This column is available in a weekly newsletter called IT Best Practices.
If you live in the United States and you have a credit card, chances are high your bank recently sent you a new card with an embedded smart chip. Banks and other card issuers are scurrying to put chip-enabled credit cards in their customers' hands. Debit cards, too. These cards are critical for a new security system for card-based payments that will go into effect in the U.S. soon.
In the lingo of the payments industry, the new cards are called EMV cards. EMV is an open set of specifications for smart cards and other acceptance devices such as smart phones and fobs. EMV stands for Europay, MasterCard and Visa, which are the three companies that developed the standard in 1994. Today the EMV standard is managed by EMVCo LLC, which has six member organizations – American Express, Discover, JCB, MasterCard, UnionPay and Visa – and dozens of EMVCo associates. EMVCo makes decisions on a consensus basis to assure card infrastructure uniformity throughout the world.
You might wonder why we are just getting these cards now and why they are more secure. Those are good questions, and there's a long story behind them. Let me try to put everything in context.
Magstripe technology is far too vulnerable
Most credit and debit cards have a magnetic stripe on the back, and even the new EMV cards still have a magstripe, at least for now. The magstripe is encoded with sensitive information used in transactions, including the primary account number (PAN), the card expiration date, and various bits of information that are important to the global payment networks. Unbelievable as it might seem in this era of massive data breaches, this data is not encrypted or protected in any way. Then again, magstripe technology is about 40 years old, meaning it predates today's urgent need for data security.
The problem is, thieves can use illicit card readers (skimmers) or other means to steal data from a magstripe or a POS device. The thief can then print the stolen data on counterfeit plastic cards or use it over the Internet or via the phone to commit fraud. According to Javelin Strategy & Research, point-of-sale fraud in the U.S. was $6 billion in 2014.
EMV protects against card-present fraud
EMV technology, which is "only" two decades old, uses a smart chip embedded in the card to hold sensitive data and more information that can be used to authenticate both the card and the legitimate card owner. The distinguishing feature of EMV is that the consumer payment application is resident in the secure chip on the card. This isn’t possible with a magstripe because it has no processing capabilities.
The smart chip has a secure element that is able to store the account information, as well as secret information (like a PIN), securely and perform cryptographic processing. These capabilities provide the means for more secure card-present payments.
In order to execute a payment, the chip in the card must connect to a chip reader in an acceptance terminal (i.e., a POS device). This connection can be either via direct contact or contactless using near field communication (NFC). With contact, the chip must come into physical contact with the chip reader. This is called "dipping" the card. With contactless, the chip must come within sufficient proximity of the reader for information to flow between the chip and the acceptance terminal.
Extra security measures
When an EMV card is presented at a POS, the cardholder can be required to enter a PIN at the terminal. This PIN can be validated against a PIN value stored on the card. If they match, the transaction continues. This prevents someone from stealing the card and using it unless he also knows the legitimate card owner’s PIN. This is the way that EMV security works in virtually every country except the U.S.
An alternative to entering a PIN is to enter a signature, just as we do today with magstripe credit cards. As you can imagine, a signature is much less effective as a security measure than a secret PIN that is validated against a stored PIN value. However, signature authentication is the dominant implementation that will be used in the U.S. Presumably it is to avoid putting a burden on cardholders to remember a PIN for their credit card.
Regardless of PIN or signature authentication, EMV cards create a one-time-use code for each transaction, and this code gets paired up with the account data on the card. This means the information that is sent to the card processing companies can be used once, and only once, so if it is stolen it cannot be reused.
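The one-time code described above, modelled as an added example that is not part of the original column: the chip computes a keyed code over the account number, a per-card counter and the amount, and the issuer refuses any code whose counter it has already seen. HMAC-SHA-256, the class and function names, the key and the sample account number are assumptions made for illustration; real EMV cards use their own cryptogram algorithms.

```python
import hashlib
import hmac

def _code(key, pan, counter, amount_cents):
    # Keyed code over the account data, the counter and the amount.
    # HMAC-SHA-256 is an assumption for this model, not EMV's algorithm.
    msg = f"{pan}|{counter}|{amount_cents}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]

class ChipCard:
    """Model of the chip: the key never leaves it, the counter only goes up."""
    def __init__(self, pan, key):
        self.pan, self._key, self._counter = pan, key, 0

    def pay(self, amount_cents):
        self._counter += 1
        return {"pan": self.pan, "counter": self._counter,
                "amount": amount_cents,
                "code": _code(self._key, self.pan, self._counter, amount_cents)}

class Issuer:
    """Model of the issuer: shares the card key, remembers the last counter."""
    def __init__(self):
        self._keys, self._last = {}, {}

    def enroll(self, pan, key):
        self._keys[pan], self._last[pan] = key, 0

    def verify(self, tx):
        key = self._keys.get(tx["pan"])
        if key is None:
            return "unknown card"
        expected = _code(key, tx["pan"], tx["counter"], tx["amount"])
        if not hmac.compare_digest(expected, tx["code"]):
            return "bad code"      # data was altered or forged without the key
        if tx["counter"] <= self._last[tx["pan"]]:
            return "replay"        # code already used: stolen data is worthless
        self._last[tx["pan"]] = tx["counter"]
        return "approved"

def demo():
    pan, key = "4000000000000002", b"constructed-sample-key"  # constructed values
    card, issuer = ChipCard(pan, key), Issuer()
    issuer.enroll(pan, key)
    first = card.pay(2500)
    results = [issuer.verify(first)]              # genuine transaction
    results.append(issuer.verify(dict(first)))    # captured data sent again
    results.append(issuer.verify({**first, "amount": 99900}))  # altered amount
    results.append(issuer.verify(card.pay(1200)))  # next genuine transaction
    return results
```

Static magstripe data has no equivalent of the counter or the key, which is why a copy of it is accepted as readily as the original.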
Why EMV isn't a panacea for card fraud
All of these EMV capabilities are designed to reduce fraud specifically when a card is physically presented for a transaction. The thing is, consumers aren't using cards in person as much as they used to. A lot of card use has shifted to online transactions, and EMV doesn't do a thing for reducing card-not-present (CNP) fraud. In fact, it's quite the opposite.
EMV is in use in more than 80 countries around the world, and many of them saw a spike in card-not-present fraud following implementation. For example, in the United Kingdom, CNP fraud rose 79% in the first three years after the national rollout of EMV. Similar spikes happened in other countries, and experts predict this will happen in the U.S., where CNP fraud already totaled $10 billion in 2014. Online merchants need to prepare now for the potential of even higher fraud rates than they already experience.
Banks, merchants, card processors and other companies in the payment processing industry will spend billions of dollars, collectively, to implement card security that is already past its prime and which only addresses a portion of fraud totals. Many experts say this effort is too little, too late, but it's already in motion and it's too late to stop.
Meanwhile, October 2015 is an important date for the U.S. EMV rollout. This is when a liability shift for card fraud in certain circumstances is scheduled to take place. Merchants who aren't prepared to accept those brand new EMV cards we're all getting in the mail could be held liable for the loss if fraud occurs because the merchant can't accept an EMV card and is forced to fall back on the magstripe technology. This will affect large merchants much more than smaller merchants, so expect confusion to reign for months or years as we have to change our behaviors from one merchant to the next—i.e., dip here but swipe there.
The world is watching the U.S. EMV rollout closely. This is the largest economy yet to adopt the technology. Let's hope it's all worthwhile.
For more information, check out www.GoChipCard.com.