Oct. 1^st was the big day. On that day, U.S.merchants were required to be equipped to process payments madewith EMV cards, a.k.a. chip cards, or face liability for fraudulenttransactions that they accept. The big question is: Do EMV cardsreally solve anything?

Among the issues presented by EMV cards is thechip-and-signature versus chip-and-PIN debate. Some argued thatchip-and-PIN, dominant outside the U.S., is more secure because itrequires a PIN that presumably only the cardholder knows. However,recent reports showed that clever fraudsters figured out years agohow to bypass PIN security by secretly embedding a second chip oftheir own in stolen cards.

On the other hand, earlier that month, the FBI issued anendorsement of chip-and-PIN technology as the more secure option.According to the FBI statement, chip-and-signature, favored in theU.S. primarily because it's less disruptive for consumers, doesnothing to prevent the type of fraud made famous by the Targetbreach.

Credit card payment technologies found ways to sidestep thephysical plastic card entirely. For example, Apple Pay let usersregister their cards for use on their iPhone 6 and later Appledevices. Once registered, users are authenticated at the point ofsale using their fingerprints.

There's just one problem. No special trickery is required toregister a stolen card on any iPhone a fraudster happens to beusing, assuming that card has not already been registered withApple Pay by the legitimate user.

It's important to note that all of these technologies addressedonly card-present/point-of-sale types of transactions. What aboutonline transactions, where about one third of all fraudulentactivity takes place?

Employees at the $7.9 billion First Tech Federal Credit Union inMountain View, Calif., are currently engaged in a pilot programwith MasterCard to test an authentication technology for onlinetransactions that uses facial recognition. Or to put it anotherway, they're trying out a technology that uses selfies.

Yes, you read it correctly. Selfies.

The cornerstone of this selfie authenticationis MasterCard's Identity Check mobile app. Once the app isinstalled on the user's smartphone, the user registers by snappinga selfie. Future online transactions then flow like this:

1. The user goes shopping on a participating e-commerce site.
2. At checkout, a notification is sent to the user's smartphonevia the Identify Check app notifying them that a transaction ispending.
3. The user snaps a new selfie via the app which is then matchedto the selfie submitted at registration.
4. Assuming the two selfies match, the transaction isauthorized.

What if some fraudster already had a photograph of the user andjust snapped a picture of the picture? MasterCard already thoughtof that. The app requires the user to blink while snapping theauthentication selfie. This eye movement lets the app know that alive person is being photographed.

If there's one thing history has proven, it's that for everysecurity measure we implement, there's some clever and unscrupulousfraudster out there who is ready, willing and able to figure a wayaround it. Only time will tell if the experts ever finally developthe completely bullet-proof security scheme.