Credit Card Data Security is a boring subject but necessary – Hello chip-and-pin technology!

From the Principal’s Office

Well, the NRF conference was unimpressive, or I missed all the good stuff.  That notwithstanding, I see a resurgence in software development companies bringing POS and Merchandise Management software packages to the market.  You will recall that the particular sector went through some consolidation in the past few years as one company gobbled another and took a solution out of the market, and we were left with fewer choices from which to pick.

Then, we have the breach into major retailers’ credit card information.  A highly sophisticated one at that, perpetrated by some smart but nasty people whose intelligence could be better put to use to cure cancer, Alzheimer’s disease, or just making customers buy more of your products.

Bob Amster – Principal, RTG

Credit Card Data Security is a boring subject but necessary – Hello chip-and-pin technology!

By Bob Amster

Chip-and-PIN credit card security has been adopted and living well in Canada and Europe for years, not in the US, where retailers have been loath to embrace it, even though it is safer than just swiping the magnetic stripe on the credit cards.  With the recent intrusion into more than one major retailer’s systems – all the way into the actual POS devices (read this article) – it appears that that is about to change.  (Now read this article.)  Chip-and-PIN is a technology wherein the credit card contains an electronic chip that identifies the card.  This information is transferred to the credit authorization terminal device by proximity to the device.  The cardholder must enter the corresponding personal identification number (PIN).  Under this concept, the card never leaves the customer’s hands but the card number still has to be transmitted and stored (encrypted or not).

EMV stands for Europay, MasterCard and Visa, a global standard for inter-operation of integrated circuit cards (IC cards or “chip cards”) and IC card capable point of sale (POS) terminals and automated teller machines (ATMs), for authenticating credit and debit card transactions. (Wikipedia.)

Chip and PIN can come in the contactless form known as near field communication (NFC), or inserted into a reading device.  The former is faster than the latter.

Of course, the implementation of EMV in stores, whether mandated or not begs the question: what are ecommerce sites going to have to do differently to validate the cardholder over the Internet, or will they accept the potential liability of having to pay for fraudulent transactions, which many say it’s an unaffordable risk?  One option being considered is the mobile wallet as the virtual chip-and-PIN card, as well as other payment instruments such as PayPal.

Rick Dakin CEO, Co-Founder and Chief Security Strategist of Louisville, CO-based Coalfire points out that EMV “…is a fraud-management system.  It is not a data protection or data security tool.”  He adds, that there are other technologies already in motion, wherein the credit card data are rendered unreadable immediately after capture, thus protecting the data.

Dakin continues: “two phases of remediation are going to be required.  Addressing fraud reduction does not by definition increase after-the-fact data protection.”

One valid question to ask is: if the cost of implementing EMV is higher than the cost increasing data protection, in which will retailers want to invest their dollars?

Clearly, the recent events have elevated pressure on retailers and there is now a rush to adopt a new technology.  This pressure is internally driven, intended to voluntarily improve the retailers’ exposure to risk.

It is also fairly clear that the cost of replacing credit authorization/PIN pad terminals is an impediment to adopting fraud-preventing EMV technology.  Only a few credit authorization/PIN pad devices are designed to accept both magnetic stripe swiping and contactless validation.  For retailers contemplating upgrading or implementing new POS systems now, they need to decide whether or not they want to invest in devices that are good only for today’s mag swipe environment, or good for both; today’s environment and October 2015 mandated EMV requirements.

Domestically, the Ingenico iSC250 and the Verifone PINpad 1000SE are both; EMV capable and mag stripe capable.  Other such devices are available in Europe.

Mark Weiner, Managing Partner for Reliant Security, New York, NY, which began as a PCI consulting firm and provider of the Red Box states: “The underlying philosophy to preventing the types of breaches we have seen, is a need to maintain a ‘layer of defense.’”  The hackers that penetrated the two department stores recently, should have never been able to get from the HVAC vendor, to a secretary’s desktop, to servers, to the POS devices.

Weiner is an advocate of using jump servers to allow external service providers, consultants, and other outsiders in order to control who has been there, doing what, and easily disaccredit them once their engagement and need for access are over.

In a departure from what has been the direction of the retail software development world to provide fully integrated systems, Weiner suggests that integrated POS systems are becoming a security problem because they provide multiple access paths to get to the POS device itself.  POS devices typically run on the Windows operating system.  Reliant Security espouses de-integrating (move payment away from every other function), and move a way from Windows as the OS for payment, and move to the Linux OS, which is believed to be more secure because “it has fewer moving parts” according to Weiner.

So, as unglamorous as I think credit card data security is among many other information systems topics, I painfully recognize that we are living through a paradigm shift, and that it is necessary, like going through security checkpoints at airports, and we all know how unglamorous that is…


Visit our Web site!
Obtain more information about us at

What’s new with us?
Investor Due Diligence Projects
We assisted Boston-based private-equity group PRCP with a couple of due diligence projects and portfolio companies, specifically KT Tape, InMotion Entertainment, and a couple of players to be named later.

Choice Pet Supply
We completed our software selection project for this early-stage, successfully growing, regional retailer owned by Centripetal Capital Partners.

Kering Americas
We were engaged by this international, luxury brands conglomerate to assist in managing a project to incorporate a newly-acquired brand into the family that already includes Gucci, Alexander McQueen, Stella McCartney, and Bottega Veneta, among others.

Expert Assistance

Robert Lawson continues to work for a major software developer of in-store solutions for a number of key retail clients.

If You Have a Need
…and would like to discuss it with us, please contact us at the number below.  We would be happy to review with you how we can help you.

The Retail Technology Group:
is located at:
761 Rock Rimmon Road
Stamford, CT 06903-1216
Telephone 203-329-2621