The rollout of chip and PIN credit cards could cost $8.6 billion or more. Some experts say it’s not worth it – that the technology is already obsolete, and that better, less expensive options are on the way. Others say it will be years before those options are mainstream, and the time to reduce fraud is long overdue.
Relief is in sight for the beleaguered US Payment Card Industry (PCI). By October
US EMV worth the cost and effort
2015, chances are that America will no longer have the dubious distinction of leading the world in credit card fraud – writes CSOOnline.
A year from next month, the 1960s-vintage “swipe-and-signature” magnetic stripe card system is expected to yield to EMV (named for its original developers, Europay, MasterCard and Visa), also known as “chip and PIN” – a smart-card system that has been in broad use in Europe and other parts of the world for nearly two decades.
The much-anticipated, and debated, shift will not be because of a mandate. But next October marks the so-called “liability shift” – a clear incentive for merchants and banks to make the transition if they haven’t already.
As MasterCard’s Carolyn Balfany explained it to the Wall Street Journal earlier this year, “what will change is that if there is an incidence of card fraud, whichever party has the lesser technology will bear the liability.”
So, if a customer has a chip card but a merchant has the old, swipe-and-signature technology, the transaction will still work, but if it is fraudulent, the merchant will bear the cost. Or, if the merchant has a new terminal but the bank has not issued an EMV card to the customer, the bank eats the cost of any fraud.
According to advocates of the change, it should dramatically improve credit card security in the US, now home to about half the world’s credit card fraud, even though only about a quarter of all transactions take place here.
According to EMV Connection, the UK Card Association reports that, “losses at UK retailers have fallen by 67% since 2004; lost and stolen card fraud fell by 58% between 2004 and 2009; and mail non-receipt fraud has fallen by 91% since 2004.” It said Canada saw similar improvements after rolling out EMV in 2008.
But critics say that doesn’t tell the whole story. Security blogger Brian Krebs noted last May that EMV terminals would not have prevented the catastrophic breach at Target late last fall. “Without end-to-end encryption of card data, the card numbers and expiration dates can still be stolen and used in online transactions,” he wrote.
Also, a UK research firm at the University of Cambridge released a paper earlier this year titled, “Chip and Skim: cloning EMV cards with the pre-play attack,” in which they said they had discovered serious vulnerabilities that would allow criminals to clone EMV cards even if they did not have physical possession of the cards.
They agreed that EMV had made, “using counterfeit and stolen cards … more difficult,” but noted that “criminals adapted,” by turning their attention to attacking “card-not-present” (CNP) transactions, which are beyond the scope of EMV.
The bottom line: “EMV did not cut fraud as its proponents predicted,” the team wrote.
EMV Connection acknowledges that attackers have migrated to CNP transactions – although it points to the MasterCard Chip Authentication Program (CAP) and the Visa Dynamic Passcode Authentication (DPA) as improvements to security for EMV cards in online transactions.
But the recent announcement by Apple of its Apple Pay system, which will come with the iPhone 6, would bypass the need for the card entirely, by having the user load the card information into the phone (where it is then encrypted) and then authenticating a purchase with a fingerprint and by placing the phone next to the near-field-communication (NFC) receiver at participating merchants. Reportedly, Visa, MasterCard and American Express have already agreed to participate with it.
While Apple Pay has not yet been tested in the real world, that and other advances like My PinPad in the UK have had people like David Froud, blogger and founder of Core Concept Security, declaring that it makes sense for the US to save itself the billions it will cost to move to EMV and simply move directly to more secure mobile payment options. Estimates of the cost to make the shift, for credit cards, point-of-sale (POS) devices and ATMs ranges from $6 billion to more than $8.6 billion.
“Why would the banks make this expense when the main driving factor behind EMV is being negated on a daily basis by innovations in payment technology?” Froud wondered in a July post, noting that EMV is not exactly cutting edge, since it was introduced in France 21 years ago.
But a number of other security experts, while they agree that EMV is not perfect, say it is demonstrably better than the mag stripe, and well worth the expense.
“For some weird reason, a lot of people in security equate ‘not a panacea’ – and these don’t exist in infosec – with ‘has no value,’” said Anton Chuvakin, research director, security and risk management at Gartner for Technical Professionals. “What if AV catches just 30% of viruses? Would you rather deal with a third more of them? It’s the same with EMV – there is reliable data from the EU that EMV has reduced card-present fraud.”
That is the argument Jacob Ansari, director of technical services at Sikich, makes as well, that while EMV is effective only with “card-present” transactions, which is the major kind of fraud now happening in the US.
“Attackers looking to perpetrate card-present fraud in the US can do it ridiculously easily,” he said, adding that the results in countries that have adopted EMV indicate that its adoption in the US, “would lead to a marked decrease in card-present fraud.”
Julie Conroy, analyst at Aite Group, said, “there is no technology that will wipe out all fraud,” and that while EMV would not have prevented the Target breach, “it would have significantly impeded the criminals’ ability to monetize the breach, by making it very difficult to use the stolen data at the point of sale.”
The post US chip and PIN migration worth the effort and cost appeared first on Payments Cards & Mobile.
