Would EMV Help?

Andrew Barratt, Managing Director, Europe

With the spate of cyber attacks on US retailers recently, Coalfire's European Managing Director, Andrew Barratt, considers how attacks on retailers differ outside the US, and what the potential impact of similar attacks would be in a world where chip and pin technology is more widely deployed.

Working in both the US and Europe gives us a good perspective on the payment security landscape. The US has a much higher rate of credit card usage than most European countries; loyalty schemes and reward incentives are much more mature and embedded in American consumer culture. In Europe, card usage is increasing, but the type of card varies by country: in the UK, credit card use is moving in a similar direction to the US, alongside a high rate of debit card usage, and cards are now quickly replacing cash. The UK even has a variety of innovative mobile technologies trying to disrupt the card market. Germany, on the other hand, is a different story. Credit card usage is very low (consumer culture is quite averse to borrowing) and the debit scheme is a closed system. However, both of Europe's large economies moved away from the magnetic stripe years ago.

EMV - or chip and pin, as it is more commonly called in the UK - has been in heavy use since 2006, which has significantly lowered the impact of brick and mortar retail breaches. EMV technology does not rely on sending the full track information to the payment processor, meaning that the data in transit is easier to secure.

With retailers adopting more of the security controls detailed in the Payment Card Industry Data Security Standard (PCI DSS), and with the widespread adoption of chip and pin for authenticating customers, huge losses from face-to-face retailers are less common.

Large US retailers are being targeted for smash-and-grab-style payment card data breaches because the data is easier to use fraudulently. If a cyber attack steals a lot of magnetic stripe data, that data can be used to clone cards, which can then be used in stores to make fraudulent purchases.

When transactions are authenticated using EMV's chip and pin verification method, less data is transmitted to the processor. If this data is stolen, it is considerably harder to use fraudulently (not impossible, but much harder). EMV is not without its flaws, and a number of attacks have been demonstrated by Professor Ross Anderson's research team at Cambridge University. These typically attack the card reader and try to grab the PIN as it is sent to the chip on the smart card for verification.

For US retailers, minimizing exfiltration possibilities should be a high priority. Lock down and monitor the outbound connections!
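To make "lock down and monitor the outbound connections" concrete, here is an added example (not code from the original post or from Coalfire) that applies a simple egress policy to firewall logs from a point-of-sale segment. The log line format, the 10.50.1.0/24 POS segment, the two allowlisted destinations (payment gateway and internal resolver) and the per-connection byte threshold are all assumptions constructed for the example; the sample log lines are likewise constructed, not captured from any real system.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample egress-firewall log lines for a POS network segment (not
# from any real system). The line format is an assumption for this example:
# "<timestamp> src=<ip> dst=<ip> dport=<port> bytes=<n> action=<ALLOW|DENY>"
SAMPLE_LOG = """\
2014-01-20T10:01:02Z src=10.50.1.21 dst=10.50.0.5 dport=443 bytes=1820 action=ALLOW
2014-01-20T10:01:09Z src=10.50.1.22 dst=10.50.0.5 dport=443 bytes=2210 action=ALLOW
2014-01-20T10:02:41Z src=10.50.1.21 dst=203.0.113.77 dport=21 bytes=5242880 action=ALLOW
2014-01-20T10:03:00Z src=10.50.1.23 dst=10.50.0.6 dport=53 bytes=120 action=ALLOW
2014-01-20T10:03:15Z src=10.50.1.22 dst=198.51.100.9 dport=443 bytes=9300000 action=ALLOW
2014-01-20T10:04:02Z src=10.50.1.24 dst=10.50.0.5 dport=443 bytes=1500 action=ALLOW
2014-01-20T10:04:30Z src=10.50.2.10 dst=198.51.100.9 dport=443 bytes=9300000 action=ALLOW
"""

# Hypothetical egress policy for the POS segment: terminals may only talk to
# the payment gateway and the internal resolver; anything else is unexpected.
POS_SEGMENT = ipaddress.ip_network("10.50.1.0/24")
ALLOWED_DESTINATIONS = {("10.50.0.5", 443), ("10.50.0.6", 53)}
BYTES_THRESHOLD = 1_000_000  # per connection; tune to the real baseline

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"bytes=(?P<bytes>\d+) action=(?P<action>\w+)$"
)


def parse_line(line):
    """Parse one log line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    rec["bytes"] = int(rec["bytes"])
    return rec


def find_unexpected_egress(log_text, pos_segment=POS_SEGMENT,
                           allowed=ALLOWED_DESTINATIONS,
                           byte_threshold=BYTES_THRESHOLD):
    """Findings for POS-segment hosts whose outbound connections leave the
    allowlist or move an unusual amount of data in a single connection."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if ipaddress.ip_address(rec["src"]) not in pos_segment:
            continue  # only the POS segment is in scope for this check
        reasons = []
        if (rec["dst"], rec["dport"]) not in allowed:
            reasons.append("destination not on POS allowlist")
        if rec["bytes"] >= byte_threshold:
            reasons.append("large outbound transfer")
        if reasons:
            findings.append({
                "ts": rec["ts"], "src": rec["src"], "dst": rec["dst"],
                "dport": rec["dport"], "bytes": rec["bytes"], "reasons": reasons,
            })
    return findings


def bytes_out_per_host(log_text, pos_segment=POS_SEGMENT):
    """Total bytes each POS host sent to destinations outside the segment: a
    simple per-host baseline for spotting a terminal that starts bulk-uploading."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        src = ipaddress.ip_address(rec["src"])
        dst = ipaddress.ip_address(rec["dst"])
        if src in pos_segment and dst not in pos_segment:
            totals[rec["src"]] += rec["bytes"]
    return dict(totals)


if __name__ == "__main__":
    for f in find_unexpected_egress(SAMPLE_LOG):
        print(f"{f['ts']} {f['src']} -> {f['dst']}:{f['dport']} "
              f"{f['bytes']} bytes: {', '.join(f['reasons'])}")
    print(bytes_out_per_host(SAMPLE_LOG))
```

On the sample data the check flags the two terminals that connected to destinations outside the allowlist (one of them over FTP, both moving several megabytes), and ignores the 10.50.2.10 host because it is outside the POS segment. In practice the allowlist is the "lock down" half of the advice (the firewall should deny everything else), and the per-host byte totals are the "monitor" half: a terminal that normally sends a few kilobytes per transaction and suddenly pushes megabytes outbound deserves a look even when the destination port is 443.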

The fraud bubble has squeezed attackers' focus in the UK onto e-commerce operations, service providers and other businesses that handle lots of card-not-present transactions. As the cost of implementing attacks against the smart card declines, Europe serves as a good learning ground for the US. If the US adopts an EMV model in the future, that adoption can draw on lessons learned overseas to give consumers more protection.

Andrew Barratt