EMV sets the stage for a better payment future

Most merchants now have EMV credit card readers in place, yielding marginally improved security today -- and a platform for better payment systems arriving soon

Yesterday was the deadline. Finally, the United States is switching from the old-fashioned swiping method for credit card transactions to the more secure chip-based scheme dubbed EMV (for Europay, MasterCard, and Visa, the three companies that originated the technology).

The chip is harder to counterfeit, and unlike magnetic stripes, it can't be easily read and duplicated, which is what credit-card counterfeiters have long done. In other countries, the chip is coupled with a PIN, so if someone steals the card, they can't use it unless they also know your PIN -- a form of second-factor authentication U.S. debit cards have long used, but not U.S. credit cards. However, U.S. banks are not requiring the use of PINs with chip cards; the old-fashioned, security-irrelevant signature will still be used here.
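The reason a copied stripe works but a copied chip transaction does not is that stripe data is static, whereas the chip signs each transaction with a key that never leaves it. The simulation below is an added illustration, not code from the article or from any card network: it uses HMAC-SHA256 as a stand-in for the EMV application cryptogram (the real scheme is a DES/3DES-based MAC over a defined set of data elements), and the PAN, card key and unpredictable numbers are constructed sample values.

```python
"""Added illustration: why skimmed magstripe data replays but a chip
cryptogram does not.  Simplified model; HMAC-SHA256 stands in for the
EMV application cryptogram (assumption, not the real algorithm)."""
import hashlib
import hmac

# Constructed sample data: a well-known test PAN and an assumed card key.
# In a real deployment the key lives only in the chip and the issuer's HSM.
PAN = "4111111111111111"
CARD_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


# --- Magnetic stripe: static data -------------------------------------------
def magstripe_track(pan: str, expiry: str, service_code: str) -> str:
    """Track-2 style data: every field is static, so a copy is as good as the card."""
    return f"{pan}={expiry}{service_code}"


def issuer_accepts_magstripe(track: str, known_pan: str) -> bool:
    """The issuer can only check that the static fields look right."""
    pan, _ = track.split("=")
    return pan == known_pan


# --- Chip: dynamic cryptogram over transaction data -------------------------
def chip_cryptogram(card_key: bytes, atc: int, amount_cents: int,
                    unpredictable_number: bytes) -> bytes:
    """The card MACs the terminal-supplied data plus its own transaction
    counter (ATC).  A different transaction yields a different cryptogram."""
    msg = (atc.to_bytes(2, "big") + amount_cents.to_bytes(6, "big")
           + unpredictable_number)
    return hmac.new(card_key, msg, hashlib.sha256).digest()[:8]


def issuer_verifies_chip(card_key: bytes, atc: int, amount_cents: int,
                         unpredictable_number: bytes, cryptogram: bytes,
                         last_atc: int) -> bool:
    """Issuer-side check: the counter must advance, and the MAC must match."""
    if atc <= last_atc:            # counter already seen: replay or rollback
        return False
    expected = chip_cryptogram(card_key, atc, amount_cents, unpredictable_number)
    return hmac.compare_digest(expected, cryptogram)


def replay_scenarios() -> dict:
    """Runs the four cases a practitioner wants to compare."""
    results = {}
    # 1. Stripe data skimmed once and written to a blank card: accepted.
    skimmed = magstripe_track(PAN, "2512", "101")
    results["magstripe_clone_accepted"] = issuer_accepts_magstripe(skimmed, PAN)

    # 2. A genuine chip transaction (constructed unpredictable number).
    un1 = bytes.fromhex("a1b2c3d4")
    crypt1 = chip_cryptogram(CARD_KEY, 7, 2599, un1)
    results["genuine_chip_accepted"] = issuer_verifies_chip(
        CARD_KEY, 7, 2599, un1, crypt1, last_atc=6)

    # 3. The captured cryptogram replayed at a terminal that picks its own
    #    unpredictable number: MAC no longer matches.
    un2 = bytes.fromhex("5e6f7081")
    results["replayed_cryptogram_rejected"] = not issuer_verifies_chip(
        CARD_KEY, 7, 2599, un2, crypt1, last_atc=6)

    # 4. Even a byte-for-byte replay fails once the issuer has seen ATC 7.
    results["same_un_replay_rejected"] = not issuer_verifies_chip(
        CARD_KEY, 7, 2599, un1, crypt1, last_atc=7)
    return results


if __name__ == "__main__":
    for name, ok in replay_scenarios().items():
        print(f"{name}: {ok}")
```

Two independent checks do the work: the terminal's unpredictable number makes a captured cryptogram useless elsewhere, and the issuer's monotonic transaction counter rejects a byte-for-byte replay even at the same terminal.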

The EMV secure payment technology has been ubiquitous in Europe and Canada for years, but it failed to gain traction in the United States because banks and merchants were reluctant to make the necessary changes. They not only had to change their card readers but also their back-end systems to accommodate chip-based cards, and they decided the fraud cost was less than the switching costs.

However, the massive breach at Target in 2013 and resulting fears that criminals would flood the market with counterfeit cards drove some of the momentum to switch to the EMV payment technology. Congress even threatened to act, and President Barack Obama mandated last fall that federal agencies use EMV terminals, to spur industry change.

But the switchover is not law or regulation. It's a decision that the credit card processors imposed on their member banks and the merchants who accept their cards. No actual penalty looms for merchants that didn't finish deploying the new readers by the Oct. 1 deadline, nor for those with no plans to do so.

Chip-enabled credit and debit cards still have the magnetic stripe, so merchants can continue to process payments the old-fashioned way. What's changed is that businesses will be held fully liable for any fraud that occurs as a result of not being EMV-compliant. It's a ticking time bomb for merchants that don't switch. (Apple Pay and Android Pay transactions are even more secure than chip transactions, so merchants aren't liable for fraud when using these payment systems.)

"This is a liability mandate," said Prakash Santhana, a director at Deloitte's Payments Integrity practice for Cyber Risk Services. If the criminal uses a counterfeit card, the merchant will "eat the costs" arising from the fraud if it had not adopted EMV.

The new payment technology represents a significant security improvement, but caveats remain. The mandate applies to credit cards but not yet debit cards, and concessions -- namely, the lack of a required PIN -- were given to the U.S. consumer that make EMV payments less secure than in Canada or Europe. The upside is that the EMV hardware installed by merchants lays a foundation for even more advanced payment methods in the future.

Most U.S. EMV card readers come with NFC radios for electronic payment systems like Apple Pay and Android Pay, but that radio technology is not part of the EMV specification. However, Apple timed Apple Pay's debut well to take advantage of the reader switchover, and card reader makers put the necessary radio technology in the new terminals they had to make to support the EMV chips. That also gave a boost to the little-used Google Wallet, which predated Apple Pay by several years and whose revamped service is now called Android Pay.

Merchants: Switch or suffer the risk

There are three players in the payment card equation:

  1. The card networks and processors that handle payments
  2. The banks that issue cards to consumers
  3. The retailers and merchants who accept cards from consumers

The switchover to EMV required changes across the board: The processors updated their systems to process transactions from EMV cards, the banks issued new chip-enabled cards to all their customers, and the retailers had to upgrade the card readers and point-of-sale systems to accept the chip cards.  

The liability is now spread between banks and merchants. If the criminal uses a cloned card at a merchant that has not switched to EMV, then the merchant is completely liable for all costs associated with the fraud. But if the card did not have a chip in the first place, then the bank that issued the card is liable.

"It's a carrot/stick approach" to get all players EMV-compliant, said Deborah Baxley, a principal for the Cards & Payments practice at Capgemini Financial Services. There are plenty of "carrots" to upgrade sooner rather than later -- such as reducing liability and penalties for retailers with a lot of terminals if they have updated the majority of their equipment.

The two exceptions to the EMV rule are gas station pumps and ATMs, which have two more years to upgrade their readers because the technology is much more complex than that of point-of-sale terminals. Private-label cards, such as those issued by retailers, are not included in this switchover. Debit cards have also been delayed for EMV, as the issuers and card networks had to come up with a different approach. The Dodd-Frank Act requires debit cards to be able to work on two independent networks, which is counter to EMV, Baxley said.

Addressing only one type of fraud

When the card networks got together in the mid-1990s, they were concerned with various kinds of payment fraud. The EMV standard emerged in order to address a specific type: "card-not-present" fraud. This refers to criminals stealing account and customer information stored on the cards' magnetic stripes to create counterfeit or cloned cards. The three-digit code on credit cards was originally introduced to verify the person actually had the card at the time of the transaction.

Card-not-present fraud accounts for between 10 and 15 percent of overall fraud, estimated Gary McGraw, CTO of Cigital.

It's fairly inexpensive to create counterfeit cards with stolen data in the magnetic stripe; it's much more expensive to try to do that with chips. Because the switchover is not complete, however, there's still room for counterfeit fraud. If card data is stolen, that data can still be used to create cloned cards to withdraw money from ATMs, Baxley said.

There are two ways to implement the EMV standard: chip-and-PIN and chip-and-signature. Chip-and-PIN, used by most countries that have adopted EMV, requires users to dip the card into the reader and enter a secret code to verify the transaction. With chip-and-signature, there is no change in user behavior except that the consumer dips the card instead of swiping it, then signs for the transaction as before. The United States is the last of the G20 countries to adopt the EMV standard, and while most of the countries picked chip-and-PIN, the United States and a handful of other countries opted for chip-and-signature.

"For whatever reason, [they've] decided the American public is too stupid to do chip-and-PIN," said McGraw. The switchover is a "baby step" toward making payments a little more secure, but "chip-and-PIN is way, way, way, better for payment security."

By going with chip-and-signature, the United States is addressing only the cloning problem. Consider physical theft. Under chip-and-PIN, a thief with a stolen -- and real -- card would not be able to use it without also knowing the secret code. With chip-and-signature, a thief in possession of the stolen card could conceivably use a fake signature.

Additional controls needed

EMV will "take counterfeit fraud off the table," said Stephen Orfei, general manager of the Payment Card Industry (PCI) Security Standards Council (SSC). However, the PCI Council has emphasized repeatedly that EMV is not a silver bullet, and retailers and merchants need additional security controls, such as point-to-point encryption and tokenization, to secure cardholder data. Point-to-point encryption ensures that the information read off the credit card is immediately encrypted and transferred via a secure tunnel to the point-of-sale system. This makes it harder for memory-scraping malware on infected PoS terminals to harvest card data.
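The practical effect of those two controls is what a PAN discovery scan of point-of-sale memory turns up. The example below is added here and is not the PCI Council's or any vendor's code: it models the legacy flow, where the POS application handles cleartext track data, beside a P2PE-plus-tokenization flow, where the POS only ever sees ciphertext from the reader and a token from the processor. The XOR-with-HMAC keystream is a toy stand-in for the AES/DUKPT encryption a real P2PE reader performs, the reader key is an assumed value, the PAN is the standard Visa test number, and the memory buffers are constructed strings.

```python
"""Added example: what a PCI-style PAN discovery scan finds in POS memory
with and without point-to-point encryption and tokenization.  The cipher
here is a toy stand-in (assumption), included only to show data flow."""
import base64
import hashlib
import hmac
import re
import secrets

TEST_PAN = "4111111111111111"          # standard test number, not a real account
# Assumed key shared by the tamper-resistant reader and the processor's HSM.
READER_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
PAN_RE = re.compile(rb"(?<!\d)\d{13,19}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn check digit test used to separate PANs from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(buffer: bytes) -> list:
    """Discovery scan: card-length digit runs that pass Luhn."""
    return [m.group().decode() for m in PAN_RE.finditer(buffer)
            if luhn_valid(m.group().decode())]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream from HMAC; stands in for AES in a real reader."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def reader_encrypt(pan: str, nonce: bytes = None) -> bytes:
    """Runs inside the reader: the PAN is encrypted before the POS sees it.
    Returns nonce || ciphertext."""
    nonce = nonce or secrets.token_bytes(8)
    ks = _keystream(READER_KEY, nonce, len(pan))
    return nonce + bytes(a ^ b for a, b in zip(pan.encode(), ks))


def processor_decrypt(blob: bytes) -> str:
    """Runs at the processor, the only other holder of READER_KEY."""
    nonce, ct = blob[:8], blob[8:]
    ks = _keystream(READER_KEY, nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks)).decode()


class TokenVault:
    """Processor-side vault.  Tokens carry no card data and are not numeric,
    so one found in POS memory or a receipts database is worthless."""
    def __init__(self):
        self._by_token, self._by_pan = {}, {}

    def tokenize(self, pan: str) -> str:
        if pan not in self._by_pan:
            token = f"tok_{secrets.token_hex(6)}_{pan[-4:]}"   # last four kept for receipts
            self._by_pan[pan], self._by_token[token] = token, pan
        return self._by_pan[pan]

    def detokenize(self, token: str) -> str:
        return self._by_token[token]


def legacy_pos_memory(pan: str) -> bytes:
    """Old flow: the POS application parses cleartext track data (constructed)."""
    return b"TRACK2=" + pan.encode() + b"=2512101;AMOUNT=2599"


def p2pe_pos_memory(pan: str, vault: TokenVault) -> bytes:
    """P2PE + tokenization: the POS holds only ciphertext and the token."""
    blob = reader_encrypt(pan)                          # inside the reader
    token = vault.tokenize(processor_decrypt(blob))     # at the processor
    return (b"ENC=" + base64.b64encode(blob) + b";TOKEN=" + token.encode()
            + b";AMOUNT=2599")


def compare_flows(pan: str = TEST_PAN) -> dict:
    """Scan both simulated memory images and report what each exposes."""
    vault = TokenVault()
    return {"legacy_scan": find_pans(legacy_pos_memory(pan)),
            "p2pe_scan": find_pans(p2pe_pos_memory(pan, vault))}


if __name__ == "__main__":
    print(compare_flows())
```

The same `find_pans` scan is what a PCI assessor runs against memory dumps and disk images to prove cardholder data is out of scope; with P2PE and tokenization in place the scan of the POS image comes back empty, because the only system that ever holds the cleartext PAN is the processor's decryption environment.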

EMV will also not address online fraud, skimming, or other types of identity theft, and experts predict criminals will switch more of their efforts online. Stolen card numbers could still be used to buy things online, and there will be more examples of ACH fraud, check fraud, and account takeovers, Santhana said.

If fraud is a large pie, the slice representing the face-to-face counterfeit card problem will shrink, but the online fraud slice will get bigger. The fraud pie isn't going to get any smaller because of EMV.

"Once you seal off one vector, attackers switch to a different one," Santhana said.

An expensive decision to not switch

Replacing hardware and software throughout the country to be EMV-ready was a massive undertaking, and it was not cheap. McGraw estimated billions of dollars in costs. Retailers that had already been burned by data breaches, along with other fraud-prone organizations, were already on track to switch. Walmart switched over more than a year ago, for example.

In the years before Target, telling all the merchants they had to go out and buy new systems was a hard argument to make, McGraw said. In that sense, the retail breaches had a silver lining, as they motivated banks and merchants to make that shift.

The smallest businesses may not be as motivated to switch because the transaction amounts they would have to absorb are much smaller. In the case of businesses like dry cleaners, the customer has to come back, making a fraudulent transaction less likely, Santhana noted. It's the midsized and large retailers who will not be able to absorb the costs of fraud or weather the reputational damage caused by a major fraud incident, Baxley said.

"It's like buying insurance. Some won't buy, and the smart ones do," McGraw said.

For retailers, the change itself was strictly one of hardware: they needed to invest in new card readers and point-of-sale systems. But there were associated costs, such as training employees on how to use the new systems. Part of the delay in the EMV rollout was also a resource issue: Merchants had to wait until their banks and their payment gateways/processors had been certified to use EMV before they could deploy the hardware and test to ensure the new systems were working.

For merchants still on the fence, there's another "carrot" to make the work worthwhile: future-proofing to accept more modern payment methods, such as contactless payments.

For merchants who've wanted to take advantage of Google Wallet or Apple Pay, upgrading to EMV would address that change at the same time.

The switchover may have been a little rough, but it positions retailers to take advantage of the new changes looming. As people get used to chip-enabled cards, contactless payments, and even biometrics to pay for things, future upgrades and enhancements will be less disruptive, thanks to EMV. "Maybe by 2018, we can get smart enough to use the PIN," adds McGraw.

Stories by Fahmida Y. Rashid