In association with heise online

07 January 2010, 13:28

EC card disaster: French manufacturer Gemalto takes responsibility

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

In a statement, French vendor Gemalto has taken responsibility for the current EC and credit card disaster in Germany. The vendor says it is currently working with the banks to solve the problem and avoid having to replace an estimated 30 million faulty cards. It remains unclear how a solution might be implemented and whether this could involve a software update of the EMV application installed on the cards embedded chip. The problem is caused by a flawed date processing mechanism on the chip which, since the first of January, 2010, has caused the EMV application to terminate certain transactions in terminals equipped with the latest software version.

The Central Credit Committee (ZKA), the stakeholders of the German banking industry, are investigating whether or not it is possible to re-program the faulty cards. Conceivably this would involve the card holders inserting the card in a specially modified ATM at their local bank and although it would in itself be a herculean task, it would negate the need for card replacement and provide a solution for any similar future problems.

The current workaround for getting retail terminals to accept the affected cards only downgrades terminals from the secure EMV method to old, insecure methods. For this purpose, the respective network operators have to reconfigure all "TA 7.0" terminals in such a way that they no longer communicate with cards via the EMV application, but use the "electronic cash ecc" or the magstripe-based "electronic cash Spur 2" applications to authenticate cards. However, magstripes in particular were to be decommissioned within the medium term to avoid problems like skimming attacks. It's been reported that some retailers are using sticky tape to isolate the contacts on the cards. This forces the reader to fall back to reading the magnetic stripe to process the card data. The ZKA are warning against this work-around as they say this could damage either the card or the reader.

In some cases card holders can identify whether or not their cards are likely to have a problem by looking for a manufacturers mark printed on the upper right corner of the back of the card. Cards marked with a G & D, are cards manufactured by Giesecke and Devrient and should not be affected. Unfortunately many cards, those issued by savings banks for example, do not bear a manufacturers mark.

Should the cards indeed require replacing, this would involve considerable expense. At a cost of around 8 euros per EMV-enabled card and with 30 million EC and credit cards in circulation, the total cost of replacement would be 240 million euros – plus the labour for several terminal reconfigurations. If the cards are replaced it remains to be seen who would foot this bill. Whether Gemalto would have to take sole responsibility or whether the vendor could pass some of it to others remains an open question. After all, the faulty module was tested by various authorities and approved by the German Zentraler Kreditausschuss (ZKA) banking industry association.

Gemalto shares dropped by almost 4% at the Paris stock market on Wednesday. In a statement, Gemalto CEO Olivier Piou emphasised that the vendor intends to honour all its contractual obligations. Gemalto is certain that a solution that allows German customers to return to normal use of their cards will soon be found. Cards that the vendor has produced for other countries are apparently not affected.

See also:


Print Version | Send by email | Permalink:

  • July's Community Calendar

The H Open

The H Security

The H Developer

The H Internet Toolkit