Double-encrypted PINs provide extra layer of protection in breaches

by Dan Kramer

As Target-breach updates continue to roll out, PIN compromise is among the hot topics. The question as to whether PINs were exposed in the holiday-time incident gained steam when JPMorgan Chase imposed limits on daily ATM withdrawals for impacted cards. Target has since confirmed the PINs were compromised, but insists hackers were unable to crack the encryption code that protects them.

Understandably, consumers are nervous that a PIN compromise could put their money at even greater risk, as counterfeit artists can more quickly and easily steal cold hard cash from an ATM. It’s much easier to swipe an odd-looking counterfeit card at an ATM than to hand it over to a store clerk. Yet it’s not possible to walk away from that ATM with money unless the fraudster also knows the PIN associated with their counterfeit card.

However, not many consumers understand the level of encryption that accompanies a PIN as it travels through the payments system. Unlike much of the mag-stripe data on a credit or debit card, PINs are essentially double encrypted, making them extremely difficult for hackers to read even if they do gain access to them. PINs are first encrypted at the point of sale (POS). They are then encrypted a second time as they travel from the processor back to the merchant for verification of available funds.

This is among the reasons PIN remains one of the most secure authentication methods available today. It’s also one of the reasons card-not-present fraud remains as high as it is today. Because acceptance of PIN in online environments is minimal, fraudsters can more easily access the accounts of their victims via e-commerce.
