At an estimated cost of $8-10 billion to implement EMV in the U.S., the security benefits of this convoluted effort would seem to be few and far between, making that investment--most of which will be borne by merchants and third parties--of little tangible value. Here's why:
Item #1: Counterfeit Reduction Will be Elusive. All EMV cards in the U.S. will be issued with a dual-mode mag-stripe option for the foreseeable future. The only difference in the mag-stripe option for an EMV card is the encoding of a service code ("201" vs. "101" for mag-stripe only). EMV-equipped and -ready POS terminals that read the 201 code when a dual-mode card is swiped direct the user to dip the chip portion of the card in the appropriate slot (at the bottom of the terminal) instead. Thieves and hackers know this, so when they obtain a lost or stolen card (or compromise a mag-stripe database from merchants without EMV capabilities), they simply program in the 101 code, and commit mag-stripe fraud at any merchant doing mag-stripe only (the vast, vast majority at this time). So reduction of counterfeit in the U.S. (which Nilson Reports estimated as 29% of total GLOBAL card fraud--a situation which drove the card brands to finally push EMV in the U.S. as European issuers complained about rampant fraud in this country) is not likely to come any time soon as mag-stripe use is projected to continue for 10-15 years (versus hard-stops in mag-stripe acceptance within five years in EMV-implementing countries like the U.K. and Canada).
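The service-code check described in Item #1, and the host-side comparison that catches a stripe whose code no longer matches what was issued, as an added Python example that is not part of the original post. The track data is constructed, and the per-account lookup of the issued service code is an assumption.

```python
import re

# ISO/IEC 7813 Track 2 layout: ;PAN=YYMM + 3-digit service code + discretionary data + ?
TRACK2 = re.compile(r"^;(?P<pan>\d{12,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\?$")

# Constructed sample reads (test PAN, not real card data).
GENUINE_SWIPE = ";4111111111111111=2512201000000000?"   # stripe as issued on a chip card
ALTERED_SWIPE = ";4111111111111111=2512101000000000?"   # same account, service code changed


def parse_track2(raw):
    """Split a Track 2 read into PAN, expiry, service code and discretionary data."""
    m = TRACK2.match(raw.strip())
    if m is None:
        raise ValueError("not a well-formed Track 2 record")
    return m.groupdict()


def is_chip_card(service_code):
    """First digit 2 or 6 tells the terminal the card has a chip; 1 or 5 means stripe only."""
    return service_code[0] in "26"


def assess_swipe(raw, issued_service_code, terminal_has_chip_reader):
    """Decide how to treat a swipe.

    issued_service_code is what the issuer encoded at personalization
    (assumption: the authorizing host can look this up per account).
    """
    svc = parse_track2(raw)["svc"]
    if svc != issued_service_code:
        return ("flag", "stripe carries %s but card was issued with %s" % (svc, issued_service_code))
    if is_chip_card(svc) and terminal_has_chip_reader:
        return ("prompt_chip", "chip card swiped at a chip-capable terminal")
    return ("allow_swipe", "stripe read accepted")


if __name__ == "__main__":
    for label, raw, chip_reader in [("genuine, EMV terminal", GENUINE_SWIPE, True),
                                    ("genuine, stripe-only terminal", GENUINE_SWIPE, False),
                                    ("altered, stripe-only terminal", ALTERED_SWIPE, False)]:
        print(label, "->", assess_swipe(raw, "201", chip_reader))
```

A stripe-only terminal never acts on the service code, so the altered read is caught only where the swiped value can be compared with the issued one.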
Item #2: Chip+PIN is discouraged by the brands. Armed with complete information about what's safe and what's not, just about every ingenuous party--including the Attorneys General of eight states in late November--believes that we can't get effective security from chipcards without including PINs. It's been reported that some 30% of the issuers cannot technically process PINs for credit because of outdated system limitations, so they--and the network brands--fall back on the old canards that a) consumers can't remember another PIN, and b) only 35% of merchants have implemented PIN. Meanwhile, legally-compliant deployment of debit--where PIN protection is widely accepted and used--is running into predictable problems because EMV was not designed to accommodate choices among brands easily. PIN use prevents most lost and stolen card fraud (the source of about 15% of U.S. card fraud), and helps foil some fraud from counterfeiting mag-stripes.
Item #3: The card brands don't want PIN on credit cards. One of the problems is re-setting a PIN (e.g., from an ATM). For debit, banks had to figure out how to do that. They never built that for credit accounts. Many credit accounts are processed through other parties; if PINs were required, those parties would have to implement/re-route credit auths through different rails. Credit and signature-debit rails for many smaller FIs are primitive; to THIS DAY, 25% of Visa's signature-debit transactions, which ride the credit rails, take 2-3 days to clear and settle for this reason--no better than the worst ACH transactions.... While Visa and MC have been scrambling to put up credit and debit 'gateways' for issuers to attenuate problems like these, we still have nearly one-third of banks wholly unable to do much of anything in real-time--or to support PINs across the board.
Item #4. EMV Exposes Sensitive Account Credentials. The EMV chip encrypts payment account credentials (e.g., the PAN, expiration date, etc.), but when the protocol communicates with a POS terminal, all of the data except the Cardholder Verification Value (the 3-4 digit code seen in the white panel of plastic cards) is decrypted. The encrypted CVV is combined with a portion of the transaction information (e.g., the date, merchant ID, etc.) as a cryptographic 'blob' that is sent to the merchant's acquirer for decryption and processing. The rest of the account credentials are decrypted at the POS, and remain in the clear there. If those credentials are intercepted (or stored in a merchant database that is compromised), they can be used to commit fraud online at websites that do not use the CVV as part of the authorization sequence (including Walmart.com, several airlines, and other retailers--about 20% of online merchants producing 30+% of volume).
Item #5. EMV Deployment Drives Fraud Online. Finally, most deployments of EMV (except in Spain) have eventually reduced fraud at POS, but driven that fraud to other channels--namely online purchases. Some researchers are projecting a doubling of "Card Not Present" fraud in the U.S. within a few years, due mainly to the incremental impact of EMV. Yet EMV has no solution at present for CNP/online environments--nor does EMVCo, which is owned by the six global card brands (Visa, MC, Amex, Discover, JCB and China Union Pay), have any expertise in developing online solutions. Thus, it is conceivable that EMV, as being implemented in the U.S., could cause more fraud than it eliminates!
So there is no bang for the EMV buck--not the way the card brands are implementing it at this time. Pretending that EMV would have prevented the problems experienced with the Target and Home Depot data breaches is disingenuous at best. Tokenization would help--but there are no plans by the brands at this point to tokenize EMV card transactions (beyond providing the dynamic CVV encryption, which prevents an EMV transaction from being replayed by a crook).
A much more worthy (and cost-effective) effort would be to address the EXISTING problem produced by mag-stripe. Securing today's mag-stripe transactions--which can be done by a variety of methods, including Magtek's CyberStripe offering--would be a much better return on the investment of time, money and effort by the nation's merchants. Such a hedge on the dumbed-down programs of the card brands would pay off for society far sooner, and--if pursued now--might avoid the wasted investments in and hassles with EMV that are underway today.