Johannes Lintzen

It seems as of late, no one is safe from getting hacked. From hospitals to retail giants, cybercrimes are becoming more sophisticated and more frequent. While financial institutions are one of the most advanced electronic industries today, the financial industry also controls some of the most valuable assets and therefore has the most to lose in an attack.

EMV is a global standard for credit and debit payment cards based on chip card technology. EMV seeks to make financial transactions more secure. In October 2015, the so-called liability shift sets in. From this point forward, both merchants and issuers (including credit unions) alike will be liable for fraud incurred if they have not yet adopted EMV technology.

Unlike many financial industry mandates, EMV migration is not a government mandate; instead, the change is being driven by the major credit card players in the banking industry (American Express, Discover, JCB International, MasterCard and Visa). The United States is far behind in transitioning toward the safer payment method of chip and PIN compared to Europe, which has been deploying EMV for almost 20 years.

While the EMV technology is tested and proven to be successful, the reason U.S. companies have dragged their feet is the extensive infrastructure changes that will need to be made. From credit card machines to gas pumps, every single point-of-sale terminal will need to be replaced to complete EMV migration.

Financial institutions in particular will need to revise their entire infrastructure and operations. A Credit Union Times article reported in August that only 2% of credit unions have completed their switch to EMV or begun the process. As institutions make the move toward EMV migration, becoming familiar with fundamental security terms and devices will help ensure effective transition and proper storing of client high-value assets.

Transitioning to EMV Means Securing Your Payment Data

Typically, payment data flows from the customer in the swipe of the payment card, via the merchant’s point-of-sale terminal, to the acquirer and then onward to the issuer or card association for payment authorization. With EMV, payment data can be stored directly in the chip of the payment card, instead of the unsecure magnetic stripe, thus effectively preventing counterfeiting of cards.

EMV solves one important part of the problem by providing proof of possession (of the card, since counterfeiting becomes difficult and cost prohibitive to the attackers). With EMV, dipping the EMV card (instead of swiping it) allows for the chip card to generate a one-time code called unique to the current transaction. Still, whether data is at-rest or in-transit, it needs to be secure at all times.

While the EMV chip specifications do not help us here, the EMV tokenization specifications will. Data at-rest is data recorded on storage media and is only considered secure if the data is protected through strong encryption. Securing data in-transit is equally important – to ensure against liability around losing cardholder data the merchant will want to make sure that data is protected from the moment it is received on the POS terminal: In-transit data is classified as secure when both parties (or data endpoints) are capable of maintaining a data transfer channel that is identified, authenticated, authorized, and private, meaning no backdoor can be deployed to intercept communication between the two parties.

Managing Cryptographic Keys to Avoid Third-party Breaches

When an EMV chip is embedded in a card, it helps ensure that the card being used is real and that it in fact belongs to the person using it, thereby drastically reducing the risk of stolen or counterfeit cards. On the back-end, safekeeping payment data means encrypting and decrypting data with the use of cryptographic keys. How to safely manage cryptographic keys is therefore a critical element of EMV.

Key management involves creating, deleting, storing and distributing keys. For EMV, a number of requirements must be met when managing keys, some for physical security and others for procedural aspects.

The primary security device for key management is a dedicated Hardware Security Module. An HSM is a small computer encapsulated within a tamper-evident coating. It can either be a stand-alone box or an embeddable electronics board. The rule is that a key must only be in clear form inside an HSM. Outside the HSM, it must either be in encrypted form, with the encryption taking place inside the HSM, or be split into several independent components.
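
The component-splitting option in the rule above, as an added example (not from the original article or any vendor's product): a key is divided into XOR components for separate custodians, and recombination is rejected unless every component is present and correct. The function names and the hash-based check value are assumptions of this example; in a real deployment the recombination takes place inside the HSM.

```python
import hashlib
import hmac
import secrets
from functools import reduce


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("components must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def check_value(key: bytes) -> str:
    # Assumption: a truncated SHA-256 stands in for a key check value here,
    # letting custodians confirm a recombination without seeing the key.
    return hashlib.sha256(b"check-value:" + key).hexdigest()[:6].upper()


def split_key(key: bytes, n: int) -> list[bytes]:
    """Split key into n components; all n are required to rebuild it."""
    if n < 2:
        raise ValueError("need at least two components")
    # n-1 components are fresh random strings, independent of the key.
    parts = [secrets.token_bytes(len(key)) for _ in range(n - 1)]
    # The last component is the key XORed with all of the random ones.
    parts.append(reduce(xor_bytes, parts, key))
    return parts


def combine_components(parts: list[bytes], expected_check: str) -> bytes:
    """Rebuild the key and reject a missing or mistyped component."""
    if len(parts) < 2:
        raise ValueError("need at least two components")
    key = reduce(xor_bytes, parts)
    if not hmac.compare_digest(check_value(key), expected_check):
        raise ValueError("check value mismatch: wrong or missing component")
    return key


if __name__ == "__main__":
    master = secrets.token_bytes(16)  # constructed sample key
    components = split_key(master, 3)  # one per key custodian
    rebuilt = combine_components(components, check_value(master))
    print("rebuilt matches:", rebuilt == master)
```

Because each component on its own is a uniformly random string, a single custodian's share reveals nothing about the key.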

Pros and Cons of Outsourcing Key Management

There are several processes related to key management, including the generation, exchange, storage, use, and replacement of keys. For smaller financial institutions, these processes are typically managed by third-party service providers such as payment processors. For larger financial institutions, it is more common to manage keys in-house. How an issuer chooses to manage the process, whether through internal or external processes, or through a combination of both, is really a matter of preference and cost.

Critical to understand in the face of EMV is that the issuer is responsible for ownership of the keys, and that a suitable key management strategy must be in place. There might be security policies in place to ensure that sensitive keys are only managed in-house, or there might be a long history of successful outsourcing due to limited internal knowledge about the card issuing and acquiring procedure, or perhaps the procedure is centralized through a banking organization, and so on. It is now the responsibility of banks and credit unions to find the most productive and cost-efficient way to manage their migration.

By October 1, 2015, when the EMV liability shift occurs in the U.S., Visa and MasterCard plan to issue more than 550 million chip and PIN cards in the United States. Before then, credit unions need to have an infrastructure in place to handle the new cards and to better protect themselves from data breaches.

Johannes Lintzen is vice president of sales and business development at the German-based infrastructure security firm Utimaco.
