EMV Is No Payment Security Panacea
Implement EMV and you eliminate payment card fraud, right? Wrong.
On Oct. 1, 2015, the U.S. will become the last G20 country to transition to EMV technology, which leverages a chip in the payment card instead of a magnetic stripe to authenticate a transaction.
The benefit of EMV lies in the dynamic nature of the data; because the chip creates a unique code for each transaction, it isn’t possible for criminals to use stolen credit card numbers to create fake EMV cards as they can with magnetic stripe cards.
As Ovum senior analyst Kieran Hines notes, it’s not going to be an easy or inexpensive change to make. "Migrating to the EMV standard involves replacing or modifying all mag-stripe only credit and debit cards, as well as the PoS (point-of-sale) terminals and ATMs that they are used in," he says.
And that’s why it’s taken so long for the U.S. to move forward on the change. As the primary benefit of EMV is in reducing card cloning and the use of lost/stolen cards, the argument made by U.S. issuers and acquirers has been that the benefits don't outweigh the costs, Hines says.
Still, Aite Group senior analyst Shirley Inscoe warns that it won’t be a good idea for either merchants or card issuers to cut corners in that process.
"Most of the card issuers are issuing EMV credit cards, but they’re holding off on replacing their existing debit cards," she notes. "Personally, I think that’s a big mistake, because I think it’s going to drive a lot of the fraud to debit cards, and their strategy of waiting to issue debit cards is going to backfire."
Other Forms of Card Fraud
While EMV cards will eliminate a significant amount of fraud at the point of sale, that doesn’t mean fraud will disappear. "When you’re talking about billions of dollars a year, the bad guys are not going to just give up that kind of income," Inscoe says. "They’re going to find another way to replace that income, so what they’re going to move to is partially online fraud, where they don’t have to use a chip."
They’ll also likely shift to application fraud – using stolen identities to apply for and use legitimate cards. "We'll see that application fraud becomes a real problem – and institutions are going to have to become much more focused on application fraud, because frankly it hasn’t been a big issue up until now for them, but it will be after EMV rollout," Inscoe says.
While the UK saw a significant increase in card-not-present fraud after its EMV rollout, Inscoe says the U.S. is likely to see an even greater surge, simply because it’s the last to the table. "As these other countries rolled out EMV, a lot of their fraud just moved to another market," she says. "For example, when Canada rolled out EMV, we joked about how they’d sent all their card fraud south of the border to the United States."
EMV alone won’t be enough to eliminate credit card fraud. "Security usually is a layered approach, and EMV certainly tackles specific types of risks," says Bob Lowe, vice president of business development at Shift4. "If it’s implemented with other approaches, it does provide a fairly complete solution. Our concern is … just because you get an EMV device, that doesn’t mean the traffic coming out of that device is secured."
Aite Group’s Inscoe says it’s important to understand that EMV alone would not have prevented many major retail breaches, such as the massive Target breach in 2013.
"It would have happened just as it did even if EMV had been totally rolled out," she says. "The difference is that the data that was stolen could not then have been used to create counterfeit cards to use at point of sale – they would have used that data in a card-not-present environment."
EMV Shouldn't Go It Alone
When it’s used as part of a complete solution, Shift4’s Lowe says, EMV can really make a difference.
"Used in conjunction with the right encryption approach and with tokenization, you certainly can eliminate cardholder fraud from a merchant environment. EMV gives you more authentication of the card itself, so it removes the risk that you’ve got a person standing in front of you with a card that happens to be a clone of a card that was stolen some time ago," he says. "That’s the particular risk that it addresses."
A recent survey of more than 500 leading North American retailers by Boston Retail Partners (BRP) found that many respondents understand the importance of a complete solution that reaches beyond EMV. According to the survey results, the use of end-to-end encryption by retailers is expected to increase by 151 percent by the end of 2016, and the use of tokenization will increase by 130 percent by the end of 2016.
As the BRP report notes, "EMV adoption does not actually reduce the risk of a breach; rather it weakens the incentive for thieves to steal credit card information by requiring that the physical card (and its security chip) be present at the transaction. A second line of defense – encrypting credit card data at the swipe – is also highly recommended."
Chip-and-PIN vs. Chip-and-Signature
There are two types of EMV cards – chip-and-PIN, which requires the cardholder to enter a PIN to complete the transaction, and chip-and-signature, which uses a signature to verify the transaction instead. In the U.S., Shift4’s Lowe says, Visa has committed to chip-and-signature while MasterCard has said it’s up to the issuing bank to decide which solution to use.
Lowe says the difference between Visa’s and MasterCard’s positions could lead to a unique situation in the U.S. market.
"Could we ever see an environment where, because Visa has said you don’t need a PIN but MasterCard is saying you should have a PIN, will we ever see a situation where restaurants end up saying, 'Well, we take Visa but not MasterCard?'" he asks.
Regardless, Ovum’s Hines says the shift to using a PIN can be a challenge for consumers who aren’t familiar with the process.
"The experience in other markets shows that this isn't a problem once things are bedded in, but it is an issue in the short term, and both merchants and issuers will need to be prepared to handle these situations," he says. "This can also lead to consumers closing some card accounts, to reduce the numbers of PINs they need to remember."
Chip-and-signature still offers significant security benefits, Lowe says. "Every time a chip is used, a cryptogram is written back to the chip, which is going to be looked to be seen the next time," he says. "So what we’re doing is making sure that the card itself is bona fide. We know this is a good card – we know it can’t be a copy."
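The per-transaction code that distinguishes a chip from a magnetic stripe, and the issuer-side check that makes a copied card useless, can be modelled as follows. This Python example is added here for illustration and is not from the article or the EMV specification: HMAC-SHA256 stands in for the real EMV cryptogram algorithm, and the class names, fields, key and card number are constructed for the example.

```python
import hashlib
import hmac

def cryptogram(key, pan, atc, amount, nonce):
    # Stand-in for the EMV cryptogram: HMAC-SHA256 over the transaction fields.
    msg = f"{pan}|{atc}|{amount}|{nonce}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

class Chip:
    def __init__(self, pan, key):
        self.pan, self._key, self.atc = pan, key, 0  # key never leaves the chip

    def sign(self, amount, nonce):
        self.atc += 1  # each transaction uses a fresh counter value
        return {"pan": self.pan, "atc": self.atc, "amount": amount, "nonce": nonce,
                "cryptogram": cryptogram(self._key, self.pan, self.atc, amount, nonce)}

class Issuer:
    def __init__(self):
        self.keys, self.last_atc, self.stripe = {}, {}, {}

    def enroll(self, pan, key, stripe_code):
        self.keys[pan], self.last_atc[pan], self.stripe[pan] = key, 0, stripe_code

    def verify_chip(self, txn):
        pan = txn["pan"]
        if pan not in self.keys:
            return "declined: unknown card"
        expected = cryptogram(self.keys[pan], pan, txn["atc"], txn["amount"], txn["nonce"])
        if not hmac.compare_digest(expected, txn["cryptogram"]):
            return "declined: bad cryptogram"
        if txn["atc"] <= self.last_atc[pan]:
            return "declined: counter already seen"
        self.last_atc[pan] = txn["atc"]
        return "approved"

    def verify_stripe(self, pan, code):
        # Static data: the same values verify every time they are presented.
        return "approved" if self.stripe.get(pan) == code else "declined: bad code"

def demo():
    pan, key = "4000000000000002", b"constructed-test-key"  # constructed sample values
    issuer, chip = Issuer(), Chip(pan, key)
    issuer.enroll(pan, key, "123")
    captured = chip.sign(2500, "nonce-A")  # everything the terminal ever sees
    stale = {**captured, "atc": 2, "nonce": "nonce-B"}  # old cryptogram, new challenge
    return {"genuine": issuer.verify_chip(captured),
            "replay": issuer.verify_chip(captured),
            "stale_cryptogram": issuer.verify_chip(stale),
            "stripe_replay": [issuer.verify_stripe(pan, "123") for _ in range(2)]}
```

Calling demo() shows the chip transaction approved once and declined on both reuse attempts, while the static stripe data is approved every time it is presented.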
Apple Pay and More
Beyond EMV, Aite Group’s Inscoe says there is huge promise in mobile payment solutions, which are already making their mark. While some called Apple Pay a failure after only 4.6 percent of consumers who could have used it on Black Friday 2014 actually did so, Inscoe says it’s also reasonable to view that as a huge win for a solution that had only just arrived on the market.
Ovum’s Hines says there are several benefits to mobile payment technologies like Apple Pay.
"For example, one of the key aspects of Apple Pay is that the transaction uses a token (a one-use card number) to pass to the merchant's PoS terminal," he says. "As a result, the customer's actual card number is never shared with the merchant, making the transaction more secure than an EMV transaction in effect."
With that in mind, Inscoe urges merchants to consider upgrading their PoS terminals not only to accept EMV transactions, but also to accept NFC solutions like Apple Pay.
"In other words, be ready to accept the new cards with EMV chips, but also be ready to use mobile payments. That way, they won’t have to look at possibly replacing their terminals twice," she says. "And I would recommend that they replace them and upgrade them as quickly as they can."
Shift4’s Lowe says it’s also crucial to examine any solution you’re considering as fully as possible.
"The challenge is seeing past the box-ticking approach and understanding truly what you’re getting," he says. "There will be EMV solutions out there that are secure, and there will be EMV solutions out there that are not secure. … And clearly, a solution that uses EMV in conjunction with point-to-point encryption is going to be more secure than a solution that just has EMV."
Despite all the challenges the U.S. will inevitably face in adopting EMV, Hines says it’s a worthwhile shift to make. "We're looking at a massive upgrade in the security of the card base and acceptance network, so this will absolutely make a big difference to card security for U.S. consumers."
Jeff Goldman is a freelance journalist based in Los Angeles. He can be reached at firstname.lastname@example.org.