There are a lot of people now pointing to the Europay MasterCard Visa (EMV) card (aka “Chip and PIN”) as the savior from breaches such as those at Target and I am sure Visa and MasterCard are very pleased with that fact. Well, I hate to burst your bubble, but if the US was only using EMV like Europe and Canada, it probably would have had only a minor impact.
Are you stunned by that statement? After all, that is not how Visa and MasterCard are portraying EMV. If you read their media statements, they imply that EMV is the answer to these breaches.
To make sure I was describing the security features of EMV correctly, I reached out to my friend and EMV expert Andrew Jamieson, Security Laboratories Manager, at Underwriters Laboratories – Transaction Security in Kew, Australia. Underwriters Laboratories tests and certifies a lot of things, one of which is card terminals (magnetic stripe and EMV) to the PCI standards. As such Andrew has a lot of knowledge in the area of EMV and how it works.
I asked whether or not EMV cards are encrypted.
“EMV cards are not encrypted, per se, but instead store a couple of secret keys which are used as part of the authentication of the entire transaction. All card data can be output from the card in the clear – PAN, CVV, etc – except for the customer PIN and the secret keys. The CVV will also be different from that on a magnetic stripe, either static (called an iCVV) or can also be a dynamic value that changes with each transaction (dCVV).”
Well there is a piece of interesting news. While the transaction gets encrypted with the secret keys, an EMV card would still provide some information in a Target-like breach.
Then I asked if there is a risk even with EMV.
“So, any chip based transactions from an exposure such as the Target one would only have exposed the PAN (technically, the PAN on the card can be different from the PAN on the face/track, but in reality this never happens), not the full track. As the CVV would not have been exposed, the PAN would have limited value.”
If the magnetic stripe was not present, the CVV would not be required or recorded in the chip, so only the iCVV or dCVV would be available and those would not be usable as the code printed on the card would not match either of those values. Therefore the information gathered would not allow for the cloning of cards because the information recorded in the chip is not the same as the information that is printed on the physical card. But this should not be a surprise because that was what the EMV standard was designed to do, prevent the cloning of cards.
However in a Target-like breach where the terminal and/or POS system were compromised, the chip would have still given up enough information to be used in card not present transactions such as those conducted via eCommerce. As a result, the attackers would be limited to only defrauding online merchants but that is where most card fraud is being committed.
EMV is not a “silver bullet” such as the card brands like to imply. Yes, it is better than the magnetic stripe, but it does nothing to stem the tide of the growing fraud in online transactions. There are a number of new technologies on the horizon that will minimize the fraud risk of using credit/debit cards in both card present and card not present situations. But until the card brands get behind those solutions, they will continue to push their old solutions and not address the current problems.
PCI Guru 
The technical solutions mooted here are impressive but any technical solution will take a long time to get agreed, rarufied and implemented. Surely there is a much quicker way. As Andrew notes, the physical CVV2 code on the back of the card is not compromised in an attack such as Target’s. So in the case of an EMV card the exposed card cannot be used in face to face (no PIN) and cannot be used on-line (no CVV2). You point out that ‘There are plenty of Web sites and call center merchants where CNP transactions do not require CVV2/CVC2’ but that is easily remedied. PCI SSC already mandate much about web site design and testing; why not just add a requirement that the CVV2 is needed for CNP transactions.
Making changes to all of those Web sites to accept CVV2/CVC2/CID will take time as well and may even create problems for the merchants’ transaction processors. So that might not be as quick as you think either.
The beauty of my approach is that the card brands already have the single use algorithms built, it would just be agreeing to which one to use. I would think that could be accomplished in three to six months. However, you are correct that it would take a couple of years to get it rolled out. After all, it took EMV eight years before it was rolled out.
To clarify one item of my comment – the ‘security code’ on the rear of the card (CVV2/CVC2) would of course also not be exposed by any EMV transactions, so the value of any PAN values exposed would be minimal even for CNP transactions.
Agreed regarding CVV2/CVC2.
However, in regards to CNP transactions. There are plenty of Web sites and call center merchants where CNP transactions do not require CVV2/CVC2. So relying on that as a way to minimizing fraud and losses is not a good control.
The real opportunity empowered by EMV here is threefold. Firstly to prevent the physical world fraud endemic in magnetic stripe use. Secondly to prevent crossover fraud resulting in static data extracted from the physical domain being used in the virtual domain as CNP. Thirdly to expand the use of EMV into the virtual domain and effectively eliminate CNP.
The UK, with a long history of payments innovation, took a leadership position in implementing EMV in the physical world and is again the first to expand EMV Chip & PIN to online use. A 10 month trial was recently held and this is now being expanded with further major financial industry players 2014. This expansion includes EMV use for eCommerce, eBanking and MPoS.
Fraudsters need to make a living and with the rest of the world running to implement EMV the USA becomes the weakest link – simplified but real. As the UK and other countries expand EMV onlne then the only major market to use CNP again becomes the USA. As a business and as a consumer I know where I would rather be…
Google “Secure Electrans” or “HomePay” and you can find all about it. The implementation recently obtained International Common Criteria Certification – the first ever globally in category.
That is all good and well, but at the end of the day, the card is the problem, EMV or otherwise.
The way to address the problem is single use codes of 15 to 16 characters in length so that the code is compatible with existing POS solutions. This approach was tried in the early 2000s by American Express, Visa and some banks for eCommerce purchases, but never caught on because no one pushed it. With the pervasiveness of smartphones and other devices, these codes can be generated and then even displayed as bar codes to avoid data entry issues. And since they can be used only once, who cares if they’re stored and they’re stored in clear text?
Until we address the root cause of the problem, we will continue to have the problem.