Tag Archives: PIN

Chip and PIN security questions cause trouble for researchers

The payment card industry bigwigs are on the attack, after academic researchers from Cambridge University brought into question the security measures which govern the billions of pounds worth of Chip and PIN transactions carried out by UK consumers every year.

Professor Ross Anderson is leading a study into the Chip and PIN system’s potential to protect the data and finances of its users. He and his team have concluded that there is a fatal flaw, which could leave millions exposed to fraud, data loss and monetary theft.

Prof. Anderson has since stated that the UK payment card industry is attempting to silence him and to prevent his research from becoming more widely known, a serious accusation to level at the industry.

UKCA (UK Cards Association) allegedly sent a letter to Cambridge University, in which it requested that the study’s findings were not published on the internet.

The researchers found that it is possible to make purchases with a genuine card using a portable device, even when the PIN entered at the terminal is wrong.

Prof. Anderson wrote a blog post explaining in detail how UKCA had attempted to prevent publication of the findings, which show that the Chip and PIN system is far from totally secure.

UKCA chair, Melanie Johnson, has been reported as saying that the researchers were acting irresponsibly in her opinion, after publishing the findings which could give criminal groups a new way of exploiting payment card users.

The main issue security experts have with Chip and PIN systems, and with the bodies which endorse their use, is that the systems are often treated as completely impenetrable. The banking sector, in turn, appears to regard research into weaknesses in the system as necessary, but the publication of the resulting details as unhelpful.

Prof. Anderson said that this research will be followed by further critical findings from other studies, increasing the likelihood that the payment card industry will react negatively in the future.

Reports from the Press Association claim that UKCA admits sending a letter to the university, but only with the intention of questioning the publication of details explaining how Chip and PIN security can be circumvented.

PCI DSS updated with new regulations

Businesses dealing with payment card transactions will need to examine in detail the freshly updated security requirements from the Payment Card Industry Standards Council in order to ensure continued compliance and protection for customers.

The Payment Card Industry Data Security Standard (PCI DSS) is managed by this organisation, and it is accepted internationally by businesses of all kinds. Related standards within the council's overall programme have been updated to keep pace with changing technology and with the threats against which businesses and consumers must be defended.

The requirements governing PIN Transaction Security (PTS) for Point of Interaction (POI) devices are now moving to version 3.0. The update represents a full three-year review cycle of the kind the council runs for each of its standards, and many hundreds of businesses were involved in formulating it, which helps ensure that real-world threats are addressed.

The PCI Standards Council has confirmed that the new requirements standardise the rules for PIN entry terminals. Until now the requirements differed depending on the device type: attended PIN entry devices, unattended payment terminals and encrypting PIN pads each had their own set. Replacing these separate rule sets with a single unified standard should make compliance easier while also improving security.

Several new requirements have been introduced to increase security in key areas. These include replacing older, less secure wireless standards used for transmitting payment card data with more robust alternatives, and requiring that consumer information be encrypted whenever it is handled by a business and at every point on its journey.

The PCI Standards Council accepts that these stricter requirements need suitable technology to support them, and has accordingly approved additional technology to help firms comply and to make payment card information much harder to access without authorisation.

The PCI Standards Council's Bob Russo said that protecting customer data and preventing its loss or theft would be made far easier under the new requirements, with blanket encryption and improved wireless protocols making the difference.

Laptop theft puts thousands of credit card customers in jeopardy

The personal details of thousands of customers have apparently been lost after a laptop was stolen from a partner of credit card provider MBNA.

A spokesperson for MBNA confirmed that the claims made in the Lancashire Evening Post were accurate, acknowledging that a laptop had been taken from the offices of a finance firm, NCO Europe, which provides services to MBNA and thus deals with sensitive data pertaining to its customers.

MBNA has said that whilst personal details were known to be on the stolen device, it would not reveal the specific type of information it contained. It did confirm that no PIN information was stored within the compromised files.

MBNA has said that it is continually monitoring the cards of the affected customers and that, so far, none of the leaked information has been used to defraud those involved.

MBNA has contacted the customers whose information has been implicated in the theft to explain the situation and the potential damage that it could cause. In an attempt to appease its customer base, MBNA has provided a free 12 month subscription to the CreditExpert tracking service.

MBNA hopes that by using the CreditExpert service, its customers will be able to quickly identify any fraudulent activity within their accounts, thereby mitigating the effect of the data theft.

The laptop theft has been reported to the police and in order to preserve the integrity of the investigation, details as to how the device came to be taken cannot be revealed at this time.

Security expert Nick Lowe commented on the theft, suggesting that data protection on company devices should be applied automatically by policy, removing the margin for error that staff introduce when protection is left to them, so that laptops can be used without becoming a liability.

A survey in November found that just 41 per cent of businesses install encryption on their laptops, and experts fear that without a stronger push for universal encryption policies, data theft from portable devices will continue to be a significant problem.
