MagTek's Hart: With Swipe Readers, Encryption Is "Not Enough" [TRANSCRIPT]
With so many new swipe readers hitting the market, do you feel these various companies are paying enough attention to security?
The bad guys are certainly paying enough attention to security, or lack thereof, and that’s why we at MagTek, are so passionate about security and building the world’s safest swipers!
The world needs to better understand card security and unfortunately many in our industry who profess to be leaders and experts are steering merchants and processors down the wrong path.
They have a simplistic view of fraud, they spout off on the effectiveness of encryption to protect cardholder data, and literally put their heads in the sand when shown evidence of its insufficiency. Look at the recent breach at Global. I am sure the data was encrypted at many points, but the fact remains the data is in the clear on the card itself and must be presented to the brands in the clear.
The whole notion of POINT to POINT encryption is misguided. It begs the question, if you cannot protect the data from end to end, what good is Point to Point? But in this case, even End to End encryption cannot protect cardholder data because there are so many easy ways to capture it, at many different points and it’s always in the clear on the card itself. Encryption by itself is insufficient. It helps with the confidentially of cardholder data. But a robust security solution must also assure the authenticity and the integrity of the data and the payment devices. Only then can we disrupt fraud in real time.
Square had been behind the pack for a while, but recently announced an encryption upgrade. What message does that investment send to the payment security community?
Encryption by itself is a distraction. In 2005, even before there was a PCI, MagTek built the very first Secure Card Reader with embedded encryption, but we knew it was not enough to disrupt fraud.
We did a root cause analysis and developed products that could transform the lowly magstripe card into a very secure, counterfeit resistant, unique token. Square, on the other hand, is simply following the PCI guidance in an effort to be “compliant” but with very little thought to offering security. Remember they have a million or so readers in the field that have no encryption and you don’t hear anyone asking to have them recalled. Square has always believed their readers were adequate without encryption, so the move to add encryption is more political than philosophical.
You should notice too, that like other vendors in the dongle space, the encryption happens after the data has left the magnetic head. This means a crook can clamp on to the wires protruding from the head, add a tiny Bluetooth transmitter, and voila, you have transformed the encrypting Square reader into a skimmer. You cannot do that with MagneSafe products.
Cardholder data can only be protected by strong authentication which incorporates dynamic data. Encryption will help merchants and processors make the data more difficult to steal, but it will not make the data less valuable. Until we remove the incentive to steal the data in the first place, the bad guys will continue their attacks and find other places to steal the data prior to it being encrypted; like right off the card itself.
The most interesting entrant into the dongle space is perhaps Eventbrite, which isn't really a payment company at all. Could you see a future where dozens — hundreds? — of companies issue their very own swipe technology?
It’s interesting that Eventbrite is marketing a reader to its users. I think you will see many other offerings where tablets and phones are turned into multi-purpose transaction terminals, where payment is but one feature. Cards will be with us for decades. They’re just so darn convenient. They don’t need batteries. They don’t take up much space so I can carry lots of them. They still work if I drop them in a pail of water, or spill a coke on them. And it takes less than a second to swipe. So at MagTek we know that companies like EventBrite will want easy, secure, sturdy, comfortable, and consistent ways to let the consumer swipe a card, and we concentrate on making sure the consumer can trust a MagTek reader to give them genuine protection, not just the false god of PCI compliance.
Those cards containing a magnetic stripe can serve as a low cost, very secure identity authentication token that can be used in a variety of online and offline environments. We see cards being used to facilitate secure banking, gaming, shopping online and even used for enterprise access control to physical locations like work and even home. Because we can authenticate the card and the secure readers, we have opportunities to leverage the very same technology for use in and outside of payments.
Which dongle makers have done the best job with security to date? What partners in the space have you been working with?
To your first question the answer is MagTek, of course! We have been building strong security into our products for more than a decade. Our MagneSafe Security Architecture is a layered approach to protecting data and stopping fraud and it is at the core of all of our products. Our tag line is: MagTek, security from the inside. We have literally embedded the most advanced security into a tiny chip that is secured inside the magnetic reading head combining advanced encryption, token generation and authentication mechanisms designed to identify counterfeit cards and further alert the merchants if a counterfeit terminal has been introduced into their POS environment. Leveraging multiple layers of security is the best way to stay ahead of the bad guys. Our knowledge of criminal motivation and the weaknesses of our payment system give us a solid understanding of how to build a responsible and practical security strategy.
Because we are a major OEM supplier, many companies support our MagneSafe architecture and embed it into their products. We place nearly four million reading solutions into the market annually, and we have been seeding the market with secure card reader authenticators so that consumers can continue to swipe safely and confidently.
Do you see the industry adopting a security standard for the dongle in the future? What details would be included?
The PCI Council, which manages the PCI DSS, has published new rules for devices that read cards. They’ve dubbed it SRED which stands for Secure Reading and Exchange of Data. The rules (which interestingly enough are optional) say card readers will need to undergo testing, certification, and listing on the Council Web site. Obviously, this adds considerable time-to-market and financial expense to vendors like us and a handsome profit to PCI.
But the PCI council’s recommendations are lame, at best. They are geared around PCI-PTS which is the standard for PIN protection. Now ask yourself, if the PIN was printed or embossed on the front of the card, do you really think that an encrypting PINpad could protect it?
The PCI council needs to think outside the box or at least give vendors freedom to do so. Instead they prescribe exactly how to protect the data using archaic technology and outdated thinking. They have declared PIN data and Card data to be comparable, when in fact they’re not. One is visible at all times on the front of your card and the other is knowledge based. They each need to be protected but not necessarily by the same method.
The strongest encryption, including SRED, cannot protect the cardholder data that are pre-exposed on the front and back of payment cards.
We at MagTek rely on open standards (created by legitimate standards organizations) and sound security principles. We understand the root cause of the fraud and have acted on that knowledge to bring better security to the payments industry. Our payment technologies revolve around multi-factor authentication – something you have – a unique object that cannot be counterfeited (like a card), something you know – a PIN, a password or a secret and always something else - something unpredictable. In our case, we read the unpredictable value that emanates from an ordinary magstripe card. These extra bytes represent the magnetic signature of the card itself. And they have a remarkable quality, they are stochastic by nature. That is they change unpredictability with every swipe but within boundaries by which they may be correlated and authenticated. Without changing anything about the magstripe card, it is very secure, when used in modern readers.
Any authentication method needs to incorporate dynamic data. All static data is vulnerable. It can be compromised because it can be read, copied and reused. This is the root cause of our skimming and database breach problems. If we rely only on static data, even if it’s encrypted at some point or many points, we can’t determine if the data on the card being presented was stolen from Global Payments’ database or copied at a skimmer on an ATM. However, when a dynamic or one-time-use property is added to the authorization process and is authenticated, then the stolen static cardholder data becomes useless to the criminal because he has no means to predict or generate the next authentication values. Making stolen data useless is the end result we are all looking to achieve. For that to happen, encryption is insufficient. Dynamic authentication is the answer. It assures confidentially, authenticity and integrity of the cardholder data and the devices which are used to carry, read, transport and receive cardholder data. That is the mission of MagTek – genuine security.