Supervalu breach shows why move to smartcards is long overdue

US remains one of the last developed nations to use magnetic stripe cards

The data breach disclosed by Supervalu on Thursday shows yet again why the ongoing migration of the US payment system to smartcard technology can't happen soon enough.

Supervalu is one of the largest grocery wholesalers and retailers in the U.S., and the breach could affect thousands of people who shopped at the company's stores between June 22 and July 17, as well as customers of several other major grocery store chains for which Supervalu provides IT services. Supervalu has posted an online FAQ (PDF) with details about the breach, which followed a criminal intrusion into its payment processing network.

The U.S. is the last among the developed nations to still predominantly use credit and debit cards based on magnetic stripe technology. Most other advanced countries moved to chip-based cards built on the Europay MasterCard Visa (EMV) standard a long time ago.

EMV-based smartcards have proved to be considerably safer to use than magnetic stripe cards because they are almost impossible to clone. Crooks who manage to steal data from a smartcard would be unable to use it to create a fraudulent card, as they often do with magnetic stripe cards.
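To make the cloning point concrete, here is a toy model added for this article (it is not Supervalu's, the card brands' or the EMV specification's actual message format): a magnetic stripe emits the same static bytes on every swipe, so a copy of captured data authorizes like the real card, while a chip signs each transaction with a per-card key over a terminal challenge and a counter, so a captured transaction cannot be replayed. HMAC-SHA256 stands in for the card's cryptogram, and all keys and account data are constructed.

```python
import hmac, hashlib, secrets

# Constructed sample card data; not a real account number.
PAN, EXPIRY = "0000111122223333", "2512"

def magstripe_track(pan, expiry):
    """A magstripe holds fixed data; every swipe emits the same bytes."""
    return f"{pan}={expiry}".encode()

def authorize_magstripe(track, issuer_tracks):
    """Issuer can only check that the static track matches what it issued,
    so a clone built from a captured track is indistinguishable from the card."""
    return track in issuer_tracks

class ChipCard:
    """Toy chip: a per-card secret key and a transaction counter (ATC)."""
    def __init__(self, pan, key):
        self.pan, self.key, self.atc = pan, key, 0
    def cryptogram(self, amount_cents, unpredictable_number):
        self.atc += 1                                  # never repeats
        msg = f"{self.pan}|{amount_cents}|{unpredictable_number}|{self.atc}".encode()
        mac = hmac.new(self.key, msg, hashlib.sha256).hexdigest()
        return {"pan": self.pan, "amount": amount_cents,
                "un": unpredictable_number, "atc": self.atc, "mac": mac}

class Issuer:
    def __init__(self, card_keys):
        self.card_keys, self.last_atc = card_keys, {}
    def authorize_chip(self, req, terminal_un):
        key = self.card_keys.get(req["pan"])
        if key is None or req["un"] != terminal_un:
            return False                               # unknown card or stale challenge
        if req["atc"] <= self.last_atc.get(req["pan"], 0):
            return False                               # counter already seen: replay
        msg = f"{req['pan']}|{req['amount']}|{req['un']}|{req['atc']}".encode()
        expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, req["mac"]):
            return False                               # forged or tampered cryptogram
        self.last_atc[req["pan"]] = req["atc"]
        return True

def run_scenario():
    """Outcomes for a cloned magstripe and a captured chip transaction."""
    track = magstripe_track(PAN, EXPIRY)
    magstripe_clone_ok = authorize_magstripe(bytes(track), {track})  # copy of captured bytes
    key = secrets.token_bytes(16)
    card, issuer = ChipCard(PAN, key), Issuer({PAN: key})
    un1 = secrets.randbits(32)
    req = card.cryptogram(1999, un1)
    chip_genuine_ok = issuer.authorize_chip(req, un1)
    captured = dict(req)                               # same capture point as the track
    chip_replay_ok = issuer.authorize_chip(captured, secrets.randbits(32))  # fresh challenge
    chip_replay_same_un_ok = issuer.authorize_chip(captured, un1)           # counter check
    return {"magstripe_clone_ok": magstripe_clone_ok, "chip_genuine_ok": chip_genuine_ok,
            "chip_replay_ok": chip_replay_ok, "chip_replay_same_un_ok": chip_replay_same_un_ok}
```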

In many of the countries that have adopted the technology, users are required to enter a Personal Identification Number (PIN) instead of providing a signature when using the card, making the cards almost unhackable. Even if hackers are able to gain access to a smartcard, they need to know the PIN in order to use it.

In the U.S., MasterCard and Visa have set a deadline of October 2015 for all retailers to begin supporting EMV smartcards. After that deadline, any retailer that has not yet made the move would be held liable for the costs of a data breach.

The credit card companies have not mandated the use of PINs in the U.S. Instead, they have left it up to retailers and card-issuing banks to decide whether to require a PIN.

The National Retail Federation (NRF) and other retail industry trade groups have raised a ruckus over this issue. They have claimed that moving to smartcards without having a mandatory PIN is a half-baked move. They have noted, for example, that EMV technology does little to prevent crooks from using stolen card numbers to make online or phone purchases.

In numerous position papers and statements over the past several months, they have proposed alternatives to EMV technology such as tokenization and end-to-end encryption, which they argue are cheaper and more effective.

According to the NRF and others, if the U.S. payment industry has to embrace more secure technology, it makes sense to move to something that addresses both current and emerging security threats, rather than only part of the problem, as smartcards do.

While such concerns might have merit, they ignore time constraints.

Cybercrooks are not waiting for the U.S. retail industry to debate the merits and demerits of different technologies. In recent years, much of the credit and debit card fraud has migrated from other countries to the U.S. simply because magnetic stripe cards are a much easier target than smartcards.

Smartcards will almost certainly make it harder for crooks to perpetrate payment card fraud. While the cards may not be perfect, they are safer than magnetic stripe cards. There's nothing to stop merchants from implementing a PIN requirement if they want to. Nor is there anything to prevent merchants from adopting end-to-end encryption, tokenization or other measures to further bolster card security.

Implementing better security is going to cost money, with estimates into the billions of dollars. Across the U.S., merchants will need to replace or upgrade an estimated 13 million point-of-sale systems to make them ready for EMV card transactions. But the alternative is more data breaches of the sort that Supervalu acknowledged this week.

And those often prove even more costly to remediate than just implementing more secure technology in the first place.

Just ask Target.


Stories by Jaikumar Vijayan
