David Marcus, president of PayPal, admitted on Twitter Monday that his Europay, MasterCard and Visa (EMV) credit card was skimmed during a recent visit to the UK. The culprit then used the information to make a series of purchases.
Chip cards cannot be cloned, so how was Marcus’ card compromised?
Toronto-based security expert Chris Mathers believes what likely happened is that the chip card terminal had an issue processing the card as a chip card and instead processed it like it would an ordinary mag-stripe card.
“It’s happened to me here in Canada a couple of times, and we’re exclusively chip here,” Mathers said. “I’ve put my card in and the merchant says ‘we’re not reading your chip. Swipe it’. I think it’s because the cards and the machines can’t talk to each other all over the world. There’s no common international protocol. There are varying degrees of card security depending on the jurisdiction you’re in.”
Marcus’ mishap is sobering news for chip-card advocates because it calls into question the security of chip cards. Some security experts have warned that chip cards would not have prevented the recent breach at US retailer Target, Digital Transactions noted. Given that data can still be transmitted unencrypted, or in plain text, during an EMV transaction, fraudsters could still theoretically intercept the same data they would from mag-stripe cards, such as the primary account number (PAN), card expiration date and cardholder name.
EMV proponents say that information would be useless to hackers because it is still virtually impossible to clone a chip card. But they could still use that data to make purchases online, where not having the chip wouldn’t matter.
“The same controls that would keep the data safe in an EMV world would also keep the data safe in a Non-EMV world,” wrote business security specialist Branden R. Williams, in a blog post. “So, the stock answer is no, EMV by itself would not have prevented the Target breach. In fact, we know that EMV actually facilitates card-not-present fraud due to their handling of ‘routing information,’ which is what we call ‘sensitive authentication information,’ or the data that is typically known in the mag-stripe as tracks data.”
However, other experts insist that such a breach could not have happened with EMV, as the encryption is said to begin at the point-of-sale (POS) terminal. “The minute you put your information in, it’s encrypted there,” said Mathers. “I’m not going to say it’s not possible – as we know, anything is possible. But the encryption starts at the POS terminal, which is supposed to provide you with an extra level of security. So the overriding question is, how long will that extra level of security hold?”
Cash-flow based metrics now feature prominently alongside traditional revenue measures of business performance in the key figures or financial summary pages of any public company.
GTNews asks Pugsley about what advice she would give to treasurers dealing with mergers and acquisitions, what the key challenges for her year ahead will be and how she is selecting a treasury management system (TMS).
The US money market fund reforms came into effect in 2016 and are already dramatically shaping US fund industry with investors flooding out of prime funds and into government securities. While the reforms are similar, they are not the same. GTNews interviews Yeng Bulter, global head of the cash business at State Street Global Advisors on the differences.
Tim de Knegt, strategic finance and treasury manager for the Port of Rotterdam, discusses how he is using blockchain, the challenges he will face in his role of treasury over the next 12 months and the advice he would give to someone starting out their career in treasury.