DecryptedTech

Sunday27 November 2022

Is seven seconds worth having your data stolen, some retailers think it is


Reading time is around minutes.

There is a report that over the holidays several retailers disabled the EMV (Chip and Pin) functionality of their card readers. The reason for this? They did not want to deal with the extra time it takes for a transaction. With a standard card swipe (mag-swipe) you are ready to put in your pin and pay in about three seconds. With EMV this is extended to roughly 10 seconds. Of course when you add in all of the other items that retailers throw in (are you are rewards member?) your checkout time can be lengthened quite a bit.

Instead of working with the customers or removing the ads and crap retailers were choosing to simply turn off the EMV security. Of course that is saying that the outlet you are shopping at even has EMV turned on to begin with. Since EMV became a requirement many companies are hedging their bets in the hopes that they do not have a breach before they finally chose to put EMV in place. This is a dangerous game to play with customers data considering the changes in the laws. Now the outlet is directly liable for the loss and is open to legal action (including class action) in the event of data theft.

This type of behavior is, sadly, not uncommon at all. It is all about trying to put off paying for the devices, services and other items that allow the system to function. Any major change to a point of sale system is a big hit financially and the EMV security restrictions (including point to point encryption) are pretty big. Even handling the card readers now requires access control and secured storage for the devices. To make things worse, not every PoS developer is ready or fully supports EMV. Far too many of them have not even begun to make the changes needed. They bank on the fact that their customers will not leave them due to the high cost of replacing a PoS system.

It is an ugly pattern that we are seeing more and more of. Consumer data is not important in the face of profits and cash flow. Companies are expecting their breach insurance and the card issuers to deal with the problem so they do not have to. The concept hat not sunk in that breach insurance will not cover you if you knowingly fail to meet PCI standards. Meanwhile the card issuers are shifting responsibility to the retailers making them directly liable…. In the end the only people that are really affected are the consumers that lose money and time when their data is stolen.

Leave a comment

Make sure you enter all the required information, indicated by an asterisk (*). HTML code is not allowed.