Threat of the Week: Is EMV 20 Years Too Late?
In the aftermath of the Target, Neiman Marcus and other retailer breaches, new enthusiasm has suddenly emerged for EMV, the chip and PIN credit card security toolset, as a safer way to process plastic.
There’s just one problem.
Maybe it’s not the solution.
That contrarian thinking has been voiced lately by a growing number of security experts.
Roll back the clock and, pre-Target, enthusiasm for EMV had waned. In part, the push for EMV eased because chip and PIN is very old technology (its origins date back to 1990). Also, merchants in the U.S. were loudly grumbling about the billions of dollars required to upgrade point-of-sale terminals to accept EMV.
The Target breach seemed to erase the hesitancy, however, as merchants raced for a way to restore dwindling consumer confidence in plastic credit cards. Target itself has announced its support for EMV at an estimated cost of $100 million to upgrade its in-store technology.
Vivid proof of the resurgent popularity of EMV came in a survey conducted by Naples, Fla.-based payments company ACI Worldwide at the March BAI conference.
“More than 40% of respondents indicated they are more aggressively looking at their EMV plans. Another 30% are still exploring options required to meet the 2015 liability shift, and just under 10% indicated they are already EMV compliant,” ACI said.
“These frauds have many financial institutions believing they have to do something,” said Paul McMeekin, global consumer payments product marketing manager at ACI Worldwide. “It seems banks are pushing ahead with EMV,” he said.
Issuing a chip and PIN card costs in the vicinity of $5, tenfold the cost of a mag stripe card. So far, cost has deterred most banks and credit unions from offering the technology, but McMeekin said that will change this year as more financial institutions jump on the EMV bandwagon.
There is little debate that mag stripe cards have entered their senility. The technology dates back to around 1970. Its vintage means criminals have spent decades devising ways to steal mag stripe data — skimming is the favorite way — and they have become very skilled at it.
EMV is the current global standard for putting an integrated circuit (the chip) on a plastic card.
Better, smarter transaction validation is said to occur when the chip is present. There’s no easy way to skim chip and PIN card data, and when a PIN is required, the level of security at point of sale is significantly higher than with mag stripe cards.
That’s the good news.
There also is bad news.
“A lot of people seem confused about what EMV can do,” McMeekin said.
That belief is widely accepted among security experts. Chip and PIN cards are virtually impossible to copy. But, Target’s breach occurred in the company’s data center. The nature of the physical cards did not matter at that point.
Lack of adequate security and an obvious lack of effective encryption are what went wrong at Target.
So, running to EMV because of Target is fundamentally illogical.
Worse yet is the fact that although chip and PIN cards are more secure than mag stripe cards, most experts believe that the vast majority of cards in the U.S. will continue to have a mag stripe for many, many years. The reason is to accommodate retailers who resist the MasterCard and Visa demand to implement chip and PIN by 2015.
The earliest estimate for something approaching ubiquity of chip and PIN terminals at retail is 2017, but most experts do not expect that to come until after 2020, meaning mag stripes and their flaws will remain in our lives.
And that’s not the end of the bad news.
Yes, EMV cuts card-present fraud, but Karen Webster, CEO of payments experts Market Platform Dynamics in Massachusetts, said a sharp jump in card-not-present fraud will make up for the security gains. She said that happened in the United Kingdom and Europe after widespread EMV adoption.
Webster insisted that the estimated cost of $10 billion to embrace EMV in the U.S. will only buy a short-term fix.
“EMV does not move us into the digital world and that is where we need to be,” she said.
Her viewpoint is shared by many.
“EMV is an antiquated way of looking at things. I would not be focused on plastic anymore,” said Adam Dolby, vice president of business development at Encap Security in Palo Alto, Calif.
“EMV is a 1990s solution to a 2014 problem,” sighed Mark LaRow, an executive vice president at Tysons Corner, Va.-based MicroStrategy, a mobile software developer. “Nobody still wants a pocketful of cards. What they want are apps on their phone. EMV does not get us there and at what cost? Implementing EMV will be a giant tax on the retail and financial services infrastructure,” he added.
Few experts believe EMV will die out. Most believe that by late 2015, when MasterCard and Visa liability shifts will put economic penalties on retailers who aren’t EMV compliant, most national retailers will have embraced EMV.
That is a good thing. It will indeed cut card-present fraud.
But the EMV threat lives in what it will not fix: Card-not-present fraud and big data breaches such as Target’s.
Those issues remain massive and that is why confusion about EMV just may rank among the most significant threats in financial services.