Encrypted credit cards? Don´t they already exist?
Encrypted credit cards have been around for a long time now – or, at least, credit cards with a limited amount of encryption. The magnetic strip on the back of each credit card is encrypted, and so is some of the data in the more recent chip-and-PIN cards, but basically the security offered by most encrypted credit cards is, well, basic.
When you go shopping in a store like, let´s say Target, the retailer provides an electronic terminal for you to scan “encrypted” credit cards. The terminal sends your card´s identifying data to the credit card company´s servers to verify that you have the funds to pay for your purchases.
Although the electronic transfer of information is encrypted in transit and at rest, there is a weak point in the process during which the data is decrypted into clear text so that it can be read by the payment processing software. In Target´s case it was the point of sale (POS) electronic terminal where the weak point was located.
The Target hack was on a massive scale
Hackers used the weak spot in Target´s POS electronic terminals to steal the details of 110 million credit and debit cards. Not just the credit card numbers were taken, but their PIN numbers and the card holder´s address, email and phone number – suggesting that Target´s customer database was also hacked (because encrypted credit cards do not have your email address on the magnetic strip).
Initially the retail giant tried to cover-up the hack, but as shoppers started reporting unauthorized purchases on their credit accounts, Target had to come clean and admit to the data breach. As a result, the lawsuits are flying in, Congress called the company negligent and attorney generals in every state in the country are looking into the matter.
The damage to Target – both financially and in terms of lost reputation – will be billions of dollars
Yet the hack could have been worthless
Had the retail industry adopted properly secure encrypted credit cards, the hack of Target´s database would have been worthless. Properly secure encrypted credit cards work not by storing the credit card number and PIN on the magnetic strip, but by storing a random encrypted number and a public key.
When a purchase is made at a store like, let´s say Target, the retailer does not need the credit card number or PIN, just an authorization code so that the card can be charged. So, when the credit card is used, the random encrypted number and card holder´s public key is transmitted to the credit card issuer. The credit card issuer sends back an authorization code that just the credit card would be able to read.
This “PKI encryption” at the point of sale would mean that any hacked credit card details would be worthless to the hacker. It would cost billions of dollars to introduce a system for properly secure encrypted credit cards to be used in the retail industry, and there seems to be no consensus between banks, retailers, and credit card issuers on what standards should be used.
Google already making strides towards genuinely secure payments
Google has already addressed the problem of genuinely secure payments with the introduction of its Digital Wallet. The Digital Wallet works by isolating credit and debit card data and processing it outside of the Android operating system in a chip they called the Secure Element (SE).
Google´s plan of keeping credit card data out of the reach of malware running in the operating system has really taken off. Many companies are in a battle to come out on top in the lucrative market for credit card fees. Because of a lack of consensus, few manufacturers are adding the SE chip to mobile devices or the near-field communications chips needed to radio encrypted data from encrypted credit cards to the POS terminals.
Because of the lack of consensus between banks, retailers and credit card issuers, and a lack of knowledge about which way encrypted credit cards are headed – if at all – many more retail companies are likely to experience a similar attack to that witnessed by Target.