Compliance To New Credit Card Chip And Pin Is Laughable3 min read
In October of 2015 the United States credit card industry went forward with a ‘liability shift’ around fraudulent credit card use to retailers. It was intended as an incentive for retailers to step up their Point of Sale (POS) security and move to the chip and pin credit cards. Instead of a user swiping the card they would slide the card’s new chip into the reader and enter their pin to complete the transaction. It’s not perfect but it’s more secure than before. The rest of the industrialized world have been using chip and pin credit cards for over ten years, the United States lagged behind a bit. That is one of the reasons why over 50% of the world’s credit card fraud takes place in the United States.
October 2015 has come and gone and personally being a uber-security nut I pay attention to these types of things. I am disappointed to report that from my experience the retailers either didn’t get the years of memos or don’t care enough to step up their security game. I always say I never will go out on Black Friday and each year I find that one good deal and end up dragging myself out of bed at 5am to get to the store, this year was the same.
I had two missions at two different stores, the first was Home Depot for a Christmas laser house projector called the Star Shower and cheap batteries. The other was Kohl’s for mega discounted video game chairs and great deal on Keurig coffee (yes I bought coffee on Black Friday…woo hoo!). I name the stores because it’s important.
Home Depot has the self-checkout isles and I always use those if I can and at payment time I was pleased to see the chip and pin process in full force. I slide my card in, enter my pin, transaction complete and away I go. I pick on Home Depot because they were motived beyond the EMV chip and pin liability date after their breach, but they improved their security no matter how they were motivated.
I then traveled to Kohl’s which is the second largest department store by sales in the Unites States next to Macy’s. They are not a small organization yet they are not acting like it. Upon my check out at Kohl’s I saw they had the latest chip and pin readers but when I checked out it asked me to swipe the card, not insert the chip. To make matters worse on this Black Friday the cashier never looked at my credit card or asked for my photo ID. Just took my nice smile and repeatedly asked if I wanted to sign up for the Kohl’s card to save 25%… for the fifth time…
Two big time retailers and two very different security experiences. I couldn’t help to think I could have walked in there with a stolen credit card, throw on a nice dumb smile and walked out with a few hundred dollars of merchandise with a simple swipe. As of October 2015 Kohl’s is on the hook for the financial liability for any fraudulent use of credit and debit cards but as of today in Minnesota they are not rushing to protect themselves…. or their customers.
Security is not a thing, it’s a practice, a way of life, a though process of protection. The ‘not in my backyard’ or ‘out of sight out of mind’ mentality is what hurts business and individuals. The retailers and purchase methods we have in place are sloppy, insecure, and are designed for speed not financial protection. Customers need to get educated around these things, retailers need to be held more accountable than they are today. If they don’t ensure the card user is in fact the card owner why are bank’s covering the losses? Laws and regulations are the bare minimum and that’s what we do, only what we are asked not what is needed.
Unfortunately it’s going to take a few more breaches of tens of millions of users identities stolen until the real laws and regulations get put in place.
The funny thing is twenty years ago everyone was fine with taking the time to write out a paper check, today they complain that having to enter a 4 digit pin is too slow… think about that.
End of line.
Binary Blogger has spent 20 years in the Information Security space currently providing security solutions and evangelism to clients. From early web application programming, system administration, senior management to enterprise consulting I provide practical security analysis and solutions to help companies and individuals figure out HOW to be secure every day.
Follow Me On Twitter