They call it a “data breach.” An “attack by unknown hackers.” “Sensitive” customer information becomes “exposed.” Credit and debit cards are “compromised.” Pundits wring their hands; merchants live in fear; and customers become increasingly wary of using their cards. Still, the reports just keep coming in.
Let’s be honest: the core problem is that using stolen MSR card data to create and sell counterfeit cards is big business. Big, international, lucrative business. It’s an organized crime scheme that is increasingly migrating to the US because we are one of the last countries to implement EMV to authenticate cards used in payment transactions. In essence, we’re leaving the back door wide open and inviting the counterfeiters in.
Why are we the last in line to put these criminals out of business?
EMV was created to combat fraud in Europe at a time when most transactions were off-line, without reliable or affordable communications to the card issuers. In the mostly online U.S. environment, until recently, there was not sufficient support within the payments industry. Chip cards were expensive ($10+!) and issuers were reluctant to invest without POS devices in place at merchants to use the EMV capability. Merchants were unwilling to invest in new POS hardware if there were no cards in circulation; a “chicken and egg” scenario (I refuse to speculate on who were the chickens). But now that the rest of the world has adopted EMV, most counterfeit cards are produced specifically for use in the US.
Why aren’t we moving faster to implement EMV?
Here’s my theory: there are so many rumors, misunderstandings and outright misinformation about EMV (some are genuine misconceptions; some are generated by vendors with a vested interest in the status quo or in other unproven technologies) that some banks, acquirers, and merchants are unsure of what’s true, what’s false, what’s myth, and what really matters.
To set the record straight, I am presenting my own EMV-related version of Snopes. Here are some of the tales I’ve been hearing, followed by the real story:
1. We can leapfrog EMV by going to mobile payment.
Making a purchase with a smartphone or mobile wallet is inherently no more secure than any other current method of contactless payment, but mobile can use EMV contactless technology to authenticate the card information. By actively detecting clones, EMV renders them useless.
2. EMV is 20-year-old technology. It’s outdated.
EMV is NOT a technology. It is a set of international development specifications (sometimes called an architecture, a framework, or an infrastructure) for authenticated payment transactions. EMV defines the standards – it does not specify the technologies to be used to meet those standards.
Yes, the original development of EMV standards began in 1994. As payment technologies have continued to evolve over the decades, EMV specifications (and the associated certification standards) have steadily progressed.
Today’s EMV standards are current and will evolve to address emerging issues. The specific technologies used to implement the latest standards will always update and innovate.
3. EMV does nothing to protect online transactions.
EMV is not designed to address online transaction security, for merchants or for consumers. There are other technologies and protocols designed to authenticate and protect online transaction data, such as SSL, encryption, tokenization and risk analytics.
4. We don’t need EMV if we have point-to-point encryption (P2PE).
That’s like complaining that your sunscreen doesn’t keep you dry in the rain, because EMV and P2PE are two completely different things.
The EMV chip authenticates the card: it confirms that the card is original and has not been cloned. The PIN authenticates the user: it confirms that the card user and the cardholder are one and the same. EMV does not encrypt any card information or data.
P2PE protects card data by encrypting it at the Point-of-Sale. P2PE does nothing to authenticate the card or user.
Ideally, EMV and P2PE should be used in conjunction in any card-present transaction. A multi-layered approach to point of sale security will always be the most effective way to prevent counterfeiting and fraud.
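To make the authentication point concrete, here is an added example (not from the original article, and not real EMV code) contrasting a static-data check with a per-transaction chip cryptogram. It is a simplified model: HMAC-SHA256 stands in for the chip's cryptogram algorithm, the names `ChipCard`, `Issuer`, `mac` and `demo` are hypothetical, and encryption in transit (P2PE) is not modelled, since it would protect the bytes without changing either outcome.

```python
import hashlib
import hmac
import os

def mac(key, amount, nonce, atc):
    # Stand-in for the chip's cryptogram: HMAC-SHA256 over transaction data.
    msg = amount.to_bytes(8, "big") + nonce + atc.to_bytes(2, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()

class ChipCard:
    def __init__(self, pan, key):
        self.pan, self._key, self.atc = pan, key, 0  # key never leaves the chip

    def sign(self, amount, nonce):
        self.atc += 1  # transaction counter: every cryptogram is single-use
        return self.atc, mac(self._key, amount, nonce, self.atc)

class Issuer:
    def __init__(self):
        self.keys, self.expiry, self.last_atc = {}, {}, {}

    def personalize(self, pan, expiry):
        self.keys[pan], self.expiry[pan], self.last_atc[pan] = os.urandom(32), expiry, 0
        return ChipCard(pan, self.keys[pan])

    def approve_static(self, pan, expiry):
        # Magstripe-style check: only static data, so any copy of it passes.
        return self.expiry.get(pan) == expiry

    def approve_chip(self, pan, amount, nonce, atc, cryptogram):
        key = self.keys.get(pan)
        if key is None or atc <= self.last_atc[pan]:
            return False  # unknown card, or a counter value already used
        if not hmac.compare_digest(mac(key, amount, nonce, atc), cryptogram):
            return False  # presenter does not hold the card's key
        self.last_atc[pan] = atc
        return True

def demo():
    pan, expiry = "4111111111111111", "12/30"  # constructed test values
    issuer = Issuer()
    card = issuer.personalize(pan, expiry)
    nonce = os.urandom(4)  # terminal's unpredictable number
    atc, cg = card.sign(2500, nonce)
    fresh = os.urandom(4)  # a later terminal issues a new challenge
    return {
        "genuine_chip": issuer.approve_chip(pan, 2500, nonce, atc, cg),
        "copied_static_data": issuer.approve_static(pan, expiry),
        "replayed_cryptogram": issuer.approve_chip(pan, 2500, fresh, atc, cg),
        "guessed_cryptogram": issuer.approve_chip(pan, 2500, fresh, atc + 1, os.urandom(32)),
    }
```

Calling `demo()` shows that copied static data is accepted by the static check, while a presenter without the chip's key is declined whether it replays an old cryptogram or guesses a new one.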
Every time a fraudulent MSR card is presented and accepted, resulting in a charge-back, another merchant sees the light: EMV is – and should be – the new reality. Thankfully, that is absolutely TRUE.
Allen Friedman serves as Director of Payment Solutions at Ingenico Group, North America.