The banks need to think carefully about how they deal with security flaws in Chip and PIN technology if they are to maintain the trust of merchants.
Last week’s revelation that Cambridge University researchers have once again compromised the security of the Chip and PIN system does not come as much of a surprise.
Systems security always needs to be an ongoing process. Once you put a wall up, someone – whether crook or academic – will try to find a way around it. And it is normally only a matter of time before they succeed.
What is strange is the banks’ seeming reluctance to talk to the boffins about how the security of the payment system could be improved. The researchers say they have reported the loophole to the banks and identified ways Chip and PIN could be upgraded to stop crooks from exploiting the technique.
The response from the payment industry has not exactly been deafening. And it has appeared to focus on the argument that, as every brand of Chip and PIN bank card could be exploited, no single organisation can take responsibility for the flaw.
The card schemes and banks are happy for major retailers to spend hundreds of thousands of pounds upgrading their systems to comply with the Payment Card Industry Data Security Standard (PCI DSS), and they continue to raise the bar with new versions of the standard to stay one step ahead of fraudsters.
But what is the point of this without an ongoing security upgrade regime for the core Chip and PIN technology?
The boffins are right to continue to expose the weaknesses of the current system (the same team came up with a way to clone Chip and PIN cards two years ago). Now it’s up to the banks to put their money where their mouth is on payment security.

















