent to chip and pin, somewhere in the Target billing system there will be a list of credit card numbers, expiration dates, and security codes. A hacker gaining access to that database isn't going to care if the cards were chip and pin or not. Because by that point the data is prepared for processing. The only way chip and pin would be effective is if the security code were different for each transaction. That seems extremely unlikely but if you could somehow pull that off then snagging the numbers might not get the thieves anything. Of course, how you'd get that to work with online retail is anyone's guess.

TLDR... I don't think chip and pin is going to accomplish anything and insofar as I understand the issue it wouldn't have stopped the breach at Target in the first place. So I don't know why they're talking about it like it's a solution to anything.

Re:This isn't why they had a security breach (1)

CRCulver (715279) | about 4 months ago | (#46880781)

And ultimately, how would you do chip and pin for online retail? You know, people that literally have to type their credit card number into a field?

Lots of online retailers now put credit card transactions through the Verified with Visa program, which takes you to e.g. your bank's online banking login page where you have to enter further credentials to complete the order. So, even if a thief has your credit card number and the extra security number on the back, he would not be able to use it without an extra password.

Re:This isn't why they had a security breach (1)

NevarMore (248971) | about 4 months ago | (#46880855)

he would not be able to use it without an extra password.

Which was written on a piece of paper in your wallet with your credit cards.

Naa, I use 4-step security, so I don't have to wri (1)

Anonymous Coward | about 4 months ago | (#46882017)

1) Click on "Forgot Password?" Link
2) Click on link to reset password in email just received
3) Create new password
4) Use new password before you forget it. If you forgot it, return to step 1

Re:This isn't why they had a security breach (1)

rogoshen1 (2922505) | about 4 months ago | (#46880861)

Perhaps it's because I've never had anything go wrong in terms of online shopping, but that program is such a pain in the ass.

Re:This isn't why they had a security breach (0)

Anonymous Coward | about 4 months ago | (#46881003)

I find it to be a pain because it's not everywhere, if I had to do it for every transaction/every card I'd actually remember it, as it is I just use my MasterCard on newegg because I have no idea what I set up my verified by visa credentials to be.

Re:This isn't why they had a security breach (1)

PPalmgren (1009823) | about 4 months ago | (#46881997)

To get you to sign up for it, they're kind of deceptive. You can press 'skip' or 'no thanks' to verified by visa signup. Of course now that you're signed up you're boned, and it's probably a good idea to do it, but not having it isn't going to remove the ability for you to report and void fraudulent charges.

Re:This isn't why they had a security breach (0)

Anonymous Coward | about 4 months ago | (#46881479)

And ultimately, how would you do chip and pin for online retail? You know, people that literally have to type their credit card number into a field?

Lots of online retailers now put credit card transactions through the Verified with Visa program, which takes you to e.g. your bank's online banking login page where you have to enter further credentials to complete the order. So, even if a thief has your credit card number and the extra security number on the back, he would not be able to use it without an extra password.

Mastercard has a similar program; saw it a few times years ago, but not since; and I don't think AMEX does that at all. Of course, then you have Discover and several other vendors too - so is your website going to query each and everyone? Or use the lowest common API between them to process as many cards as you can and keep your customers as happy as you can?

Chip and Pin won't solve a thing.

Re:This isn't why they had a security breach (1)

RabidReindeer (2625839) | about 4 months ago | (#46881767)

And ultimately, how would you do chip and pin for online retail? You know, people that literally have to type their credit card number into a field?

Lots of online retailers now put credit card transactions through the Verified with Visa program, which takes you to e.g. your bank's online banking login page where you have to enter further credentials to complete the order. So, even if a thief has your credit card number and the extra security number on the back, he would not be able to use it without an extra password.

And when my order comes up to the Verified with Visa page, I cancel it. VwV is a pain.

The security number is by design not embossed on the card, nor, as far as I know, encoded in the stripe, because for physical card-reading applications the cashier has to confirm your identity by other means such as signature and driver's license.

Online transactions use the security ID, but if someone has latched onto that, then they're already running amok in someone's network or have physically stolen the card (in which case, cancel/replace ASAP!)

Re: This isn't why they had a security breach (0)

Anonymous Coward | about 4 months ago | (#46880793)

With chip and pin the retailer doesn't store the card number, moron

Re: This isn't why they had a security breach (1)

DigiShaman (671371) | about 4 months ago | (#46880853)

Wasn't the hack accomplished by reading the data unencrypted in RAM?

Re: This isn't why they had a security breach (1)

IamTheRealMike (537420) | about 4 months ago | (#46881341)

Out of a regular PoS that's running Windows, yes. C&P transactions take place entirely between a dedicated piece of hardware and the card itself. Also the card signs a nonce so there's nothing to steal if the hardware is bad beyond the old regular magstripe data which is already stealable.
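The point made in the comment above, that the card signs a nonce so a compromised terminal captures nothing it can reuse beyond magstripe-style data, sketched as an added example that is not part of the thread or of the EMV specifications. HMAC-SHA256 stands in for the real card cryptogram, and `ChipCard`, `Issuer` and the sample card values are hypothetical, constructed for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed sample values; not real card data.
SAMPLE_PAN = "4000000000000002"
SAMPLE_STATIC_CODE = "123"


def _message(pan: str, amount_cents: int, nonce: bytes, atc: int) -> bytes:
    """Canonical encoding of the fields the card authenticates."""
    return "|".join([pan, str(amount_cents), nonce.hex(), str(atc)]).encode()


@dataclass
class ChipCard:
    """Toy chip: the key stays on the card, only the tag leaves it."""
    pan: str
    key: bytes
    atc: int = 0  # transaction counter, incremented on every use

    def authorize(self, amount_cents: int, terminal_nonce: bytes) -> dict:
        self.atc += 1
        msg = _message(self.pan, amount_cents, terminal_nonce, self.atc)
        tag = hmac.new(self.key, msg, hashlib.sha256).hexdigest()
        # Everything in this dict is visible to the terminal and the POS.
        return {"pan": self.pan, "amount": amount_cents,
                "nonce": terminal_nonce.hex(), "atc": self.atc, "tag": tag}


@dataclass
class Issuer:
    keys: dict           # pan -> per-card key shared with the chip
    static_codes: dict   # pan -> static code used for stripe-style auth
    last_atc: dict = field(default_factory=dict)

    def verify_stripe(self, pan: str, static_code: str) -> bool:
        # Static data: the same values authorise every transaction.
        return hmac.compare_digest(self.static_codes.get(pan, ""), static_code)

    def verify_chip(self, req: dict) -> bool:
        key = self.keys.get(req["pan"])
        if key is None:
            return False
        if req["atc"] <= self.last_atc.get(req["pan"], 0):
            return False  # counter already seen: replayed message
        msg = _message(req["pan"], req["amount"],
                       bytes.fromhex(req["nonce"]), req["atc"])
        expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, req["tag"]):
            return False  # tag does not cover these transaction fields
        self.last_atc[req["pan"]] = req["atc"]
        return True


def demo() -> dict:
    key = secrets.token_bytes(32)
    card = ChipCard(SAMPLE_PAN, key)
    issuer = Issuer({SAMPLE_PAN: key}, {SAMPLE_PAN: SAMPLE_STATIC_CODE})
    results = {}

    # Stripe-style: what the POS saw once is accepted again unchanged.
    seen_by_pos = (SAMPLE_PAN, SAMPLE_STATIC_CODE)
    results["stripe_first"] = issuer.verify_stripe(*seen_by_pos)
    results["stripe_replay"] = issuer.verify_stripe(*seen_by_pos)

    # Chip-style: the POS sees the PAN and a tag bound to one transaction.
    seen_by_pos = card.authorize(2500, secrets.token_bytes(8))
    results["chip_first"] = issuer.verify_chip(seen_by_pos)
    results["chip_replay"] = issuer.verify_chip(dict(seen_by_pos))
    # Old tag attached to a different amount, nonce and counter.
    altered = dict(seen_by_pos, amount=99900, atc=seen_by_pos["atc"] + 1,
                   nonce=secrets.token_bytes(8).hex())
    results["chip_altered"] = issuer.verify_chip(altered)
    # The PAN itself is still readable in the chip transaction.
    results["pan_exposed"] = seen_by_pos["pan"] == SAMPLE_PAN
    # The genuine card keeps working for its next purchase.
    results["chip_next"] = issuer.verify_chip(
        card.authorize(1000, secrets.token_bytes(8)))
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:14} {ok}")
```

The `pan_exposed` result is why the card number can still leak from a chip transaction while the per-transaction tag cannot be reused.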

that's not true (1)

YesIAmAScript (886271) | about 4 months ago | (#46882151)

http://en.wikipedia.org/wiki/E... [wikipedia.org]

Although most of these attacks require you be able to clone the data reaped from EMV onto a stripe card and use it in a place that accepts stripe swipes. If the US stops accepting those, it will reduce fraud by presenting less opportunity. But it won't be because EMV prevented data extraction, but because you can't (currently) clone onto an EMV card.

Re: This isn't why they had a security breach (1)

Karmashock (2415832) | about 4 months ago | (#46881025)

exactly how do they charge the card then?

Re: This isn't why they had a security breach (1)

Em Adespoton (792954) | about 4 months ago | (#46881261)

It's a key exchange -- the vendor presents the charge and the user presents the one-time encoded authentication token. Both of these are sent upstream to the authorization server, which then queries the merchant bank and cardholder bank to verify the token and the authorization request. They then send a signed response back down the line so that the card knows it was their issuer who authorized the request, the merchant bank knows the cardholder is good for the charge, and the merchant never sees anything at all identifiable.

This is how the rest of the world has done things for a decade. There is zero reason for a merchant to know anything other than that the customer is good for the credit, and that the banks will back the transaction. The rest of the transaction is done between banks, not people and merchants.

It still boggles my mind that a country that values anonymous cash so much would be so tied to a credit system that leaks personal information like a sieve, PCI DSS notwithstanding.

Re: This isn't why they had a security breach (1)

maevius (518697) | about 4 months ago | (#46881395)

No....

The full PAN can and must be read from an EMV card. (EMV specifications, book 3, Mandatory data objects). Actually both the authentication and the card PAN are sent to the issuer.

Re: This isn't why they had a security breach (0)

Anonymous Coward | about 4 months ago | (#46881907)

If the merchant sees nothing, how do the receipts from chip and pin (in Canada at least) still print your name and some of your credit card (some do, some don't, usually only the last 4 digits)?

Re: This isn't why they had a security breach (3, Informative)

rkww (675767) | about 4 months ago | (#46881277)

exactly how do they charge the card then?

The vendor takes the customer's name, postal address and card number, and sends a message to their card processor (bank) saying "I want to charge this customer this amount for this transaction"; the bank sends back a url and the customer is redirected to that page.

The (secure) page (which displays a shared secret known only by you and the bank) asks for your online banking password; the bank processes the payment, and redirects you back to the vendor's thank-you page.

This has nothing to do with chip and pin.

But UK banks also hand out free one-time pad [barclays.co.uk] terminals which use your chip and pin card for online identification.

Re: This isn't why they had a security breach (1)

number17 (952777) | about 4 months ago | (#46881043)

Online stores can store the credit card number, not the PIN. Typically they will ask for the CVV which shouldn't be stored. See PCI Compliance FAQ [pcicomplianceguide.org].

Re:This isn't why they had a security breach (1)

SailorSpork (1080153) | about 4 months ago | (#46880961)

Pffft, you think that matters? Target had a high-publicity credit card hack theft thingy, Target installing "better" card thingys with "chips" in them, seems gadgety and high tech. Target gets its "we're improving our credit card security" headline. American people go "wooooo, high tech thingy! Problem solved!"

Re:This isn't why they had a security breach (1)

Anonymous Coward | about 4 months ago | (#46881331)

This is exactly right. It wasn't the method of authentication that was faulty.

Target's physical security of the CC equipment was breached. Just like all those gas station pumps with altered/hijacked CC scanners you've heard about.

This *fix* is downstream from the original problem so it will accomplish nothing.

This is 100% misdirection/PR. The sad thing is that most people will not know it.

Chip and Pin stops card cloning (1)

wiredog (43288) | about 4 months ago | (#46881775)

And cloned cards were a major vector of fraud in the Target attack.

Re:This isn't why they had a security breach (0)

Anonymous Coward | about 4 months ago | (#46881843)

You are right but the reason the Target breach was made such a big deal of was to use it as a vehicle to usher in chip and pin. Chip and pin has been compromised already in Europe with the consumer on the hook to prove that the charges were fraudulent. That's why they want it here. Sure the card companies can't do it here now, but wait and there will be "new legislation" to change the wording so that if someone does get a hold of our chip and pin information that we will be ones that have to prove that it was theft. Never mind that the card companies are making money hand over fist, they want more and more and more, and they don't want to have to pay for the flaws in their systems. It's all bullshit and the media is the conduit for spreading it to the masses.

Re:This isn't why they had a security breach (1)

jbmartin6 (1232050) | about 4 months ago | (#46882247)

The proof is in the pudding as they say. There must be something to it, since the fraud rate for EMV card holders is far below signature-only card holders. No one is claiming that EMV is foolproof. It WOULD have stopped the Target breach since the POS system never handles the PIN, it only records the terminal's response that the PIN was valid.

Fucking finally (4, Funny)

PvtVoid (1252388) | about 4 months ago | (#46880735)

The U.S. is finally catching up with Bulgaria on this one.

Re:Fucking finally (0)

Anonymous Coward | about 4 months ago | (#46881705)

The U.S. is finally catching up with Bulgaria on this one

Yet we're still so fucking far behind in everything else. I just got back from 2 months traveling all over Europe. It was really depressing to realize just how far behind we are in communications and consumer tech. Unlimited gigabit for $30/month? It's amazing what a little ISP competition will produce.

The conspiracy nut in me wonders if the NSA had a hand in the stagnation of US internet speeds, pressuring the FCC to let entrenched monopolies run amok. That would make spying *much* easier. In light of everything else, it sounds completely plausible.

Re:Fucking finally (1, Insightful)

danbob999 (2490674) | about 4 months ago | (#46882201)

Maybe in 1-2 centuries the US will adopt the metric system.

Late on all fronts (0)

Anonymous Coward | about 4 months ago | (#46880741)

As always, it only took a massive PR disaster before anyone started moving in this direction. The technology has been available (all over the world) for at least 15 years. I even used chip based calling cards around the world back then.

The companies thought it was cheaper to not upgrade. But now because they got massively embarrassed, they will finally spend the money which would have saved them thousands of times more money had they done it in the first place.

Why is it always reactionary in business? It's frustrating.

Also, while not quite the point of the Slashdot posting, this news is several weeks late, Target announced this on their website a while ago. Slashdot Beta: News for nerds several weeks late, and then we'll dupe it. Beta sucks too.

Re:Late on all fronts (1)

Jmc23 (2353706) | about 4 months ago | (#46881193)

Why is it always reactionary in US business? It's frustrating.

FTFY.

'cause other countries took care of this years ago.

Re:Late on all fronts (2)

jjhall (555562) | about 4 months ago | (#46881259)

It isn't the merchants dragging their feet. Chip and Pin has not been available to merchants in the US. The thing most people don't realize is that credit card fraud is a profit center for Visa/Mastercard/etc. Do you think Visa is eating the cost of a fraudulent transaction to cover the "$0 Fraud Liability" they offer to their customers? Of course not. It goes right back on the merchant. Now the merchant is out their merchandise, out the money they would have received from the sale, and they are hit with a fee (that goes to Visa) for the chargeback. Have a massive breach like Target? Now there are big fines to pay to the card companies on top of it all.

The entire security of the credit card system is based on keeping a 16 digit number secret. That same 16 digit number you have to share with everyone you give money to. Making it TONS more secure would be cheap and easy, and most merchants are already set up to handle it... A simple rotating PIN that is only valid for a length of time is all it would take. Have merchants run all transactions as Debit, and give the customer an app on their phone (or even a periodic SMS with a new PIN.) The card companies could use the fraud liability as an incentive to use the system. No rotating pin? $1000 fraud liability. Monthly? $500. Weekly? $100. Daily? $25. Rotating PIN app or new SMS after each transaction? $0. This would also secure online purchases as well.

Every time I see a story relating to credit card security, I laugh to myself over how much more secure my World of Warcraft account is than my credit card accounts.

Re:Late on all fronts (2)

OneAhead (1495535) | about 4 months ago | (#46881349)

Why is it always reactionary in American business?

FTFY. As to answer the question: it used to not be that way, but the companies discovered that if they gave enough money to the politicians, the regulator would let them get away with making arrangements like: "if none of us makes the first step to innovate, the others won't be forced to follow, and we all can save ourselves the financial investment of the innovation".

Re:Late on all fronts (0)

Anonymous Coward | about 4 months ago | (#46881463)

As always, it only took a massive PR disaster before anyone started moving in this direction. The technology has been available (all over the world) for at least 15 years. I even used chip based calling cards around the world back then.

The companies thought it was cheaper to not upgrade. But now because they got massively embarrassed, they will finally spend the money which would have saved them thousands of times more money had they done it in the first place.

Why is it always reactionary in business? It's frustrating.

Also, while not quite the point of the Slashdot posting, this news is several weeks late, Target announced this on their website a while ago. Slashdot Beta: News for nerds several weeks late, and then we'll dupe it. Beta sucks too.

I was at a company that was helping the merchant banks roll out chip and pin back in '98. The pilots were going pretty well, and the only real issues were around the costs of the cards -- merchant issuers were rolling out chip-and-pin readers everywhere, even where there was no plan to immediately roll that area out to chip and pin.

Then the dot com bubble burst (in 2001?) and banks dropped all pilot programs as they focused on defending their existing business model. Chip-and-pin vanished, even though the Verifone/etc. readers that can read the chips were already deployed. It took another 5 years before they started looking at starting up new pilots to see if the market was ready for chip-and-pin again.

It was all just unfortunate timing that killed it the last time around. A lot of marketing spin (consumers: this is more like cash; you reclaim your privacy -- merchants: this is more secure and prevents skimming -- banks: this is more profitable and protects the bottom line), training, hardware development/deployment etc. was sunk into this the first time around, and only a small fraction of that was able to be reclaimed. These data breaches however are free advertising that overcomes a lot of the impetus the system has been facing, so since all the original pilots are already long complete, roll-out should now move along reasonably quickly.

HOWEVER, I was under the impression that the "new" US system would not require encrypted PIN -- in other words, while offloading liability and making people do "secure" things, unencrypted data would still be showing up in the merchant's systems. Hopefully this has changed since the data breaches, and the US is going to move to a sane (if slightly more expensive) end-to-end chip-and-pin system like the rest of the world.

Re:Late on all fronts (1)

bluefoxlucid (723572) | about 4 months ago | (#46881675)

Chip-And-Pin has the annoying side-effect of requiring a PIN instead of a signature. I don't understand why you need a PIN at all, honestly.

My suggestion nearly a decade ago was straight PKI. An embedded IC would contain a burned, non-readable, unique private key and certificate. The certificate would be bank-signed, and verified dynamically with the bank.

When you insert the card into the reader, a command stream is sent. This includes the transaction, a time stamp, and a block of random data. The bank accepts each data set once (manageable by a bloom filter of large hashes per hourly time stamp and a database indexed by time stamp). The whole block of data [TIME(now),RANDBITS(1024),Transaction[]] goes to the card, gets signed by the private key on the card through a dedicated RSA4096+RC4 specified to avoid weak IVs (bank rejects if the IV is weak), and is returned to the terminal.

In this way, you must physically possess the card to carry out a transaction. Transacting with Amazon? Plug a USB reader into your computer, plug it in. Reader contains a display which can list the charge, the merchant, and the transaction. You see "$315.09 AMAZON" and a listing, can accept that. You see "$45 XXX TOOLBAR EROTIX INC" and you reject that. Nothing goes to the card until you press the "accept" button on the reader.

I don't see a need for a PIN. If someone steals your card, deactivate your card.
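The sign-a-fresh-block flow proposed in the comment above, sketched in Go as an added example (not code from the commenter or from any payment scheme). Assumptions: Ed25519 from the standard library stands in for the comment's RSA-4096, an exact in-memory set stands in for the bloom filter, and the names `Card`, `Bank`, `BuildBlock`, `Authorize` and the five-minute window are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

var ErrBadSig = errors.New("signature does not verify")
var ErrStale = errors.New("timestamp outside accepted window")
var ErrReplay = errors.New("block already accepted once")

type Card struct{ priv ed25519.PrivateKey } // stands in for the chip's key
func (c Card) Sign(block []byte) []byte { return ed25519.Sign(c.priv, block) }

type Bank struct {
	pub    ed25519.PublicKey // the card's public key (assumed already known)
	window time.Duration     // tolerated age and clock skew (assumption)
	seen   map[string]bool   // exact set; the comment suggests a bloom filter
}

func NewCardAndBank(window time.Duration) (Card, *Bank, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	return Card{priv}, &Bank{pub, window, map[string]bool{}}, err
}

// BuildBlock lays out [TIME(now), RANDBITS(1024), Transaction] as bytes.
func BuildBlock(now time.Time, txn string) ([]byte, error) {
	block := make([]byte, 136, 136+len(txn)) // 8-byte time + 128-byte nonce
	binary.BigEndian.PutUint64(block, uint64(now.Unix()))
	if _, err := rand.Read(block[8:]); err != nil {
		return nil, err
	}
	return append(block, txn...), nil
}

// Authorize checks the signature, then freshness, then single use.
func (bk *Bank) Authorize(block, sig []byte, now time.Time) error {
	if len(block) < 136 || !ed25519.Verify(bk.pub, block, sig) {
		return ErrBadSig
	}
	ts := time.Unix(int64(binary.BigEndian.Uint64(block[:8])), 0)
	if age := now.Sub(ts); age > bk.window || age < -bk.window {
		return ErrStale
	}
	if bk.seen[string(block)] {
		return ErrReplay
	}
	bk.seen[string(block)] = true
	return nil
}

func main() {
	card, bank, _ := NewCardAndBank(5 * time.Minute)
	block, _ := BuildBlock(time.Now(), "$315.09 AMAZON") // constructed sample
	fmt.Println(bank.Authorize(block, card.Sign(block), time.Now()))
}
```

Because the bank rejects anything older than the window, the `seen` set only needs to retain entries for that long, which is what makes the per-hour bucketing in the comment workable.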

Re:Late on all fronts (1)

maevius (518697) | about 4 months ago | (#46881931)

Interestingly enough, EMV (c&p) cards work like this. However the card and the cardholder are both authenticated - either PIN or signature.

If someone steals your card, deactivate your card.

Ok, isn't it a bit stupid to design a system that can be circumvented by someone stealing your card? And no, card deactivation for sure doesn't solve the problem.

Re:Late on all fronts (0)

Anonymous Coward | about 4 months ago | (#46881959)

Chip-And-Pin has the annoying side-effect of requiring a PIN instead of a signature. I don't understand why you need a PIN at all, honestly.

The reason is that if someone steals your card, that isn't enough to charge things to your account.

And incidentally, for disabled people who are unable to sign, chip & signature cards do exist.

More security lip service (1)

Anonymous Coward | about 4 months ago | (#46880745)

It boosts their profits and nothing else as Chip & Pin helps to shift the liability to the customer.
We've had Chip & Pin for a while in the UK and there have been a lot of serious security problems.

walmart started requiring a chip about a month ago (1)

Wycliffe (116160) | about 4 months ago | (#46880827)

Walmart started doing this about a month ago in my area. Unfortunately for me the chip doesn't work on my card so every time I go to Walmart they have to manually key in my credit card number.

Re:walmart started requiring a chip about a month (1)

Barny (103770) | about 4 months ago | (#46881179)

If the chip doesn't work, just get a new card issued?

Didn't Target have Chip and Pin back in 2005? (1)

ConstantineM (965345) | about 4 months ago | (#46880893)

Didn't Target already have Chip and Pin back in 2005 or 2004? What happened to all of those?

I remember I got a Chip and Pin card from Fleet around that time (just on the edge of them being acquired by B of A); Fleet has even sent me a free card reader, which I've never used, actually.

Not invented here (0)

Anonymous Coward | about 4 months ago | (#46880947)

Chip and Pin in the USA will go the same way Concorde did as it was not invented here.

Re:Not invented here (2)

PvtVoid (1252388) | about 4 months ago | (#46880993)

Chip and Pin in the USA will go the same way Concorde did

Back and forth to Europe twice a day?

What!? Why this late? (0)

Anonymous Coward | about 4 months ago | (#46880953)

It has been mandatory here for like the last 5 years; some cards now do not have a magnetic strip anymore (mostly membership/club cards).

I will cancel all my cards (-1)

Anonymous Coward | about 4 months ago | (#46880981)

I am not going to remember a PIN for each of my credit cards. I will cancel all my cards, immediately.

Re:I will cancel all my cards (0)

Anonymous Coward | about 4 months ago | (#46881563)

I am not going to remember a PIN for each of my credit cards. I will cancel all my cards, immediately.

I am guessing that you are just trolling. You should be able to go to an ATM of the issuing bank and change your pin to one that you can remember. It can be the same as the one you use for your banking card but that is less secure. There is a trade-off between security and convenience which you have to consider.

If your card is not issued by a local bank then you will have to call the automated number on the back of your card to change it there.

Nope (5, Insightful)

Mike Ice (3637719) | about 4 months ago | (#46881005)

We will not gain parity simply because Target said "make it so". Sadly the cheap and easy CC system the US uses is the easy thing to stay with. Expect an extension of the current system just before it expires in 2015. Nobody wants to spend money to be more secure - "that won't happen to us" mentality rules here in the States...

Re:Nope (0)

Anonymous Coward | about 4 months ago | (#46881537)

And the insecure and expensive solution is any better? Heh...more the fool you.

Re:Nope (0)

Anonymous Coward | about 4 months ago | (#46881739)

This will not gain parity because others are moving toward three-factor authentication:
http://www.oki.com/en/press/2014/02/z13115e.html

Recent experience in Italy (1)

dtjohnson (102237) | about 4 months ago | (#46881101)

Was recently in Italy and had to beg a kindly local woman to buy me a train ticket with her card as the ticket machine would not accept either cash (in the wrong denominations) or my magnetic stripe card. They're probably used to us visiting 3rd-worlders.

Re:Recent experience in Italy (1)

Jmc23 (2353706) | about 4 months ago | (#46881279)

Sad thing is the US screws it up for visitors as well. So stupid to ask for a postal code for a foreign card, or use incompatible debit systems.

It's almost like the US is the SONY for currency.

If I wandered into the bank.. (3, Interesting)

TechyImmigrant (175943) | about 4 months ago | (#46881129)

My wife has a retail store and a credit card reader.

If I wandered into the bank and asked how I get a C&P terminal for the store, they would stare at me blankly. It simply isn't available. The terminals exist, but the bank isn't going to talk to it until they're good and ready to, which at the current rate of progress is 'never'.

Target has more leverage, but small retailers have to take what the bank makes available.

For this and other reasons, we will probably switch banks, but people should be under the impression that retailers in the US can 'just switch'. They can't. The bank decides which terminals it will work with. This is bizarre given that the terminals are completely generic.

Re:If I wandered into the bank.. (1)

maevius (518697) | about 4 months ago | (#46881221)

Completely generic? Ummmm no. They are C programmable embedded devices which are usually developed according to the acquiring bank's specifications.

Re:If I wandered into the bank.. (1)

TechyImmigrant (175943) | about 4 months ago | (#46881329)

The wire protocols are standardized by PCI.

Re:If I wandered into the bank.. (1)

maevius (518697) | about 4 months ago | (#46881531)

Ummmmm no.
The wire protocols are de-facto standardized up to a point (ISO-8583 or vendor specific protocols) and the rest are application specific. Interestingly, wire protocols are one of the things that PCI has never touched.

Re:If I wandered into the bank.. (1)

TechyImmigrant (175943) | about 4 months ago | (#46881849)

I was under the impression PCI referenced 8583 and the transport wrapper. Maybe not. I'm not searching PCI specs for fun.

Re:If I wandered into the bank.. (1)

KingOfBLASH (620432) | about 4 months ago | (#46882225)

I read that, not as in all devices are the same (since a chip and pin device has a completely different reader) but that there's no reason someone willing to buy a different reader shouldn't be able to use one

Re:If I wandered into the bank.. (1)

PRMan (959735) | about 4 months ago | (#46881413)

You can't even get a card for travelling to Europe in the US with a chip and pin. Looking into it recently, most people were saying you could get one from the UN credit union.

Welcome to the rest of the world? (0)

Anonymous Coward | about 4 months ago | (#46881369)

Some time ago all the mag-strip only cards were replaced with Chip and Pin here in Canada.

Not quite (1)

ThatsNotPudding (1045640) | about 4 months ago | (#46881419)

Will this move by a huge retailer push the U.S. into parity with the rest of the world?"

Target is huge? I'm not so sure about that. But it will be fait accompli when Walmart changes.

Canada has had them since the mid 00's (0)

Anonymous Coward | about 4 months ago | (#46881465)

Canada completed roll out of chip and pin in 2010. Congrats on finally catching up with the rest of the world.

Why aim for mere parity? (0)

Anonymous Coward | about 4 months ago | (#46881481)

Why is Target playing catch up? Why doesn't it leapfrog Chip and Pin and do something even better?
Why should anybody hand over the credentials required to initiate transactions in their name to a clerk or a machine that they don't control?

Let's start with a concept like 3C Transactions [github.com] and build something much better than Chip and Pin.
3C is more secure than C-n-P and easier to implement. It could begin initial rollout with no new hardware required by merchants.

Of course, 3C is really just a napkin sketch and would take some work to build into a real world solution. But the benefits over C-n-P seem so obvious that it (or something with similar principles) should be well worth the effort.

Bitcoin? (1)

PRMan (959735) | about 4 months ago | (#46881493)

How about taking bitcoin online? Make a deal with BitPay or Coinbase.

No information to steal except for shipping information. And the public fact that it was paid with bitcoin.

Re:Bitcoin? (1)

maevius (518697) | about 4 months ago | (#46881699)

Because bitcoin is totally fraud-proof.

Ahh...Chip and SPIN... (0)

Anonymous Coward | about 4 months ago | (#46881501)

Chip and Pin isn't any better than what's currently there...

Chip and Spin [chipandspin.co.uk]
Safety in numbers? Not likely. [theguardian.com]

It's not a solution and screws YOU the consumer on many fronts.

Chip and Signature, not Chip and PIN (3, Interesting)

weave (48069) | about 4 months ago | (#46881671)

Most US cards being issued with a chip are Chip and Signature, not Chip and PIN -- because banks have trained Americans to think PIN means debit so banks fear applying a PIN to a credit card would confuse people.

I have one of these Chip and Signature cards and on my last trip to UK it was a real PITA, especially at self-checkouts. Like at ASDA there was a signature signing pad but I had to wait for a clerk to come over to give me the pen and then she checked my signature real closely. Same thing at the duty free at the airport. The self-checking stopped and alerted the clerk to come over to check my signature. Then at other stores the clerk couldn't find a pen, or was surprised when paper spit out and had to ask a manager what was going on.

(I had one clerk hand me the slip to sign, checked my signature, then put the signed slip into the bag with the receipt! If I was an "arse" I probably could have disputed the charge and gotten away with it because they couldn't produce a signed slip)

At the ASDA (far away from where tourists usually go) the clerk remarked it's been years since she saw someone have to sign for a charge. I apologized, said I was an American, and that our banks think we are too stupid to remember a PIN. She got a good chuckle out of that...

Chip and Pin cards? (1)

dirk (87083) | about 4 months ago | (#46881781)

That is great and all, but are there any banks in the US supporting chip and PIN cards for Visa/MasterCard currently? I'd love to get one even if I only use it at Target just to help push things along, but I don't know of any cards that are supporting it now (and I really don't need a Target card).

target (0)

JohnVanVliet (945577) | about 4 months ago | (#46881805)

I can almost GUARANTEE that Target will "frack up" this too
a 2015 prediction
Target will use the password "1234" to secure the servers

Should we actually trust the NSA to babysit us (1)

Orwell1983 (3637733) | about 4 months ago | (#46881841)

This is the most ridiculous thing I have ever heard and the fact that people buy into it is what is wrong with America. Chip and pin cards, are you kidding me? I hate to give in to the hype of an overused buzzword, but we do find ourselves coming into an age where big data has massively amplified the stakes of security as companies are pooling all of their assets into one giant "data lake" so that it can be analyzed. Yes, I agree that it is great that they now can "glean valuable insights from the connections between xyz..." by aggregating all of the information into one giant store of structured or unstructured data to be analyzed, rinse, repeat and analyze again, but then guess what - one hole in your security means the whole house of cards comes tumbling down and all of your data "assets" and people's "private" information is now exposed. Chip and pin cards are a joke to placate the public - this is a good blog on what companies are putting in place right now that are actually a step in the right direction at least. http://sqrrl.com/big-data-secu... [sqrrl.com] The thing that is interesting: the one with the most all encompassing security architecture was created at the NSA.... So do we not trust that approach because the database was created by evil government spies and will abuse our information somehow, or trust them because maybe they actually know how to keep information secure. All I know is that it's interesting that at least they built their "big data" analyzation tools as a secondary priority to security, and as the blog shows the other databases are now implementing different security measures to their information warehouses which is at least a step in the right direction....My two cents. To all of the big companies like this that think "that won't happen to us".... That first step off your high horse is going to be a bitch honey. Tuck and roll.

Whoosh (0)

Anonymous Coward | about 4 months ago | (#46881869)

EMV (nicknamed "Chip and Pin") technology makes it more difficult for a thief to steal your credit card out of your pocket and then use it.
It does not prevent data breaches.

To complete an EMV transaction with a merchant, you have to hand over a credit card with an embedded chip. Then you have to provide a PIN used to decrypt the credit card authorization. The merchant can then use the decrypted authorization for the transaction.

And the merchant can still store that information and get compromised.

The Target breach was an inside job. It didn't happen at a store counter. EMV does nothing to protect against these attacks.

If you have to tell a third party how to decrypt your super secret in order to do business with them, it isn't very super secret anymore. What's the point? We need a system that doesn't require you to hand over the keys to your account.

their terminals already had it (1)

YesIAmAScript (886271) | about 4 months ago | (#46881873)

The terminals that had the problem were their new (few months old) chip and PIN-capable EMV terminals.

Chip and PIN doesn't fix the breach Target had. Only Chip and PIN with tokenization does.

I already have one Chip and PIN card from my bank (US bank) and I'm trying to get my other one switched too. But it doesn't fix this problem.

Target, if you replace your terminals again, please get ones that do Chip and PIN and also NFC and PIN please?
