Holes in EMV-Enabled POS & ATM Systems Open Vulnerabilities
Having an EMV-enabled system in place is not a total guarantee against breaches. Holes in updated POS infrastructures may have instigated recent compromises, and credit unions need to be aware as well.
According to EMV chip data from The Strawhecker Group, more than 52% of merchants have enabled their systems to accept chip payments. Glenbrook Partners recently reported that 63% of all cards in the market are chip cards.
Nevertheless, what is troubling to merchants and financial institutions is that recent breaches occurred despite EMV-compliant devices being in use at those locations. For example, in the recent Kmart breach, the company acknowledged that malicious code infected its payment data systems despite the retail chain having implemented EMV-compliant POS systems.
Ashley McAlpine, fraud prevention manager for Rancho Cucamonga, Calif.-based CO-OP Financial Services, said that what their fraud prevention team initially observed about some recent breaches, through MasterCard and Visa alerts, was cards apparently inserted correctly at the time of authorization (purchase). “Upon further research, we’re finding cards actually compromised due to additional activity.”
The fraud team learned some merchants are not setting up their EMV technology for return transactions, only for the purchases. Consumers in those instances are susceptible to compromise.
“Why that is important for us to recognize is that when we’re looking for common point of purchases, a lot of time credit unions only focus on where the authorization is taking place and not necessarily looking at other points of the transaction, such as the returns,” McAlpine pointed out.
Who is responsible for EMV usage? It’s not up to the member to make that decision; right now it is up to the merchant to ensure their practices are in line, McAlpine pointed out. “So not only are they using the same EMV technology for purchases but also for returns and other transactions.”
In all instances, the EMV-enabled POS terminals, if configured correctly, should read the 201 service code (101 is for mag-stripe only) when a dual-mode card is swiped and direct the consumer to dip the chip portion of the card in the correct place at the bottom of the terminal.
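The service-code check described above, extended to an audit that covers returns and cash advances as well as purchases, is sketched here as an added example that is not code from CO-OP or any terminal vendor. The record fields `type` and `entry`, the sample card number and the transaction list are constructed assumptions; the rule that a first service-code digit of 2 or 6 marks a chip card follows ISO/IEC 7813.

```python
import re

# Track 2 layout (ISO/IEC 7813): ';' PAN '=' YYMM expiry, 3-digit service
# code, discretionary data, '?'. The sentinels are optional in this parser.
TRACK2 = re.compile(r"^;?(?P<pan>\d{12,19})=(?P<exp>\d{4})(?P<svc>\d{3})\d*\??$")


def service_code(track2):
    """Return the 3-digit service code from a Track 2 string."""
    m = TRACK2.match(track2.strip())
    if m is None:
        raise ValueError("not a well-formed Track 2 string")
    return m.group("svc")


def chip_required(track2):
    """True when the first service-code digit (2 or 6) says the card has a chip."""
    return service_code(track2)[0] in "26"


def swiped_chip_cards(transactions):
    """Return every transaction where a chip card was read by magnetic stripe.

    All transaction types are checked, so a terminal that enforces the chip
    on purchases but swipes on returns or cash advances still shows up.
    """
    return [t for t in transactions
            if t["entry"] == "swipe" and chip_required(t["track2"])]


# Constructed sample data: a test card number, not real cardholder data.
CHIP_CARD = ";4111111111111111=2512201000000000?"    # service code 201
STRIPE_CARD = ";4111111111111111=2512101000000000?"  # service code 101

SAMPLE = [
    {"id": 1, "type": "purchase", "entry": "chip", "track2": CHIP_CARD},
    {"id": 2, "type": "return", "entry": "swipe", "track2": CHIP_CARD},
    {"id": 3, "type": "purchase", "entry": "swipe", "track2": STRIPE_CARD},
    {"id": 4, "type": "cash_advance", "entry": "swipe", "track2": CHIP_CARD},
]

if __name__ == "__main__":
    for txn in swiped_chip_cards(SAMPLE):
        print(f"txn {txn['id']} ({txn['type']}): chip card accepted by swipe")
```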
The CO-OP fraud prevention manager warned that some credit unions are not always configuring their EMV-enabled ATM systems correctly either.
“A lot of credit unions are setting up their ATM terminals with EMV but maybe not recognizing they need to use the same enable EMV technology on in-house ATMs,” McAlpine warned. One example is when members go to an ATM inside a branch to receive a cash advance.