09 Dec 13

Why The Continued EMV Push?

Visa and MasterCard continue their push to get merchants in the United States to install Europay, MasterCard and Visa (EMV) capable terminals so that they can push issuers to transition to what most of the world refers to as “Chip and PIN”.  Because Visa and MasterCard have a vested interest in EMV technology, they feel obligated to push this “dead horse” onto the rest of us.  The problem that merchants and everyone else outside of Visa and MasterCard have with EMV is that there is no business driver to convert, as EMV does little or nothing to address today’s card fraud issues.

As background, EMV was developed to address the rampant card present transaction fraud that occurred with the fall of the Iron Curtain back in the late 1980s.  Overnight, credit/debit card cloning of the magnetic stripe on the cards became big business in Eastern Europe.  With the rollout of EMV in Europe in the mid-1990s, card present transaction fraud plummeted to at or below the levels in the United States because the chip in the EMV card was impossible to clone (although, to be compatible, EMV cards have a magnetic stripe which can still be cloned).  Spin ahead a decade to the mid-2000s and on to today.  Card present transaction fraud continues to be at about the same levels in the United States and Europe.

Times change and so does fraud.  With the advent of eCommerce over the Internet starting at the turn of the century, fraud has moved to card not present transactions.  As long as someone has the PAN, expiration date and cardholder name, they can shop almost anywhere.  And if you are someone who is committing fraud, you can buy that information via the Internet for around $2 to $10 an account.  Pay more and you can get the three to four digit code (CVV2, CVC2, CID, etc.) that confirms you have the card in your possession.  Card not present fraud runs around 10 times or higher than card present fraud and costs merchants and some consumers billions every year.

So what does EMV do to minimize card not present fraud?  Absolutely nothing.  Not that there have not been attempts to introduce EMV-based solutions for eCommerce.  A number of European banks and American Express in the early to mid-2000s tried to introduce standards that used inexpensive serial and USB EMV card readers connected to a shopper’s PC.  But none of these solutions could gain traction with eCommerce application developers and merchants, so eventually they dropped their efforts.  Had Visa and MasterCard had some foresight, they would have partnered with a few of the influential eCommerce merchants and eCommerce application developers and created an eCommerce EMV standard and related APIs, but that did not happen.

To add insult to injury, EMV probably only minimally reduces the risk of data breaches.  The reason is that EMV moves attacks to compromising terminals and POS systems at the merchant and to gaining access to systems and information at the transaction processors and financial institutions.  That is because once the information in the chip is being processed, it is handled the same way as information off of a magnetic stripe.  If it is not processed, stored or transmitted securely, an EMV card is just as susceptible to being breached as its older, less secure magnetic stripe counterpart.  And given the current state of affairs with BlackPOS, POS botnets, vSkimmer and the like, the breach risk with EMV is probably only slightly lower than with magnetic stripe cards.
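To make the point concrete, here is an added example (not code from the original post) that parses a constructed EMV BER-TLV card record and pulls out the cardholder elements it carries in the clear; the tag numbers 5A, 5F24, 5F20 and 57 are the standard EMV data element tags, while the record contents and the masking helper are assumptions made for this illustration.

```python
# Added example (not from the original post): parse a constructed EMV
# BER-TLV record and show the clear-text data elements a POS system holds
# after reading the chip, plus the masking a log line should apply.

def parse_tlv(data: bytes) -> dict:
    """Parse BER-TLV; returns {tag_hex: value}, recursing into templates."""
    out, i = {}, 0
    while i < len(data):
        if data[i] in (0x00, 0xFF):        # padding bytes between objects
            i += 1
            continue
        start = i
        constructed = bool(data[i] & 0x20)  # bit 6 set: template (e.g. 70)
        if data[i] & 0x1F == 0x1F:          # multi-byte tag: more bytes follow
            i += 1
            while data[i] & 0x80:           # subsequent bytes while bit 8 set
                i += 1
        i += 1
        tag = data[start:i].hex().upper()
        length = data[i]; i += 1
        if length & 0x80:                   # long form: low 7 bits = byte count
            n = length & 0x7F
            length = int.from_bytes(data[i:i + n], "big"); i += n
        value = data[i:i + length]; i += length
        if constructed:
            out.update(parse_tlv(value))
        else:
            out[tag] = value
    return out

def card_data(record: dict) -> dict:
    """Decode the clear-text cardholder elements from a parsed record."""
    pan = record["5A"].hex().upper().rstrip("F")       # BCD PAN, F-padded
    expiry = record["5F24"].hex()                      # YYMMDD in BCD
    name = record["5F20"].decode("ascii").strip()      # cardholder name
    track2 = record["57"].hex().upper().rstrip("F")    # PAN 'D' YYMM svc ...
    return {"pan": pan, "expiry": expiry, "name": name, "track2": track2}

def mask_pan(pan: str) -> str:
    """PCI DSS style masking for logs: first six and last four digits only."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

# Constructed sample: a READ RECORD template (70) wrapping four elements.
SAMPLE_RECORD = bytes.fromhex(
    "7031"
    "5A08" "4111111111111111"
    "5F2403" "251231"
    "5F200C" + b"DOE/JOHN    ".hex() +
    "5710" "4111111111111111D25122010000000F"
)

if __name__ == "__main__":
    fields = card_data(parse_tlv(SAMPLE_RECORD))
    print("in the clear:", fields)
    print("as it should be logged:", mask_pan(fields["pan"]))
```

The Track 2 Equivalent Data in tag 57 is exactly what a magnetic stripe skimmer collects, which is why a compromised terminal or switch sees no difference between a chip read and a swipe.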

Unfortunately for Visa and MasterCard, technology has moved on.  With the advent of smartphones and tablets, application developers created eWallet applications.  eWallet applications store a cardholder’s credit/debit card information in a secure file or database.  Some eWallet applications use these devices’ near field communication (NFC), Bluetooth or Wi-Fi capabilities to securely transmit the card information to a merchant’s POS solution.  There are also eWallet applications that display the PAN as a bar code so that merchants can use their existing POS technologies to scan it from the screen.  Coming in the near future are eWallet applications that will generate a single use 16 digit number with bar code, NFC, Bluetooth and Wi-Fi capabilities.  All of these solutions offer as much, if not more, security than EMV.

The times have changed and so has card fraud.  Yet here we are with Visa and MasterCard continuing to push EMV technology.  EMV does little to nothing to address today’s issues or the issues that are down the road.  It is time for Visa and MasterCard to move on from EMV, look for the next new solution and stop pushing a dead-end technology on merchants that have no good business reason to adopt it.


7 Responses to “Why The Continued EMV Push?”


  1. January 9, 2014 at 2:31 AM

    EMV deals with card present transactions, and so do merchants. That's why merchants should use EMV: the card is present. The problem is not stealing a card number and using it on the internet (this is a problem for companies making internet payments with cards). The problem is making a card copy and stealing the PIN. Then the fraudster can empty your account in an ATM. Copying a magstripe takes 1 second; it is impossible to copy a chip. Internet fraud with card not present gives the fraudster very little profit, and the fraudster will most likely be caught. This kind of fraud is done by amateurs. Copying 100 cards and PINs will give the fraudster a million dollars, in cash, within a few days. Removing the magstripe will eliminate this kind of fraud.

    • January 9, 2014 at 6:51 AM

      The trouble is that EMV is only going to reduce card present fraud by one or two hundredths of a percentage (0.01% to 0.02%) if the UK and European card present fraud statistics are any indication. The vast majority of card fraud is from card not present because people do not want to get caught in person. But the larger issue is that the drop that might come (emphasis on “might”) by using EMV does not provide a payback to merchants for anywhere from five to 12 years. Merchants need a payback in three years or less to make it worthwhile.

      You also need to re-read the EMVCo Book A, Architecture and General Requirements, Annex A, Data Elements. The cardholder name, PAN and expiration date are all in clear text, not encrypted. As a result, someone with a sophisticated attack can insert themselves between the reading of the card and any encryption process and still read enough information on the chip to commit fraud. This is why the current paradigm needs to change.

  2. Andrew Jamieson
    December 12, 2013 at 2:44 AM

    Not sure I can agree that EMV does not help to reduce card present fraud – that is not backed up by the figures from both the schemes and law enforcement in areas where EMV is deployed. EMV transactions _are not_ processed the same way as MagStripe transactions; you need to compromise the key on the card to have any effect (or make use of specific implementation vulns, which pre-supposes many complicated steps that are still harder than any track data compromise anyway). In the back end, the keys should be stored in an HSM, the same way your PIN encryption keys are stored, so they are safe there too.

    You are correct in saying that EMV does not address CNP, but then it was not designed to, and the systems you talk about don’t address CNP either. Also Visa and MC _did_ create a CNP standard – it was called SET, way back in the heady days of the mid nineties when the internet was still new and Netscape was cool. It was, unfortunately, very poorly executed and died horribly. But they did try (badly).

    I always find the resistance to EMV in the US market strange. EMV does not fix everything, but if we wait for something that does, we’ll never move from Magstripe which would be a tragedy – because magstripe _is_ a problem.

    • December 12, 2013 at 3:56 AM

      I over generalized with the processing comment.

      However, in the US a lot of large merchants switch their own transactions which means their central transaction switch becomes the target along with the terminal. In theory, the switch should be securing the cardholder data, but I have run across a few that are not properly configured and if they were accessed, it would be game over.

      The terminal attack is actually rather interesting in that it does nothing to compromise the EMV card other than make every transaction appear as accepted regardless of PIN entered and whatever the transaction processor sends back as a result. Quite ingenious.

      • Andrew Jamieson
        December 12, 2013 at 4:23 AM

        Ahhh, but the card keys are stored at the Issuer, not the transaction switch / acquirer. So, poorly implemented security at the acquiring institution does not render EMV security invalid. Poor security at the Issuer would, but then if your Issuer has bad security then you have a whole other problem ….

      • December 12, 2013 at 5:37 AM

        Ahhh, but you forget that we have processors that are also the issuer here in the States. And for some of them, while the issuer side is secure, I cannot necessarily say the same for their processing operations.

  3. December 10, 2013 at 11:41 AM

    I could not agree more with your post. The problem is, there are so many fanatics pushing EMV (apparently it’s a BIG ox and many are being fed by it) as the de facto standard for stopping card present fraud, it’ll be almost impossible to stop. You are 100% correct, EMV does not address card-not-present at all and when this is brought up, the argument is “let’s address card-present first; then we’ll address card-not-present” — like that’s an answer. I’ve found that EMV threads, as far as passion goes, rival political and religious oriented threads. I’ll be interested in watching this one.

