U.S. is still tiptoeing toward EMV credit cards

At least we’re finally officially in the transition period, but it could last for years

Isn’t it wonderful? Now that October is behind us, all our credit card security problems have been solved! But wait — why did I get a call from one of my credit card companies informing me that my account had been compromised? How can that be?

In October, the U.S. went through the “Payment Networks’ Liability Shift,” the first significant milestone toward full rollout of Europay MasterCard Visa (EMV) chip technology here. So what has actually changed?

EMV is chip-based technology that is being deployed on credit and debit cards to replace the long-antiquated magnetic stripe system. It’s already been deployed throughout most of the world, but the U.S. has been slow to implement it. One of the long-term goals of EMV is to enhance the security of credit card transactions. For example, it significantly increases the cost (to attackers) of cloning a credit card account. It is supposed to keep a consumer’s account number more private, so that an adversary can’t easily steal one’s account number and make fraudulent transactions.

The Payment Networks’ Liability Shift was a big step, but largely symbolic, at least from the perspective of us consumers. Before the shift, merchants charging an account were not financially liable for account compromises. Instead, it was the credit card issuers’ liability. Now, however, merchants that have not complied with the milestone by deploying EMV-compatible payment terminals will be responsible for fraudulent transactions on their equipment. This, of course, places a potential financial burden on merchants, and the belief is that they’ll comply rather than risk the loss.

But even if they do comply, not everything is unicorns and rainbows, at least not yet. Why not? Well, if you happen to have an EMV card in your wallet, take a look at it. Do you see your account number on it? Of course you do. Do you see a magnetic stripe on the back? Of course you do. Well, then, how on earth can we protect account information if we’re going to stick it right there on the card? Good question. The short answer is that we will — eventually. But we’re in a transitional stage of things now, and so credit cards will remain a hybrid of magstripe and EMV for a while.

The reason for the slow transition on the card end is that merchants are also transitioning slowly. Despite the incentive to make the change, an awful lot of merchants haven’t made the move. In my unscientific observations, I’d estimate that, at best, 50% of the merchants I have patronized have gone EMV. And being very interested in the technology, when I see an EMV terminal at a merchant, I always try it out. More than half of the payment terminals I experimented on actually functioned with an EMV-based card, even if the hardware had the EMV slot in place.

Oh, and not all merchants are required to comply yet. Some, like gas stations, have additional time to comply. Plus, not all consumers even have EMV cards yet.

So was the whole October 2015 thing just a bunch of malarkey? Not entirely. It’s the first of several milestones in which the credit card industry is nudging U.S. merchants and consumers toward a more secure world, but it’s really just the first step. There are other milestones coming along in 2017 and 2018, but as of today, consumers can’t point to many major changes.

In some countries, like Australia, consumer payment cards no longer have magnetic stripes on them, and starting in August 2014, Australian merchants stopped allowing signatures to be used to authenticate transactions. Instead, consumers there must use a PIN entered on a payment terminal to authenticate and authorize a transaction.

So what’s a U.S. consumer to do? Sadly, we don’t have a great deal of leverage. If our accounts are compromised, we rely on our credit card issuers to replace the cards promptly, but we’re still faced with the unfortunate inconvenience of updating our card information everywhere we use and store those accounts. I should point out that when I got the call in October, my card issuer got a replacement to me, at no cost, the very next morning.

So here’s what I suggest:

  • Whenever possible, avoid storing your account data on online sites. It’s not convenient to re-enter your card information every time you purchase something from a merchant you frequent, but keeping your information off of that merchant’s site is actually a good practice. Plus, there are excellent password and account number manager programs that help automate entering your account information when you need to.
  • Use EMV, Apple Pay or other contact-free payment options when they’re available. If a payment terminal supports EMV, try it. If it doesn’t work, let the merchant know of your displeasure. (Yeah, I know that’s not likely to have much effect.)
  • Consider a separate account for high-risk transactions (e.g., online sites where you store your account, or restaurants where the wait staff take your card out of your direct sight for payment).
  • When your credit card issuer gives you the option of getting an EMV card, do it. I saw in an online advertisement that my favorite card had EMV, and I immediately called the issuer’s customer support and asked for one.

Apart from that, we can only dream of a more secure financial transaction future. I’ve had to go through the credit card compromise process now about five or six times, and I for one will be very happy when we’ve solved that problem.

Stories by Kenneth van Wyk