Yesterday was the deadline. Finally, the United States is switching from the old-fashioned swiping method for credit card transactions to the more secure chip-based system scheme dubbed EMV (for Europay, MasterCard, and Visa, which together originated the technology).
The chip is harder to counterfeit, and unlike magnetic stripes, it can't be easily read and duplicated, which is what credit-card counterfeiters have long done. In other countries, the chip is coupled with a PIN, so if someone steals the card, they can't use it unless they also know your PIN -- a form of second-factor authentication U.S. debit cards have long used, but not U.S. credit cards. However, U.S. banks are not requiring the use of PINs with chip cards; the old-fashioned, security-irrelevant signature will still be used here.
The EMV secure payment technology has been ubiquitous in Europe and Canada for years, but it failed to gain traction in the United States because banks and merchants were reluctant to make the necessary changes. They not only had to change their card readers but also their back-end systems to accommodate chip-based cards, and they decided the fraud cost was less than the switching costs.
However, the massive breach at Target in 2013 and resulting fears that criminals would flood the market with counterfeit cards drove some of the momentum to switch to the EMV payment technology. Congress even threatened to act, and President Barack Obama mandated last fall that federal agencies use EMV terminals, to spur industry change.
But the switchover is not law or regulation. It's a decision that the credit card processors imposed on their member banks and the merchants who accept their cards. No actual penalty looms for merchants that didn't finish deploying the new readers by the Oct. 1 deadline, nor for those with no plans to do so.
Chip-enabled credit and debit cards still have the magnetic stripe, so merchants can continue to process payments the old-fashioned way. What's changed is that businesses will be held fully liable for any fraud that occurs as a result of not being EMV-compliant. It's a ticking time bomb for merchants that don't switch. (Apple Pay and Android Pay transactions are even more secure than chip transactions, so merchants aren't liable for fraud when using these payment systems.)
"This is a liability mandate," said Prakash Santhana, a director at Deloitte's Payments Integrity practice for Cyber Risk Services. If the criminal uses a counterfeit card, the merchant will "eat the costs" arising from the fraud if it had not adopted EMV.
The new payment technology represents a significant security improvement, but caveats remain. The mandate applies to credit cards but not yet debit cards, and concessions -- namely, the lack of a required PIN -- were given to the U.S. consumer that make EMV payments less secure than in Canada or Europe. The upside is that EMV hardware installed by merchants lay a foundation for even more advanced payment methods in the future.
Most U.S. EMV card readers come with NFC radios for electronic payment systems like Apple Pay and Android Pay, but that radio technology is not part of the EMV specification. However, Apple timed Apple Pay's debut well to take advantage of the reader switchover, and card reader makers put the necessary radio technology in the new terminals they had to make to support the EMV chips. That also gave a boost to the little used Google Wallet, which predated Apple Pay by several years and whose revamped service is now called Android Pay.
Merchants: Switch or suffer the risk
There are three players in the payment card equation:
- The card networks and processors that handle payments
- The banks that issue cards to consumers
- The retailers and merchants who accept cards from consumers
The switchover to EMV required changes across the board: The processors updated their systems to process transactions from EMV cards, the banks issued new chip-enabled cards to all their customers, and the retailers had to upgrade the card readers and point-of-sale systems to accept the chip cards.
The liability is now spread between banks and merchants. If the criminal uses a cloned card at a merchant that has not switched to EMV, then the merchant is completely liable for all costs associated with the fraud. But if the card did not have a chip in the first place, then the bank that issued the card is liable.
"It's a carrot/stick approach" to get all players EMV-compliant, said Deborah Baxley, a principal for the Cards & Payments practice at Capgemini Financial Services. There are plenty of "carrots" to upgrade sooner rather than later -- such as reducing liability and penalties for retailers with a lot of terminals if they have updated the majority of their equipment.
The two exceptions to the EMV rule are gas station pumps and ATMs, which have two more years to upgrade their readers because the technology is much more complex than that of point-of-sale terminals. Private label cards, such as the cards issued by retailers, are not included in this switchover. Debit cards have also been delayed for EMV, as the issuers and card networks had to come up with a different approach. The Dodd Frank Act requires debit cards to be able to work on two independent networks, which is counter to EMV, Baxley said.
Addressing only one type of fraud
When the card networks got together in the mid-1990s, they were concerned with various kinds of payment fraud. The EMV standard emerged in order to address a specific type: "card not present" fraud. This refers to criminals stealing account and customer information stored on the cards' magnetic stripes to create counterfeit or cloned cards. The three-digit code on credit cards was originally introduced to verify the person actually had the card at the time of the transaction.
Card-not-present fraud accounts for between 10 and 15 percent of overall fraud, estimated Gary McGraw, CTO of Cigital.
It's fairly inexpensive to create counterfeit cards with stolen data in the magnetic stripe; it's much more expensive to try to do that with chips. Because the switchover is not complete, however, there's still room for counterfeit fraud. If card data is stolen, that data can still be used to create cloned cards to withdraw money from ATMs, Baxley said.
There are two ways to implement the EMV standard: chip-and-PIN and chip-and-signature. Chip-and-PIN, used by most countries who've adopted EMV, requires users to dip the card through the reader and enter a secret code to verify the transaction. With chip-and-signature, there is no change in user behavior except for the fact consumer dips the card instead of swiping, before signing for the transaction. The United States is the last of the G20 countries to adopt the EMV standard, and while most of the countries picked chip-and-PIN, the United States and a handful of other countries opted for chip-and-signature.
"For whatever reason, [they've] decided the American public is too stupid to do chip-and-PIN," said McGraw. The switchover is a "baby step" toward making payments a little more secure, but "chip-and-PIN is way, way, way, better for payment security."
By going with chip-and-signature, the United States is addressing only the cloning problem. Consider physical theft. Under chip-and-PIN, a thief with a stolen -- and real -- card would not be able to use it without also knowing the secret code. With chip-and-signature, the thief in the possession of the stolen card could conceivably use a fake signature.
Additional controls needed
EMV will "take counterfeit fraud off the table," said Stephen Orfei, general manager of Payment Card Industry (PCI) Security Standards Council (SSC). However, the PCI Council has emphasized repeatedly that EMV is not a silver bullet, and retailers and merchants need additional security controls, such as point-to-point encryption and tokenization, to secure cardholder data. Point-to-point encryption will ensure the information read off the credit card is immediately encrypted and transferred via a secure tunnel to the point-of-sale system. This would make it harder for memory-scraping malware on infected PoS terminals from harvesting card data.
EMV will also not address online fraud, skimming, or other types of identity theft, and experts predict criminals will switch more of their efforts online. Stolen card numbers could still be used to buy things online, and there will be more examples of ACH fraud, check fraud, and account takeovers, Santhana said.
If fraud is a large pie, the slice representing the face-to-face counterfeit card problem will shrink, but the online fraud slice will get bigger. The fraud pie isn't going to get any smaller because of EMV.
"Once you seal off one vector, attackers switch to a different one," Santhana said.
An expensive decision to not switch
Replacing hardware and software throughout the country to be EMV-ready was a massive undertaking, and it was not cheap. McGraw estimated billions of dollars in costs. Retailers who've already been burned by data breaches and fraud-prone organizations were already on track to switch. Walmart switched over more than a year ago, for example.
In the years before Target, telling all the merchants they have to go out and buy new systems was a hard argument to make, McGraw said. In that sense, the retail breaches had a silver lining, as it motivated banks and merchants to make that shift.
The smallest businesses may not be as motivated to switch because the transaction amounts they would have to absorb are much smaller. In the case of businesses like dry cleaners, the customer has to come back, making a fraudulent transaction less likely, Santhana noted. It's the midsized and large retailers who will not be able to absorb the costs of fraud or weather the reputational damage caused by a major fraud incident, Baxley said.
"It's like buying insurance. Some won't buy, and the smart ones do," McGraw said.
For the retailer, this was strictly a hardware change as they needed to invest in new card readers and point-of-sale systems, but there were associated costs, such as training employees on how to use the new systems. Part of the delay in the EMV rollout was also a resource issue: Merchants had to wait until their banks and their payment gateway/processors had been certified to use EMV, before they could deploy the hardware and test to ensure the new systems were working.
For merchants still on the fence, there's another "carrot" to make the work worthwhile: future-proofing to accept more modern payment methods, such as contactless payments.
For merchants who've wanted to take advantage of Google Wallet or Apple Pay, upgrading to EMV would address that change at the same time.
The switchover may have been a little rough, but it positions retailers to take advantage of the new changes looming. As people get used to chip-enabled cards, contactless payments, and even biometrics to pay for things, future upgrades and enhancements will be less disruptive, thanks to EMV. "Maybe by 2018, we can get smart enough to use the PIN," adds McGraw.