6 Reasons to Call an EMV ‘Time Out’

CEO, Market Platform Dynamics
8:53 PM EDT March 23rd, 2014

The Innovation Project 2014 is a wrap. And to paraphrase the words of one of our delegates, the series of rich and relevant “conversations” among the industry’s elite that started last week in Boston will fuel the actions and activities of those dedicated to driving innovation in the payments and commerce space in the years to come.

Ten such facilitated conversations took place over two days, covering topics as diverse as the differences in how payments innovators and incumbents are igniting new payment methods, how to get consumers to shift from plastic to mobile, lessons learned in igniting payments in developing markets that can be applied in developed markets, the feasibility of Bitcoin as a currency, and whether cash could be on life support, for real, some time soon.

One of the most spirited discussions was on the topic of cyber crime and what the payments industry needs to do about it. Former White House Cyber Czar and cyber security expert Richard Clarke and First Data’s GM of Cyber Crime, Paul Kleinschnitz, initiated this conversation. Panelists included a group of security and fraud experts whose diverse backgrounds and points of view inspired a very candid conversation including The Clearing House’s Dave Fortney, Experian’s Michael Bruemmer, Cortex MCP’s Shaunt Sarkissian, Loop’s George Wallner and Fiserv’s Tom Tobin.

Richard Clarke set the stage by telling us that cyber crime really does pay and is a business that recruits highly qualified Ph.D’s in math from Eastern European universities who go to work every day relentlessly focused on stealing money and data from our financial systems. He told our group that there are only two kinds of companies – those who’ve been hacked, and those who have and don’t know it. He pointed out that almost every large and midsize company in the U.S. has been compromised and that it takes an average of 253 days for a company to realize it has been hacked. He also said that 85 percent of those breaches are caused by people “doing the wrong thing,” citing the Target breach as the poster child for that data point.  He also mentioned that, while the hackers are profiting from the fruits of their labor – Target’s 100 million compromised accounts that could sell for anywhere between $20 and $100 per account – Target has since seen a 46 percent drop in profit quarter over quarter and has said that ongoing expenses related to the breach could have a material adverse effect for the 2014 Q1 earnings and beyond.

Yes, cyber crime really does pay and, yes, cyber crime really does cost its victims dearly.

But I have another, even more controversial takeaway from this panel, and that’s this: we should push the “pause” button on EMV right now, rethink our approach to keeping cardholder data secure, and reinvent how the card industry protects itself from the risks of cyber security.

Here are the 6 reasons why:

1.  EMV solves the wrong problem – and an old one at that.  

Yeah, I know, you’ve heard this from me before. But last week, it wasn’t just me expressing this point of view; someone on the panel even went so far as to say, “EMV is a swear word.” Sure, we need to “fix” the problem of static PAN data transmitted via the mag stripe, but EMV cards issued in the U.S. won’t eliminate that risk since they will carry mag stripes for some time, just as those issued by non-U.S. banks do today. (The stripe on a chip card is only a live risk where a terminal or issuer still accepts a stripe “fallback” transaction on a card whose stripe flags it as chip-capable; how strictly that fallback is declined matters as much as the chip itself.) And at the moment, the prevailing standard is “Chip and Choice,” where a PIN is not required. Published reports suggest that requiring a PIN on debit transactions cuts fraud by a factor of five. It’s not clear that EMV implemented without a PIN requirement makes much sense.

And in terms of eliminating fraud? We don’t need to speculate about whether that is a fait accompli. It isn’t. In the countries where EMV has been implemented, counterfeit-card fraud has declined dramatically, but card-not-present fraud has risen by about as much as counterfeit fraud fell, if not more. It’s the fraud “whack-a-mole” game: beat down counterfeiting at the point of sale, and it pops up online. Advocates say the online risk is lower because the volume is lower, but as card transactions increasingly move to the cloud, which is where payments is headed, that risk will only intensify. And the industry will have to spend even more money to address it, after having spent lots of money on a solution that just moves the problem to a different place.

2.  It’s not really clear that we have a real problem to solve.  

There was an interesting discussion about how much of a fraud problem we really have in the U.S. and worldwide. In the U.S., fraud exists, but it is very low. In fact, the rate of fraud for online transactions is less than 1 percent, which is exactly where it was in 2010. When fraud dollars are reported, those numbers are higher, which makes sense, of course, since the base since 2010 has grown, but the rate at which fraud is occurring remains constant. Interestingly, outside of the U.S., and where EMV has been implemented, online fraud rates are more than twice that rate.

According to Nilson, in 2012 worldwide total transaction volume of credit, debit, prepaid, private label cards was $21.604 trillion, with fraud losses worldwide of $11.27 billion – or roughly 0.05 percent, or 5.2 cents, per $100.  Douglas King, who authored a report for Atlanta’s Federal Reserve Bank, questioned whether the U.S., looking at these overall numbers, felt there was enough of a problem to invest the billions needed to move to EMV, which, as I’ve noted, doesn’t really eliminate fraud but simply moves it to a new playing field. It’s worth noting that this report was published before the Target breach, but the question remains: how much should the payments industry invest to reduce fraud – and to reduce it to what level?

It’s an important and valid question.  Every industry, not just payments, has to make decisions about investing to eliminate its major source of risk entirely versus reducing it to an acceptable level that also doesn’t impose too much friction on their customers in the process. And, in fact, those in law enforcement have to do cost benefit calculations, too. We can always spend more money to get less crime, but the question is whether the additional spending is worth the additional crime reduction.

9/11 is also a good proxy for this thought process. Post 9/11, the U.S. invested in new systems and policies designed to reduce the risk of terrorists using airplanes as weapons of mass destruction. In the days after that attack, that even included forcing passengers to stay seated during the first and last 30 minutes of flights headed into or departing from Washington, D.C. We could have decided to eliminate such risks entirely by having people completely disrobe for scanning before boarding an airplane, or by banning carry-on luggage entirely, as was done on flights to and from the UK for a time, or by subjecting passengers to El Al-style screening before every flight. Hey, we could even have stopped flying and made people walk or take the train or the bus everywhere.

Instead, over the last several years, the TSA has implemented systems like Pre-Check, which allows expedited screening for passengers who have gone through a background check; has installed the somewhat controversial body scanners that check passengers for hidden explosives; and has adjusted the acceptable levels of carry-on stuff. None of those things eliminates the risk of bad things happening entirely. They just make it more of a pain for the bad guys to do bad things, which, I say as a TSA Pre-Check passenger, is a tolerable amount of friction to introduce into the system.

Now back to payments. We could eliminate the risk of payments fraud completely by making consumers use cash to pay for their purchases. Or subjecting them to an arduous authentication process that would, as we’ve seen with 3-D Secure, eliminate the consumer’s appetite for making purchases online, which only hurts merchants. Or, as we are now about to do, spend billions on a standard that only attacks a small piece of a problem that isn’t really that big to begin with.  And, as our panel said, to what end – to eliminate a risk that is already really low? Where’s the ROI – and for whom?  I haven’t seen any of the advocates produce a real ROI analysis—please send, and we’ll post on PYMNTS.com.

3.  EMV makes the wrong people pay

Richard Clarke made a point that “we” as an industry need to understand who’s suffering as a result of the breaches, and then upon answering that question who should pay.

This is where the conversation gets really interesting.

Someone on the panel remarked that the big conundrum of payments is that the parties who issue the cards are completely disconnected from the parties who accept the cards, who are in turn completely disconnected from the people who use the cards. Further, the parties being asked to change today, and being forced to pay, are the consumers who will be inconvenienced by being asked to “dip” rather than swipe; the merchants who are being asked to install new equipment or else face the liability shift; and the banks who will be forced to issue new, more expensive cards. According to Nilson, issuers last year absorbed roughly 63 percent of fraud losses while merchants absorbed 37 percent.

Target has said it will spend $100 million installing EMV readers, but that’s just the tip of the iceberg. There are more than 16 million devices in the U.S. that will have to be upgraded to support EMV payments at a cost of between $200 and $1,500 per device. Taking the low end of the scale, at $200 per device, that’s a $3.2 billion expense (just for the equipment) to the industry, borne by the merchants, not to eliminate fraud but simply to watch it move to another channel, one they’ll then have to invest in new solutions, like tokenization, to fight.

And if you wanted to put a price tag on this for the consumer, assume that a consumer would pay a penny per transaction not to have to dip instead of swipe. With 75.6 billion credit, debit and private label card transactions in 2013, that’s another three-quarters of a billion dollars annually, not counting whatever price increases merchants pass along on merchandise to offset the cost of the new devices. Those increases will also be borne by consumers, who, for all of the wailing and gnashing of teeth over the Target breach, don’t really feel the pain: roughly 90 percent of those whose accounts are at risk because of a retailer’s breach sign up for credit monitoring after the fact.

Consumers know that they are protected in the event of a compromise and don’t sweat it too much. But 100 percent of consumers will be asked to change how they use their cards and be inconvenienced by it, and maybe even pay more for the things they buy because of it. The big question left unanswered is the extent to which they feel that the tradeoff they are being asked is helping them in any way since they don’t perceive a real problem today.

But here’s the real crime. Those who are perpetrating these crimes are laughing all the way to the bank. Cyber crooks operate today in sanctuary countries like Russia, well out of our reach to find, much less prosecute. If we, as a payments industry, really wanted to put some teeth into getting rid of cyber fraud, we’d be knocking on the doors of our members of Congress about putting the screws to the countries that harbor these bad guys, slapping on fines and penalties, even cutting off their ability to access U.S. Internet sites.  We, as an industry, would be far better off mobilizing Congressional hearings on that point rather than risking that the government decides it needs to intervene on imposing a fraud standard for the industry because of the media coverage of the breach and the faulty assumption that fraud rates are out of control.  At the moment, the people who inflict the pain and impose the costs on our payments system are getting off scot free.

To put this another way, we could take some of the billions we’re spending on the EMV upgrade and use it to lobby Congress and the president to put the screws on countries that harbor these criminals that are wreaking havoc on us.

4.  EMV does nothing to help in the short term.

Yes, Virginia, there is a deadline set for the liability shift, but it’s not realistic to think that most merchants will be able to make that deadline. Until the Target breach, the prevailing wisdom was that EMV was going to languish as merchants looked to other, cloud-based payment options and to security solutions linked to those alternatives. Now, out of fear and motivated by the PR value of saying that they are embracing EMV, their priorities have shifted sharply.

Even so, there just isn’t enough time to implement EMV in 16 million terminals in the roughly year and a half before the liability shift. So between now and whenever all 16 million terminals are upgraded, two, three or even more years from now, cardholder data transmitted by EMV cards with mag stripes will continue to be at risk of compromise at the physical point of sale, not to mention moving online, as history tells us will be the case.

There are solutions available now that could, for a lot less of an investment, protect cardholder data by making it useless to the bad guys. After all, if data are what they want, then making it useless should be the focus. And tokenization and end-to-end encryption solutions, among other things, are technologies that are available today that can accomplish that goal and are embraced by the networks.
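The contrast the article draws in points 1 and 4, static stripe data that can be replayed versus per-transaction data that cannot, and tokens that are worthless outside the merchant they were issued to, can be made concrete. The following Python is an added illustration, not code from the article, PYMNTS or any payment network, and it is deliberately simplified: the cryptogram is an HMAC stand-in for EMV’s 3DES/AES-derived Application Cryptogram, the PAN, expiry, track data and per-card key are constructed sample values, and the `Card`, `Issuer` and `run_demo` names are hypothetical. It replays what a POS memory scraper would capture on each authorization path and reports what still authorizes.

```python
"""Replay what a POS memory scraper captures on three authorization paths.

Added example; simplified model, not an EMV or network implementation.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed sample account, not a real card. The per-card key stands in
# for the EMV issuer-master-key / session-key hierarchy (assumption).
PAN = "4111111111111111"
EXPIRY = "2512"
CARD_KEY = b"demo-per-card-key"


def make_cryptogram(key: bytes, pan: str, atc: int, unpredictable: int, amount: int) -> bytes:
    """Stand-in for an EMV Application Cryptogram: a keyed MAC over the
    transaction data (PAN, transaction counter, terminal nonce, amount).
    Real EMV derives a 3DES/AES session key from the ATC; HMAC-SHA256
    truncated to 8 bytes is used here only to keep the example short."""
    msg = f"{pan}|{atc}|{unpredictable}|{amount}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


class Card:
    """Chip side: holds the key and the Application Transaction Counter (ATC)."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.atc = 0

    def generate_ac(self, unpredictable: int, amount: int) -> tuple[int, bytes]:
        self.atc += 1  # every transaction gets a fresh, increasing counter
        return self.atc, make_cryptogram(self.key, PAN, self.atc, unpredictable, amount)


@dataclass
class Issuer:
    """Issuer host with one authorization routine per path the article compares."""

    card_key: bytes
    last_atc: int = 0
    tokens: dict = field(default_factory=dict)  # token -> (pan, merchant_id)

    def authorize_stripe(self, track2: str, amount: int) -> bool:
        # Mag stripe: static data; the issuer can only check that it is well formed.
        pan, _, rest = track2.partition("=")
        return pan == PAN and rest.startswith(EXPIRY)

    def authorize_emv(self, pan: str, atc: int, unpredictable: int, amount: int, cryptogram: bytes) -> bool:
        if pan != PAN or atc <= self.last_atc:
            return False  # reused or rolled-back counter: a replay
        expected = make_cryptogram(self.card_key, pan, atc, unpredictable, amount)
        if not hmac.compare_digest(expected, cryptogram):
            return False  # transaction data was altered or the key is wrong
        self.last_atc = atc
        return True

    def authorize_cnp(self, pan: str, expiry: str, amount: int) -> bool:
        # Online / key-entered path that asks only for static data.
        return pan == PAN and expiry == EXPIRY

    def tokenize(self, pan: str, merchant_id: str) -> str:
        token = secrets.token_hex(8)  # opaque surrogate, bound to one merchant
        self.tokens[token] = (pan, merchant_id)
        return token

    def authorize_token(self, token: str, merchant_id: str, amount: int) -> bool:
        pan, bound_to = self.tokens.get(token, (None, None))
        return pan == PAN and bound_to == merchant_id


def run_demo() -> dict:
    issuer = Issuer(CARD_KEY)
    card = Card(CARD_KEY)
    results = {}

    # 1. Stripe: the scraper captures track 2 and the same bytes authorize again.
    track2 = f"{PAN}={EXPIRY}1011234567890"  # constructed track-2 string
    results["stripe_first"] = issuer.authorize_stripe(track2, 4999)
    results["stripe_replay"] = issuer.authorize_stripe(track2, 19999)

    # 2. EMV: the scraper captures PAN, ATC, nonce, amount and cryptogram in the clear.
    un = secrets.randbits(32)  # terminal "unpredictable number"
    atc, ac = card.generate_ac(un, 4999)
    results["emv_first"] = issuer.authorize_emv(PAN, atc, un, 4999, ac)
    results["emv_replay"] = issuer.authorize_emv(PAN, atc, un, 4999, ac)
    results["emv_tampered_amount"] = issuer.authorize_emv(PAN, atc + 1, un, 19999, ac)

    # 3. ...but the PAN and expiry in that capture are static and still work online.
    results["cnp_with_scraped_pan"] = issuer.authorize_cnp(PAN, EXPIRY, 19999)

    # 4. Tokenization: a token scraped from merchant A is useless at merchant B.
    token = issuer.tokenize(PAN, "merchant-A")
    results["token_at_merchant_a"] = issuer.authorize_token(token, "merchant-A", 4999)
    results["token_at_merchant_b"] = issuer.authorize_token(token, "merchant-B", 4999)
    return results


if __name__ == "__main__":
    for name, ok in run_demo().items():
        print(f"{name:24} {'AUTHORIZED' if ok else 'DECLINED'}")
```

Running it shows both halves of the argument at once. The replayed stripe record authorizes a second time; the replayed EMV record is declined on the counter check, and an altered amount is declined on the MAC, which is the “dynamic element” the commenters below describe. But the PAN and expiry scraped from that same EMV transaction still authorize on the card-not-present path, which is exactly the migration of fraud the article is worried about, and only the merchant-bound token fails everywhere except where it was issued. A real issuer host does considerably more (session-key derivation, ARPC responses, risk scoring, velocity limits); the point here is only which captured fields remain useful to an attacker on each path.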

5. EMV is taking our eye off the real threat.

I think that even EMV advocates would agree that EMV wouldn’t have prevented the Target problem. But as one panelist put it, point-of-sale fraud is bupkus when compared with the volumes that pass over the ACH network, CHIPS and Fedwire every day. NACHA reports that in 2013 an estimated $40 trillion moved from bank account to bank account over the ACH network, at an average value of roughly $1,760 per transaction. If the bad guys really wanted to wreak havoc, that’s where they’d turn their attention: if not to steal money outright, then to shut down our ability to conduct commerce as a nation and as a world.

Ditto with the SWIFT network, which passes secured messages related to financial transactions between more than 10,000 users at FIs and companies in 210 countries resulting in an average of 10 million messages a day. A question raised by someone on the panel was the degree to which our efforts should be focused on ensuring that these systems remain rock solid versus spending tens of billions on systems that have relatively low risks of fraud to begin with. Sorry Target, you get all the press, but you are really small potatoes.

6.  EMV is taking our eye off the real opportunity.  

A big question related to the risk/return/reward equation of investing in EMV raised by this panel is the consequence of diverting attention away from the move to digital payments enabled by connected devices that can secure cardholder data in superior ways. Merchants are interested in supporting mobile payments for a variety of reasons, something underscored by the decision of MCX to adopt a mobile/digital only scheme.

Mobile commerce provides merchants with the opportunity to communicate with their customers and target and serve their most profitable and desirable consumers better with a solution that is potentially more secure than what exists today at the physical point of sale. The deployment of EMV only forces them to divert attention and resources away from something that adds value to the consumer as well as the merchant and the overall payments system.

The discussion that we had last week laid out a number of facts that took the conversation about the merits of EMV from one that simply hand-waved about why we should embrace it to one centered on facts that paint a compelling picture of why we might need to push pause and rethink it all. As I’ve said before, implementing a 30-year-old technology just because everyone else in the world has already done it doesn’t make it the right thing to do right now. And the facts bear this out.

I say it’s time now to disagree on the basis of the ROI of making the move to EMV, not on the basis of the U.S. being the last holdout (which also isn’t true.)  So, show me the money – or better yet, bring me the analysis, and we’ll host a debate live on PYMNTS.com.

So, who’s game?

  • Allie’s World

    Well, for one, hell no I wouldn’t pay a penny to be able to swipe instead of use the chip. I’d be FAR happier – not inconvenienced – by knowing that there was at least some transaction security. You can talk all the encryption you want, but NOTHING will solve skimming unless you get rid of the static, duplicable data that is the magnetic stripe. EMV is not perfect, no (there’s still a lot of clear text information), but the basic issue is solved by having a unique authorisation code… the one thing that ALSO needs to happen on the Internet. It needs to happen both places…

    As for Internet fraud, yes, it’s a different problem. One that needs to be solved. But the answer is not to ignore fraud in retail – it’s to fix both issues. The best solution is probably some form of two-factor authentication where one needs a key generated by a mobile app to authorise their credit card transactions. What’s scary, for all the talk and fighting – this would be stupid simple to implement. The banks already have 3-D Secure, and Google developed an open source, very secure platform called Google Authenticator. Load a key into the cardholder’s Google Authenticator app, use 3-D Secure to require a unique code for each online transaction, force online merchants to use 3-D Secure or quit accepting transactions from them. Internet fraud solved, in a really easy and stupid simple way. But EMV is needed too. Both problems need to be solved.

    • John Coloe

      Dear Allie’s World, you’re getting warmer. Two-factor authentication implemented via a method that a) works for everyone (and everyone isn’t a tech-savvy, smartphone-toting elite), b) accommodates offline and c) doesn’t introduce onerous transaction-killing friction could be a solution.

      OTP, or one-time password technology, is a better solution, and one that addresses face-to-face as well as online fraud. However, this again doesn’t work for *everyone*.

      What’s needed to reduce both physical and online fraud is tokenization. Most of us are familiar enough with what this looks like in a mobile model. In the physical realm, the embossed and mag stripe emblazoned plastic we carry today morphs to become PAN-less cards that are essentially useless as the authentication mechanism shifts to cloud-connected services. Again, a solution as applicable online as it is in brick-and-mortar settings.

      The conclusion? Take the money that’s needed to implement 30-year old technology that merely shifts the problem, instead of solving the real problem, and invest it in tokenization and other technology that addresses the core weakness in the payments ecosystem.

      Will this require changes for issuers, acquirers, schemes and merchants? Definitely. But at less of a cost than a so-called solution that merely shifts the problem rather than solving it. In the end, you, me, and every consumer are going to bear the cost of a transition. The questions are what solution to implement, at what cost, in what timeframe, and to what benefit (as in fraud reduction, both physical and online, to the lowest possible level).

  • andrewonedegree

    The problem we have with cards is the fact that they are insecure by their very nature; they are, after all, static data (numeric at that) printed on a physical plastic card. Put that data in a digital format, and in a digital world, they take a lot of time, effort and money to secure.

    EMV works well in-store, but does nothing when we look at digital (online, mobile, whatever). However, that being said, EMV is a must; we have to make life harder for fraudsters, and claiming it does nothing misses the point.

    IMHO payments need to move away from card schemes and embrace technological solutions that have been designed with digital and security in mind and that address today’s challenges.

  • craigkeefner

    Great article. As long as it is the wild west with vendor interfaces and sloughing off the responsibility to your vendors, the interior datacenter is always at risk. EMV will make no difference as long as companies try to irrationally squeeze costs from the supply chain.

    • Philip Andreae

      Totally agree, operators of distributed systems, like that found in large retail environments, must protect their environment from intrusion.

      At the same time, by implementing EMV we devalue the static data: the Account Number (“PAN”), expiry date and cardholder name printed on the face of the card, embedded in the chip and encoded on the magnetic stripe. We must add a dynamic element, “the cryptogram,” to make each transaction unique and irrefutable.

      Furthermore, we need to also find a second factor to assure the integrity of Card Not Present transactions. We need something like 3D-Secure in this environment to again devalue the PAN, expiry date, cardholder name and address.

      Until we devalue the static (should never have been allowed to be a secret) data; the criminals will attempt to steal it.

  • Jean Keil

    I could not agree more with everything in this article. EMV is not the solution. The solution is preventing breaches and penalizing the perpetrators.

  • Canada Buckeye

    Sadly it is the US that is slowing down the rest of the world in eliminating the mag stripe on the back of their cards and forcing them to have swipe-enabled machines. Yes, we know that the EMV chip will not completely eradicate fraud, but it is the first step. You still have to deal with shutting down online fraud as well as network hacks, but tightening down one piece of the chain is necessary.
    Personally, I love the Chip and PIN transaction – it is quicker, safer, and even better – no manual signature, tip and total calculations…. fantastic!

    • Allie’s World

      Chip and PIN is also much more private for the cardholder – no risk of being asked for ID (hopefully), customer control of the terminal (can verify the amount and decline DCC). Far less room for merchant dishonesty (forced DCC, miskeyed amount) than signature transactions. It’s a shame American banks are choosing chip and signature.

  • Plastic Police

    The U.S. should stop the EMV locomotive. As a long time payments fraud professional, the ROI business decision does not make sense and the article point that fraud will simply be squeezed elsewhere (online) is valid. We have seen this with EMV deployments in about all EMV markets.

    A promising technology is Host Card Emulation (HCE) which could help the U.S. and other markets realize the security benefits of EMV such as dynamic CVV and transaction counters in both card present and CNP/online environments potentially because of its flexible hosted/cloud based infrastructure. Connecting a card account to a consumer’s mobile device for online authentication (PIN, MAC ID, geo-location, or other) during e-commerce transactions would be the next logical security step to realize dynamic authentication in both environments.

    One challenge is that, out of the gate, those who do not carry a smart mobile device may not be able to participate in HCE dynamic authentication. Admittedly, this is a significant hurdle. Based on mobile device usage statistics, this number should continue to decrease.

    Moving to a dynamic authentication environment for both card present and CNP transactions is where the U.S. should be headed, not antiquated/legacy EMV technology that is limited in the type of fraud that it addresses and at tremendous cost. Let’s snap out of this knee jerk reaction and let those who know the industry make the decision rather than regulators that are trying to show their constituents that they are “doing something.”

    • Philip Andreae

      Nice to talk about Mobile and HCE as the future. But then demonstrate the business case for the NFC investment required on the part of the retailer. EMV, one can absolutely build a business case if one also includes the intangible advantage of Security and trust.

      Also why do I want to struggle with lining my phone up so that it is centered in the middle of the “Volume” of the field created by the terminals antenna. Especially if the antenna in the phone only works when in really close proximity.

      • WarumNicht

        Philip, your own words undermine your argument for EMV – how can one build an ROI that passes the CFO’s test based on “intangible” benefits?

        • Philip Andreae

          Easy, measure the losses incurred by Target and use that relationship to appreciate the value consumers attribute to security and trust.

          Issuers are getting the calls asking for chip cards. Merchants are aware of the impact not being secure had on Target. Congress is asking the question of why the USA is behind.

          Those who say why EMV, my challenge is simple. What is the Globally interoperable solution, with a track record and proven at scale?

          • WarumNicht

            See my earlier comments. It’ll happen, in dribs and drabs, very slowly. As to your point about “globally interoperable” – say “metric system” and then try to argue how much “global interoperability” matters to the U.S.

          • John Coloe

            Target themselves characterize losses directly attributable to the breach as a rounding error in the grand scheme of things. For Target, and others that have received notoriety in the press due to breaches, the bigger problems are the loss of trust and confidence. These factors alone are responsible for depressed stock valuation, as well as profitability. Thankfully the public memory is short, and Target will no doubt recover quickly.

            Speaking as an educated consumer, I have no qualms purchasing with signature or PIN debit, or credit at Target, or any other brick-and-mortar establishment post-breach. I’ve not called my issuer for a chip card replacement. Nor am I aware of significant numbers of others making such demands.

            The fact of the matter is that banks and schemes offer consumers zero liability protection in the event of card compromise; loss, stolen, breach, whatever. And that’s what keeps the wheels of card payments moving right along.

            Ironically, as a frequent international traveler, I’ve requested chip cards for years from the financial institutions with which I do business. And how many of the cards that I hold are chip-enabled? None! And that’s for someone who’s traveled abroad numerous times a year for several years.

            Again, EMV isn’t the only answer, and all newer, more relevant solutions should be vetted before placing such a huge bet on an outmoded technology. Let us not go blindly down the EMV road without at least evaluating all credible alternatives. There’s simply too much at stake to do so.

      • Plastic Police

        The NFC business case is close in nature to that of merchants upgrading to EMV in the U.S. from a cost perspective. Either way, terminals will have to be upgraded.

        I think too much credit is being given to EMV for fraud reduction. Remember, it only addresses card present fraud, whereas, it is online fraud that is growing from a combination of advances in technology, more people (globally) using computers, global e-commerce, and also because of EMV. In Canada, for instance, they are around 90% EMV deployed and over 70% of their fraud is now online/card not present. The migration of fraud from card present to card not present after EMV deployment is about symmetrical. So, what are you really gaining…particularly for the expense?

        As far as “why is the U.S. behind,” remember that the EU did not go to EMV for security reasons, they went to EMV because of unreliable telecommunications systems – particularly between the various countries. The telecommunications systems in the U.S. have been very reliable which is why there was no need to incur the cost. If we can leapfrog EMV technology and go to something better, why only “catch up” on EMV?

        If a new and promising technology is now here that can address both card present and card not present environments with all of the security benefits of EMV as well as a large degree of flexibility, then my opinion is we should look that way instead.

        I should also emphasize that the Target breach has nothing to do with EMV. The breach would still have occurred. Even if they were fully EMV, because the RAM scraping malware was inside each POS, it would have likely been configured to capture the credit card number during the handoff when it must be decrypted (plain text) in order to proceed with the EMV transaction. So, you would still have a breach and you would still have a credit card (and other) data compromise.

  • Philip Andreae

    Interesting article. Having been one in the audience at this conference, I only heard a vendor promoting his solution openly criticize EMV.

    • Dave Birch

      Thanks for the clarification Philip. On balance, I think that US EMV migration makes sense but it’s about skating to where the puck will be, as they say. Bringing together EMV, HCE and tokenisation for converged online/physical payments makes for a reasonable roadmap.

      And a point on MCX: if MCX retailers have NFC terminals installed, then why wouldn’t MCX use HCE for quick and convenient payments? There’s no law that says that EMV tokens have to be issued by banks; retailers could issue their own.

    • John Coloe

      All good points Philip. However, 1991, ’94, ’97, and even 2002, are ancient history considering the overall pace of innovation. Much, much better solutions than EMV exist today, and we simply must not move blindly forward, ignoring these alternatives, for the sake of a 20+ year old pledge. Much has changed since then, and it’s imperative that newer, better ideas have a chance for a fair hearing before hastily implementing a so-called solution that doesn’t solve the actual problem.

  • Anonymous European

    It is such a shame that there is this much misinformation on EMV, particularly on the ‘what’s the point without the PIN’. The POINT is that the whole mag stripe data isn’t sent over the wire – which means almost all of the recent data breaches in the USA wouldn’t have left customers immediately at risk. Solving face to face is one part of the problem. Europe has seen it fall dramatically – and the ecom hasn’t filled the gap. It has increased but not to a parity level.

    EMV makes the data much less useful – this in itself is a great security measure. It won’t stop the breaches, and yes the data can be used in other ways. But I can’t just sit on a payment network, lift all the traffic and then clone it on to a gift card with something I bought for $5 from eBay, then go back to the same store and spend it again.

    Stop the breaches, make the data less useful. EMV is just one component of the equation. As a protocol it even offers support for offline / online, multiple card holder verifications methods, and has technical solutions for card not present.

    It’s amazing how little Americans seem to know about a technology that most of the rest of the world has adopted.

    • John Coloe

      Sorry Anonymous European, but the points you attempt to make simply focus on, as Karen Webster’s piece so eloquently states, the wrong “problem”.

      To your point of “stop the breaches” I say, that’s the very definition of insanity. Industry has tried over and over and over again to create the cyber equivalent of thicker walls and stronger bars, only to be foiled by determined (and, might I add, ingenious) criminals. I’d argue that the way to stop breaches is to simply remove the incentive. Make the data useless, and the hacking stops in its tracks.

      With that said, the question is undeniably, how to make the data useless. To that, I can assure you, EMV isn’t the answer.

      • Allie’s World

        How is EMV not the answer? With EMV, the data obtained from such a breach as Target is useless – a counterfeit card can’t be made from it.

        • John Coloe

          EMV cards remain PAN-based. They’re embossed and printed. They also currently continue to include a mag stripe. All points of vulnerability.

          Additionally, EMV terminals aren’t excluded from malware attacks. As not all information pertaining to the Target breach is publicly known, it can’t be stated with certainty that EMV would have nullified that breach, or others like it.

          Moving to mobile payments and PAN-less instruments, including 2FA, OTP, tokenization, etc., are all superior alternatives to EMV. Instead of varying a decades-old process by using a by now ancient “solution” that’s been proved to simply shift fraud rather than eradicating it, why not adopt a new, better, and possibly more cost-effective solution?

          • Allie’s World

            Who cares? You miss the point. Why does PAN matter if it can’t be used to authorise a transaction? Why does malware matter if the data stolen can’t be used to authorise a transaction? It doesn’t (well, the malware still does to the retailer – but not to the cardholder nor their issuing bank).

            The mag stripe remains because of people like you stopping progress, but assuming fallback transactions are prohibited (and if they’re not, they should be scrutinised closely by the merchant), the stripe can’t be authorised at an EMV-enabled terminal. Ideally, there would come a point where banks would decline to authorise stripe transactions, and eventually the networks refuse to process them at all.

            How, exactly, do you propose tokenisation without a chip anyway? You can’t change the number on a magnetic stripe each time. Tokenisation, however, should be seen more about privacy than security. EMV has not “been proved to simply shift fraud” – EMV is a solution to counterfeit card fraud, which is a huge problem in the US today. Other forms of card fraud need to be addressed, too, however – where 3D secure, 2FA, etc come in. But none of that negates the need to fix counterfeit card fraud. And there really isn’t a fix cheaper than EMV. Even if there was, global interoperability is essential.

          • nfcguy

            EMV-based card data is dynamic: it changes every time a transaction is attempted, and only the issuing bank knows if this time’s one-time-use card data is valid. If the Target hackers had harvested 70 million sets of EMV-based card data, then that card data could not have been reused at any merchant or website that requires the security code.

            If the card data passing through Target has no reusable value, then the desire to break into the merchant diminishes.

            2FA: Two-factor authentication. EMV cards provide this by requiring ‘what you have’ = a smart card, with ‘what you know’ = a PIN.

            OTP: One time password has little additional benefit if you also have dynamic, one-time use card data.

            Tokenization: Tokenization schemes will be using PANs; EMV cards are, themselves, performing tokenization because they create one-time-use card data locally each time they are presented.
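As an added illustration of the dynamic-data point nfcguy makes above (this is example code written for this page, not code from the original post and not an implementation of any EMV specification), the Python model below shows why a cryptogram captured in transit cannot be replayed: the card's master key never leaves the chip, each cryptogram is bound to the card's transaction counter (ATC) and to a nonce chosen by the terminal, and the issuer rejects a cryptogram whose ATC does not advance or whose nonce does not match. HMAC-SHA256 stands in for the real per-CVN session-key derivation and MAC; the master key, amounts and terminal nonces are constructed values.

```python
"""Simplified model of EMV-style dynamic transaction data (illustrative only).

Assumptions (not from the page or any spec): HMAC-SHA256 replaces the real
session-key derivation and application cryptogram MAC; keys and nonces are
constructed test values.
"""
import hashlib
import hmac


def derive_session_key(master_key: bytes, atc: int) -> bytes:
    """Issuer and card both derive a per-transaction key from the card master
    key and the Application Transaction Counter (ATC)."""
    return hmac.new(master_key, b"SK" + atc.to_bytes(2, "big"), hashlib.sha256).digest()


def application_cryptogram(master_key: bytes, atc: int, amount: int,
                           terminal_nonce: bytes) -> bytes:
    """MAC over the transaction data, truncated to 8 bytes like a real ARQC."""
    session_key = derive_session_key(master_key, atc)
    data = amount.to_bytes(6, "big") + atc.to_bytes(2, "big") + terminal_nonce
    return hmac.new(session_key, data, hashlib.sha256).digest()[:8]


class Card:
    """Chip side: holds the master key and a monotonically increasing ATC."""

    def __init__(self, master_key: bytes) -> None:
        self._master_key = master_key  # in a real card this never leaves the chip
        self.atc = 0

    def generate_arqc(self, amount: int, terminal_nonce: bytes) -> tuple[int, bytes]:
        self.atc += 1
        return self.atc, application_cryptogram(self._master_key, self.atc,
                                                amount, terminal_nonce)


class Issuer:
    """Issuer side: the only party besides the card that can recompute the MAC."""

    def __init__(self, master_key: bytes) -> None:
        self._master_key = master_key
        self.last_atc = 0

    def authorize(self, atc: int, amount: int, terminal_nonce: bytes,
                  arqc: bytes) -> bool:
        # Replay defence 1: the ATC must strictly advance.
        if atc <= self.last_atc:
            return False
        # Replay defence 2: the cryptogram must match this exact transaction.
        expected = application_cryptogram(self._master_key, atc, amount, terminal_nonce)
        if not hmac.compare_digest(expected, arqc):
            return False
        self.last_atc = atc
        return True


def demo() -> tuple[bool, bool, bool]:
    """Returns (genuine accepted, straight replay rejected, replay at a new
    terminal rejected)."""
    master_key = bytes(range(16))             # constructed test key
    card, issuer = Card(master_key), Issuer(master_key)

    nonce_a = bytes.fromhex("01020304")       # constructed terminal nonce
    atc, arqc = card.generate_arqc(1999, nonce_a)
    genuine = issuer.authorize(atc, 1999, nonce_a, arqc)

    # Everything the merchant saw (atc, amount, nonce, arqc) is now "harvested".
    # Presenting it a second time fails the ATC check.
    straight_replay = issuer.authorize(atc, 1999, nonce_a, arqc)

    # Bumping the ATC and presenting at another terminal (fresh nonce) fails
    # the MAC check, because the harvested data does not contain the key.
    nonce_b = bytes.fromhex("0a0b0c0d")
    new_terminal_replay = issuer.authorize(atc + 1, 1999, nonce_b, arqc)

    return genuine, straight_replay, new_terminal_replay


if __name__ == "__main__":
    print(demo())  # expected: (True, False, False)
```

The two checks in `Issuer.authorize` are the whole point of the "dynamic data" argument: a harvested record is a one-time value with no key material in it, so the issuer's monotonic-counter check and MAC recomputation together make it worthless for a second transaction, which is exactly what static mag stripe data cannot offer.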

  • Slava Gomzin

    I agree with #1, #2, and #4.
    As a technical guy, I don’t care who pays for it (#3): eventually, it’s us – consumers – who pay for everything.
    I disagree with #5: ACH and bank transfer threats (and solutions) are completely different from merchants’ payments security problems.
    I would agree with #6, but I don’t see the “real opportunity”: there is no mature payment technology available today that could be a real alternative to EMV. Crypto-payments (Bitcoin & Co.) are a very promising trend, but based on the recent series of failures they are still at early proof-of-concept stages. And there is no single mobile payments technology that is secure enough to be accepted by mainstream consumers.

  • Chris Braceland

    Well said, “Canada Buckeye”!
    The EMV non-believers are still out there. [Sarcasm] Yeah, let’s do that, let’s push the “pause” button on EMV. As long as nothing happens to us (your company), eh? [“pause” button sound: *******!!!]
    The “wait and seers” cost too much! The “wait and seers” said that December 7, 1941, would not happen despite all the warnings. [We used a “pause” button..??] We waited, and the whole world saw what happened.
    We were warned about 9/11 and did not take action until it happened. Whatever it takes to keep our airlines safe, including body scanners, pat downs, baggage scanners, and including removing your shoes, “is a tolerable amount of friction”…? Whatever it takes(!!) so we do not lose one more person this way.
    There were warnings about cyber attacks from the acquirers, the FBI, National Security, etc., before the Target breach even happened, urging everyone to take note and keep a close eye on their systems. Yes, Target gets the press, but if you asked their CIO or CFO whether the cost of the breach is REALLY “really small potatoes”, I think you’d get an earful!
    Yes, EMV is the first step to securing payments for customers. It is our responsibility to do so by acting and taking proactive & preventative measures, rather than pushing the “pause” button.

  • WarumNicht

    Unless I’ve missed something in the comments, no one has mentioned issuing banks. And if they don’t convert their card bases to EMV, what merchants do doesn’t matter.

    The US is different (think metric system) and the resistance to central mandate (think Obamacare) makes it highly unlikely there will be any enforceable mandate to issue or accept EMV cards.

    Thus we’re left with economics which, as Karen aptly points out, are not compelling.

    Allowing for normal POS turnover, we’ll have EMV terminals in many if not most merchants in the next 5-7 years. Will issuers then convert their cards? Will issuers & merchants trouble to educate consumers on the benefits of EMV? With time, perhaps. But over that time the online channel will only increase in importance, and thus the importance of solving the online fraud problem.

    So the EMV argument, I’d argue, is a bit of a sideshow in the US. By the time it, incrementally, comes into force Stateside, the biggest fraud problem will be elsewhere.

    It’ll happen, slowly, but it’s not worth worrying much about. And I’ve probably spent too many words on it in this comment.

  • Alexander Peschkoff

    Contactless EMV terminals can be supplied at less than $50 (let me know if you are interested). Couple them with mobile NFC devices (smartphones and wearables), and you have great UX in retail. Use chip-enabled devices (there are “zero Capex” (!) options for the issuers) to perform 2FA during CNP transaction, and both problems are solved in a simple and elegant way.

    It’s indeed not about EMV vs mag (the latter should have died a long time ago); it’s about open minds, common sense and new business models.

  • Michelle Graff Wagner

    What we’re overlooking is the fact that the government is increasingly encroaching on this space, and often responding to PR headlines (especially given the mission of the Consumer Financial Protection Bureau). It is in the interest of this industry to do anything to self-regulate and avoid another “Durbin” moment. EMV may not solve for much except card-present counterfeit card use (and even then, only when PIN is used), but if it moves the needle enough to keep the Feds at bay, then we will see adoption by issuers, and the liability shift will impact merchants. And the breaches will continue.

  • Philip Andreae

    Interesting how we all wish to forget history.
    If someone can propose a solution that the world will embrace and will not cost the globe another fortune I am all for it. Please make sure it is a technology that can be implemented quickly and work everywhere.
    Hopefully it will be offered license free, achieve the success that EMV has already achieved and deliver the results EMV has already delivered.
    Yes, innovation is moving rapidly. At the same time we still depend on numerous systems that are centuries old and still fit for purpose. HCE and NFC are based on EMV. The ID1 card still seems to be the form factor of preference.
    I believe in innovation. Please quickly propose the optimum global solution, acquire global commitment, and let’s go for it. Otherwise, respect global realities and focus on deploying EMV cards and terminals. I then strongly advise that we simultaneously focus on working together to address the real issue, Card Not Present fraud, to support the ever-increasing world of Internet-enabled shopping.
    If we are seeking a real solution then let’s figure out how to enable my phone to replace my leather wallet. Please make sure the initial, not future, requirement is that it is able to absorb my driver’s license, health care cards, passport, loyalty cards, membership cards, paper money, receipts and yes, my payment cards too.

  • http://gold2naira.com.ng Gold2Naira

    Great article. As long as it is the wild west with vendor interfaces and sloughing off the responsibility to your vendors, the interior datacenter is always at risk.

  • J Wiseman

    The discussion in the comments assumes that EMV is the only solution. As an industry, we should be evaluating all possible solutions. More specifically, the advantages of mobile are not discussed. A mobile solution that combines smartphone and cloud technology can support even better security and is much more difficult to penetrate than a POS payment terminal.

  • Allie’s World

    Just had my first EMV transaction inside the US at Walmart today; they turned it on just yesterday, apparently. This will definitely cause me to shop at Walmart more at the expense of other grocers… why? Because unlike Rosauer’s (URM Stores… read about it, they had a breach as bad as Target) and other magstripe retailers, I can feel confident shopping at Walmart won’t make me a victim of fraud. Good job, Walmart.
